SS7, Diameter Flaws Let Attackers Track Mobile Users Globally
Key Takeaways
- Two sophisticated threat actors, STA1 and STA2, are actively exploiting critical vulnerabilities in global mobile network protocols (SS7 and Diameter) to track users worldwide.
- The attacks leverage inherent trust models and weak security implementations in telecom networks, enabling “Ghost Operators” to bypass firewalls and mask their origins.
- STA1 primarily manipulates network routing and spoofs operator identities, while STA2 employs a more invasive approach using zero-click SMS payloads to extract location data directly from devices.
- The vulnerabilities stem from the SS7 protocol’s lack of authentication and weak security enforcement in the 4G Diameter protocol across the industry.
- Mobile operators are urged to move away from legacy trust models and implement strong cryptographic authentication to mitigate these pervasive surveillance threats.
Global Mobile Networks Under Siege: Sophisticated Actors Exploit Core Protocols for Worldwide Tracking
A recent in-depth investigation has brought to light the active exploitation of fundamental vulnerabilities within global mobile networks, enabling advanced threat actors to conduct pervasive surveillance and track users across international borders. These malicious entities are systematically leveraging weaknesses in both legacy and modern signaling protocols to bypass existing telecom defenses.
The extensive research conducted by Citizen Lab identified two distinct surveillance groups, designated STA1 and STA2, which have been operating long-term espionage campaigns. These groups capitalize on the deep-seated trust inherent in global telecom interconnect networks to launch their attacks. By effectively operating as “Ghost Operators,” they manipulate routing data to obscure their true origins while precisely pinpointing the locations of high-value targets.
Exploiting SS7 and Diameter Protocols
The underlying cause of these global tracking capabilities lies in structural deficiencies within international mobile communication standards. The older 3G Signaling System No. 7 (SS7) protocol lacks any authentication of the network that sends a request. The 4G Diameter protocol, although newer, suffers from inconsistent and often weak security implementations across the telecommunications industry.
Attackers frequently abuse "combined attach" procedures, which allow a roaming device to register with both 3G and 4G networks at the same time. This gives threat actors a seamless pathway to pivot between the two protocols and exploit whichever one is weaker at a given operator. Citizen Lab's investigation detailed two distinct methodologies employed for covert mobile surveillance.
STA1: Network Routing Manipulator
STA1 primarily executes its tracking operations through sophisticated signaling routing manipulation. This threat actor rapidly switches between SS7 and Diameter protocols, probing for and exploiting vulnerabilities in telecom firewalls. STA1 effectively evades detection by spoofing network data, making its malicious requests appear as legitimate operator traffic. This allows its activities to blend seamlessly into the vast flow of global telecom communications.
STA2: Device-Level Exploitation
In contrast, STA2 employs a more aggressive approach, heavily relying on a zero-click binary SMS payload as its core attack vector. This actor’s strategy combines SS7 network probing with malicious SIM Toolkit commands to directly extract location data from the target’s mobile device. To maintain stealth, STA2 utilizes silent, low-priority push messages that do not trigger alerts or notifications on the victim’s phone, ensuring the surveillance remains undetected.
The ongoing surveillance crisis highlighted by Citizen Lab underscores a significant blind spot within the global telecommunications sector. Mobile operators frequently depend on third-party interconnect routing hubs that often possess dangerously weak traffic screening capabilities. Until the industry abandons its outdated peer-to-peer trust models and enforces robust cryptographic authentication across its infrastructure, mobile users worldwide will continue to be exposed to these insidious and unseen tracking threats.
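One way an operator or interconnect hub could screen incoming signalling for the patterns this article describes (a partner identity arriving over the wrong peer, location requests from unknown senders, and STA1's rapid switching between SS7 and Diameter against one target), as an added example that is not from the Citizen Lab report or the article. The allowlist, peer names, IMSIs and log format are invented for illustration; only the MAP/Diameter operation abbreviations are real.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed allowlist (values invented): for each claimed origin (SS7 Global Title
# prefix or Diameter Origin-Realm), the interconnect peers allowed to deliver it.
PARTNERS = {
    ("ss7", "4479"): {"carrier-a"},
    ("diameter", "epc.mnc001.mcc234.3gppnetwork.org"): {"carrier-a", "carrier-b"},
}
# Operations that return or update a subscriber's location (real MAP/Diameter
# abbreviations; the records further down are constructed).
LOCATION_OPS = {"ATI", "PSI", "SRI-SM", "UL", "IDR", "ULR"}

@dataclass
class Record:
    ts: float     # arrival time in seconds
    proto: str    # "ss7" or "diameter"
    origin: str   # claimed origin (GT prefix or Origin-Realm)
    peer: str     # interconnect hub that actually delivered the message
    op: str       # operation abbreviation
    imsi: str     # targeted subscriber

def parse(line: str) -> Record:
    ts, proto, origin, peer, op, imsi = line.split()
    return Record(float(ts), proto, origin, peer, op, imsi)

def screen(lines, switch_window=30.0):
    """Alerts for a partner identity arriving over the wrong peer (origin-spoof),
    location requests from unknown senders, and one target probed over both
    protocols within switch_window seconds (the rapid switching described above)."""
    alerts, per_imsi = [], defaultdict(list)
    for r in map(parse, lines):
        allowed = PARTNERS.get((r.proto, r.origin))
        if allowed is None and r.op in LOCATION_OPS:
            alerts.append(("unknown-origin-location-probe", r.imsi, r.origin))
        elif allowed is not None and r.peer not in allowed:
            alerts.append(("origin-spoof", r.imsi, f"{r.origin} via {r.peer}"))
        if r.op in LOCATION_OPS:
            per_imsi[r.imsi].append(r)
    for imsi, recs in per_imsi.items():
        recs.sort(key=lambda x: x.ts)
        for a, b in zip(recs, recs[1:]):
            if a.proto != b.proto and b.ts - a.ts <= switch_window:
                alerts.append(("protocol-switch", imsi, f"{a.op}/{a.proto} -> {b.op}/{b.proto}"))
    return alerts

# Constructed sample records, "ts proto origin peer op imsi" (all values invented).
SAMPLE = """100.0 ss7 4479 carrier-a SRI-SM 234010000000001
103.5 ss7 4479 carrier-x ATI 234010000000001
105.0 diameter epc.mnc001.mcc234.3gppnetwork.org carrier-b IDR 234010000000001
200.0 ss7 3312 carrier-a PSI 234010000000002""".splitlines()
```

Running `screen(SAMPLE)` yields three alerts: the ATI claiming partner prefix 4479 over an unexpected peer, the PSI from an unknown origin, and the SS7-then-Diameter probing of the first subscriber within 1.5 seconds.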
What You Should Do
- Advocate for Stronger Security Standards: As a consumer, support initiatives and network providers that prioritize advanced security protocols and move away from legacy, unauthenticated systems.
- Limit Roaming When Possible: Be aware that roaming can expose your device to a wider array of network vulnerabilities, as traffic traverses multiple third-party networks.
- Stay Informed: Keep abreast of reports from cybersecurity researchers like Citizen Lab, which often identify critical vulnerabilities and provide insights into sophisticated attacks.
- Demand Industry Action: Encourage your mobile service provider to invest in enhanced security measures, including strict cryptographic authentication for all signaling protocols, to protect user privacy and location data.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.