Security researchers say they have discovered a new attack method being used by a Middle Eastern surveillance company to trick phone carriers into revealing the location of mobile phone users. The attack relied on bypassing security protections implemented by carriers to prevent intruders from accessing SS7, or Signaling System 7, a set of proprietary protocols used by global phone carriers to route user calls and text messages around the world.


SS7 also allows carriers to request information about which cell tower a user's phone is connected to, often used for accurate billing when a customer makes a call or sends a text message to someone overseas, for example.
Researchers at Enea, a cybersecurity firm that protects phone carriers, said this week that they observed an unnamed surveillance vendor using a new bypass attack as early as late 2024 to obtain the location of people's phones without their knowledge.
Enea VP of Technology Cathal Mc Daid, who co-authored the blog post, told TechCrunch that the company observed that the surveillance vendor was targeting only a "small number of users" and that the attack did not target all phone carriers.
Mc Daid said bypass attacks could allow surveillance providers to locate individuals to the nearest cell tower, which in cities or densely populated areas can narrow a location to within a few hundred meters.
Enea notified the phone carrier on whose network it observed the flaw being exploited, but declined to name the surveillance vendor, noting only that it was based in the Middle East.

Mc Daid said the attack was part of a growing trend of malicious operators using such vulnerabilities to gain access to individuals' locations, and warned that vendors using these vulnerabilities "wouldn't have discovered and used them if they hadn't been successful somewhere." "We anticipate that more resources will be discovered and exploited," he said.
Surveillance vendors, including spyware developers and bulk internet traffic providers, are private companies that specialize in intelligence gathering activities targeting individuals, often for government clients. Governments often claim to use spyware and other exploitative technologies to target serious criminals, but these tools are also used to target members of civil society, including journalists and activists.
In the past, surveillance vendors have gained access to SS7 through local phone carriers, by abusing a leased "global title," or through government connections.
But because these attacks typically occur at the cellular network level, mobile phone users have little protection against them. The burden of defending against these attacks falls primarily on the shoulders of telecommunications companies.
In recent years, phone companies have installed firewalls and other cybersecurity protections to defend against SS7 attacks, but the patchwork nature of the global cellular network means that not all carriers are as protected as others, including those in the United States.
The Department of Homeland Security said as early as 2017 that some countries, notably China, Iran, Israel and Russia, had exploited vulnerabilities in SS7 to "exploit American users," according to a letter sent to Sen. Ron Wyden's office last year. Saudi Arabia has also been found to have abused vulnerabilities in SS7 to conduct surveillance on its citizens in the United States.