Sotera Digital Security | Blog | Mobile Security

Tracked Without Being Hacked: Inside the Citizen Lab Mobile Surveillance Report

Written by Sotera Digital Security | May 11, 2026 3:49:11 PM


Everything we're taught about mobile security assumes the same basic attack model: an attacker needs to get something onto your device. A malicious link. A compromised app. A file that, once opened, gives them a foothold. The advice that follows from this model is reasonable — don't click unknown links, keep your software updated, be cautious about what you install.

That model is incomplete. And a new investigation published by the Citizen Lab at the University of Toronto this week documents exactly how.

A Four-Hour Operation. Eleven Operator Identities. One Target.

The investigation, titled Bad Connection, details two separate surveillance campaigns against high-value individuals. In the first, a single target, described as a VVIP, was tracked continuously for four hours. The attackers queried the target's location through the signalling network that carriers use among themselves, and each time a defensive layer cut off their access they simply switched sending identity, cycling through eleven different operator identities across nine countries over the course of the operation. The target's phone was never touched. No interaction was required. The device appeared completely normal throughout.

This wasn't a demonstration or a proof of concept. It was a documented, operational surveillance campaign — the kind used against real people with real information that real actors want access to.

The Infrastructure That Makes It Possible

To understand how this works, it helps to understand something about how the global mobile network is built.

When your phone works abroad, when a call reaches you in another country or a message gets through while you're roaming, it's because mobile carriers around the world are constantly exchanging signalling messages with each other. These messages handle the logistics: where is this subscriber right now, which network are they on, how do we route traffic to them. The protocols that govern this exchange, SS7 for 2G and 3G networks and Diameter for 4G, were designed when the number of entities with access to the system was small and largely trusted, and they extend trust to a sender accordingly.

That assumption no longer holds. Access to SS7 and Diameter signalling has expanded significantly over time, and the protocols do little to verify who sent a message; SS7 in particular has no built-in authentication of the originating node. An entity that can connect to this system, legitimately or otherwise, can send queries that look, to the receiving network, like routine carrier-to-carrier communication. That includes queries that ask where a subscriber is right now: in SS7 terms, MAP operations such as AnyTimeInterrogation and ProvideSubscriberInfo, whose responses identify the cell the phone is currently attached to.

The practical consequence is that location tracking can be conducted through the network infrastructure itself, without any interaction with the target's device. The phone's owner receives no notification. Nothing installs. Nothing changes. The attack surface isn't the phone — it's the system the phone connects to.
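The campaign described above, where a defensive layer "interrupted" access and the attackers answered by rotating sender identities, comes down to a design question at the receiving carrier: does the signalling firewall judge a message by the sender's reputation, or by whether that sender is entitled to send that kind of message at all? The simulation below is an added example written for this post, not code from the Citizen Lab report or from any vendor. The global titles (SS7 sender addresses), IMSIs and timings are constructed, and the operation categories are a simplified reading of the GSMA FS.11 scheme rather than the authoritative table. It contrasts a reactive blocklist with a category-based policy, and adds the one detection rule that would have surfaced this campaign regardless: many distinct senders asking for one subscriber's location inside a short window.

```python
"""Added example: why sender blocklisting loses to global-title rotation and what does not.

Constructed simulation, not code from the Citizen Lab report. Global titles (GTs),
IMSIs and timings are made up; the category table is a simplified reading of the
GSMA FS.11 message categories, not the authoritative document.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed operator identities (SS7 global titles).
HOME_GTS = {"44770000001", "44770000002"}             # our own HLR/VLR/SCP nodes
ROAMING_PARTNER_GTS = {"33600000001", "49150000001"}  # operators we have a roaming agreement with

# Who may legitimately send which MAP operation to us (simplified FS.11-style categories):
#   1 = only ever from inside our own network
#   2 = only from the home network of a subscriber currently roaming on our network
#   3 = normal interconnect traffic from roaming partners, subject to plausibility checks
CATEGORY = {
    "AnyTimeInterrogation": 1,
    "SendIMSI": 1,
    "ProvideSubscriberInfo": 2,
    "InsertSubscriberData": 2,
    "UpdateLocation": 3,
    "SendRoutingInfoForSM": 3,
}
LOCATION_OPS = {"AnyTimeInterrogation", "ProvideSubscriberInfo"}


class ReactiveBlocklistFirewall:
    """Weak design: every sender is trusted until it has already been caught once."""

    def __init__(self):
        self.blocklist = set()

    def allow(self, msg):
        if msg["src_gt"] in self.blocklist:
            return False
        # The suspicious query goes through; only afterwards does the sender get listed.
        if CATEGORY.get(msg["op"]) == 1 and msg["src_gt"] not in HOME_GTS:
            self.blocklist.add(msg["src_gt"])
        return True


class CategoryFirewall:
    """Decides by what the message is and who sends it, not by sender reputation."""

    def allow(self, msg):
        cat, src = CATEGORY.get(msg["op"]), msg["src_gt"]
        if cat == 1:
            return src in HOME_GTS
        if cat == 2:
            return src in ROAMING_PARTNER_GTS   # a real firewall would also check the roamer's HLR
        if cat == 3:
            return src in ROAMING_PARTNER_GTS or src in HOME_GTS
        return False                            # unknown operation: deny


def passed_queries(firewall, messages):
    """Number of messages a firewall lets through."""
    return sum(1 for m in messages if firewall.allow(m))


def rotation_alerts(messages, window=timedelta(hours=4), min_sources=3):
    """Per target, the largest number of distinct GTs that asked for its location
    inside any `window`; reported when it reaches `min_sources`."""
    per_target = defaultdict(list)
    for m in messages:
        if m["op"] in LOCATION_OPS:
            per_target[m["imsi"]].append((m["time"], m["src_gt"]))
    alerts = {}
    for imsi, events in per_target.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            sources = {gt for t, gt in events[i:] if t - t0 <= window}
            best = max(best, len(sources))
        if best >= min_sources:
            alerts[imsi] = best
    return alerts


def constructed_campaign():
    """Eleven made-up foreign GTs each query one IMSI twice within four hours,
    switching identity after the first query is blocked, plus one legitimate
    UpdateLocation from a roaming partner."""
    start = datetime(2026, 1, 1, 9, 0)
    target = "234100000000001"
    msgs = []
    for i in range(11):
        gt = f"9{i:010d}"
        for offset in (0, 5):
            msgs.append({"time": start + timedelta(minutes=20 * i + offset),
                         "src_gt": gt, "op": "AnyTimeInterrogation", "imsi": target})
    msgs.append({"time": start + timedelta(minutes=30), "src_gt": "33600000001",
                 "op": "UpdateLocation", "imsi": "234109999999999"})
    return msgs


if __name__ == "__main__":
    campaign = constructed_campaign()
    print("reactive blocklist let through:", passed_queries(ReactiveBlocklistFirewall(), campaign))
    print("category firewall let through: ", passed_queries(CategoryFirewall(), campaign))
    print("rotation alerts:", rotation_alerts(campaign))
```

Against the constructed campaign the reactive blocklist lets one location query per identity through (eleven of them, plus the legitimate UpdateLocation), which is exactly the pattern the report describes; the category policy lets none of the location queries through because AnyTimeInterrogation should never arrive from an external network in the first place. The rotation detector is the complementary check for operators whose firewall is still reputation-based: it keys on the target, not the sender, so changing identity does not reset it.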

SIMjacker: When the Attack Goes Further

The second campaign documented in the Citizen Lab report introduces a different and more invasive technique. Rather than querying the network for location data, this attack delivered a hidden SMS message directly to the target's device — a message the user never saw, carrying no visible notification.

The SMS carried commands for a small application embedded in many SIM cards, the S@T Browser: a legacy SIM Toolkit application built to let carriers push menus and services to subscribers over SMS. On many SIMs it has never been disabled. The SIMjacker technique, first publicly documented in 2019, abuses it to have the SIM silently collect the identity of the serving cell (a coarse location) together with device identifiers and send them by SMS to attacker-controlled numbers.

The distinction from the first technique is important. The SS7/Diameter attack operates entirely outside the device — the phone is simply a subscriber on a network being queried. SIMjacker reaches inside the device, to the SIM card specifically. The SIM card is a separate hardware component with its own processor, its own applications, and its own communication channel with the carrier network — operating largely independently of the phone's operating system.
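Because the SIM has its own channel to the network, the hidden SMS never has to look like a text message to the phone: it is marked, in the SMS header fields, as data for the SIM, and the baseband hands it over without involving the operating system. The parser below, an added example written for this post and not code from the Citizen Lab report, reads an SMS-DELIVER PDU and reports the three routing indicators that send a message to the SIM rather than to the user: TP-PID 0x7F (3GPP TS 23.040 "(U)SIM data download"), a class 2 TP-DCS, and a user-data-header element with IEI 0x70 (3GPP TS 23.048 command packet). Both sample PDUs are constructed; the SIM-bound one carries a dummy payload after the header, not a real S@T command.

```python
"""Added example: spotting SIM-bound binary SMS, the delivery channel SIMjacker rides on.

Constructed parser and sample PDUs, not code from the Citizen Lab report. Field
values come from 3GPP TS 23.040 (TP-PID, TP-DCS) and TS 23.048 (UDH IEI 0x70).
"""

PID_SIM_DATA_DOWNLOAD = 0x7F      # TP-PID: (U)SIM data download
UDH_IEI_COMMAND_PACKET = 0x70     # user-data header IE: (U)SIM Toolkit command packet


def _digits(semi_octets):
    """Decode BCD digits stored nibble-swapped (e.g. bytes 21 43 F5 -> '12345')."""
    out = []
    for byte in semi_octets:
        out.append(f"{byte & 0x0F:X}")
        out.append(f"{byte >> 4:X}")
    return "".join(out).rstrip("F")


def message_class(dcs):
    """Message class 0..3 from TP-DCS, or None when the DCS carries no class."""
    group = dcs >> 4
    if group <= 0x3:                     # general coding group: bit 4 says whether a class is present
        return dcs & 0x3 if dcs & 0x10 else None
    if group == 0xF:                     # "data coding / message class" group: class always present
        return dcs & 0x3
    return None


def parse_sms_deliver(pdu_hex):
    """Minimal SMS-DELIVER parser returning the fields relevant to SIM routing."""
    b = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = b[pos]; pos += 1
    smsc = _digits(b[pos + 1:pos + smsc_len]) if smsc_len else ""   # skip type-of-address octet
    pos += smsc_len
    first = b[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                 # TP-UDHI: a user-data header is present
    oa_digits = b[pos]; pos += 2              # digit count, then the type-of-address octet
    oa_len = (oa_digits + 1) // 2
    originator = _digits(b[pos:pos + oa_len]); pos += oa_len
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    pos += 7                                  # TP-SCTS timestamp, not needed here
    udl = b[pos]; pos += 1
    ud = b[pos:]
    ieis = []
    if udhi:                                  # walk the user-data header: IEI, length, data, ...
        udhl, i = ud[0], 1
        while i < 1 + udhl:
            iei, iedl = ud[i], ud[i + 1]
            ieis.append(iei)
            i += 2 + iedl
    return {"smsc": smsc, "originator": originator, "pid": pid, "dcs": dcs,
            "class": message_class(dcs), "udh_ieis": ieis, "udl": udl}


def sim_bound_indicators(parsed):
    """Reasons a message would be handed to the SIM rather than shown to the user."""
    reasons = []
    if parsed["pid"] == PID_SIM_DATA_DOWNLOAD:
        reasons.append("TP-PID 0x7F: (U)SIM data download")
    if parsed["class"] == 2:
        reasons.append("TP-DCS class 2: message addressed to the SIM")
    if UDH_IEI_COMMAND_PACKET in parsed["udh_ieis"]:
        reasons.append("UDH IEI 0x70: SIM Toolkit command packet")
    return reasons


# Constructed PDUs. SIM_BOUND_PDU carries a dummy 8-byte payload after the UDH, not a real S@T command.
SIM_BOUND_PDU = ("07911326040000F0" "44" "0B91" "2143658709F1" "7F" "F6"
                 "62301211000000" "0B" "027000" "0102030405060708")
PLAIN_TEXT_PDU = ("07911326040000F0" "04" "0B91" "2143658709F1" "00" "00"
                  "62301211000000" "05" "E8329BFD06")

if __name__ == "__main__":
    for name, pdu in (("sim-bound", SIM_BOUND_PDU), ("plain text", PLAIN_TEXT_PDU)):
        p = parse_sms_deliver(pdu)
        print(name, "from", p["originator"], "->", sim_bound_indicators(p) or "nothing unusual")
```

Two caveats for anyone using this. First, these indicators mean "routed to the SIM", not "malicious": carriers use the same channel for legitimate over-the-air provisioning, so the useful signal is a SIM-bound message from an originator that is not the subscriber's own carrier. Second, because class 2 messages are consumed by the baseband and the SIM, they normally never reach the phone's operating system, so this check belongs where PDUs are visible: at the carrier's SMS filtering layer, or in a modem-level PDU log, not in an app on the handset.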

What both techniques share: the target would not know they were being surveilled. Nothing on the surface of the device would indicate it.

Who Is at Risk

The Citizen Lab is careful about attribution in this report, and so will we be here. What the investigation documents is the existence of commercial platforms — built and sold by surveillance vendors — that provide these capabilities to state and non-state clients. The targets in the documented campaigns are high-value individuals: government officials, executives, people whose location and communications are of strategic interest to someone.

That targeting profile matters. This is not mass surveillance infrastructure deployed broadly. It is precision surveillance, used selectively against people whose movements and communications are considered worth tracking. For organizations in government, defense, diplomacy, or critical infrastructure — and for the individuals within those organizations who carry sensitive information — the question of whether their mobile communications present an exploitable surface is no longer theoretical.

What Can Actually Be Done

This is where honesty requires some nuance. The SS7 and Diameter vulnerabilities documented in this report are not software bugs that a phone manufacturer can patch or a user can fix by updating their device. They are architectural characteristics of global telecommunications infrastructure, infrastructure that involves hundreds of carriers, legacy systems, and international coordination to change. Progress is being made on the carrier side, in the form of signalling firewalls that enforce which networks may send which messages and of SMS home routing, but slowly, and unevenly across carriers and regions.

What organizations can do is reduce the value and consequence of being located. Compartmentalizing sensitive communications. Understanding which individuals within an organization represent high-value surveillance targets. Auditing whether the SIM cards in devices used for sensitive functions still carry legacy applications like the S@T Browser, and asking the carrier whether it filters binary SMS addressed to the SIM from third parties. And treating mobile communications security not as a device-configuration problem but as an organizational risk management question.

The full Citizen Lab report, including technical indicators and methodology, is available at citizenlab.ca. For organizations operating in high-risk environments, it is worth reading in full.

This is the third post in a three-part series. Read the introduction here and the NCSC advisory breakdown here.