Your SIM Card Can Be Turned Into a Tracking Device — Without Touching Your Phone
There’s a question worth sitting with for a moment: how many apps have you checked for location access this week?
Most people have gone through that routine. Audit the permissions, revoke the suspicious ones, maybe switch to a privacy browser. It feels productive. The problem is that the surveillance described in Citizen Lab’s new report has nothing to do with apps. It happens in the pipes underneath — in the protocols that connect mobile networks around the world — and there is nothing on your phone that would show you it’s happening.
On April 23, 2026, Citizen Lab released “Bad Connection,” documenting two separate campaigns by commercial surveillance vendors who set up ghost telecom companies, gained access to the global mobile signaling network, and used that access to track people’s phone locations. No device compromise. No phishing link. Just fraudulent queries, running through the same infrastructure that routes your international roaming.
Direct Answer: What are the SS7 and Diameter vulnerabilities and can they track your phone?
SS7 (Signaling System 7) is the protocol suite that underpins global mobile networks. Its design dates from the mid-1970s (the ITU standardized it in 1980), and it still carries the signaling for 2G and 3G networks, for international roaming and for much of the world’s SMS routing. It has a fundamental architectural problem: it was built on the assumption that everyone with access to the network is a legitimate operator. Nothing authenticates the sender of a signaling message. Anyone who can get into the SS7 network can send queries as though they are a mobile carrier, and the network will answer them. Diameter is the newer protocol, designed for 4G/LTE and still in use wherever 5G rides on an LTE core. It does support peer authentication and transport protection (TLS or IPsec between peers), but most carriers have not actually turned those on across roaming interconnects, because doing so disrupts roaming partnerships. Citizen Lab’s April 2026 report found two sophisticated surveillance campaigns, STA1 and STA2, exploiting these protocols. The vendors behind them operated as “ghost operators”, front companies that obtained legitimate access to the signaling network, and used that access to locate specific phones. STA2 alone logged over 15,000 location-tracking attempts since 2022. The attacks are invisible on the target’s phone. There is no notification, no battery drain signature, no log entry.
Vucense 2026 Mobile Privacy Threat Index
How different attack vectors that track your phone compare on stealth, reach, and what actually reduces your exposure.
| Attack Vector | Requires Device Compromise | Visible to Target | Carrier Can Block | Individual Mitigation | Threat Level |
|---|---|---|---|---|---|
| SS7 location tracking (STA1) | ❌ None | ❌ Completely invisible | ✅ With signaling firewall | ⚠️ Limited — Signal helps, SMS vuln remains | Critical |
| Diameter location tracking (STA1 fallback path) | ❌ None | ❌ Completely invisible | ✅ With proper Diameter filtering | ⚠️ Same as SS7 | Critical |
| SIMjacker (silent OTA SMS to the SIM, STA2) | ❌ None | ❌ Message never shown | ✅ Drop unauthenticated OTA packets, retire legacy SIM applets | ⚠️ Limited | Critical |
| IMSI Catcher / Stingray | ❌ None | ❌ Invisible | ❌ Rogue base station, outside the carrier’s network | ✅ Faraday bag, airplane mode | High |
| App-level location tracking | ✅ App installed | ⚠️ Permissions list | ✅ OS permission controls | ✅ Revoke permissions | Moderate |
| Spyware / Pegasus | ✅ Zero-click exploit | ❌ Hidden | ❌ Hard to block | ✅ Regular updates, MVT scan | Critical (targeted) |
Threat level reflects severity for targeted individuals. SS7/Diameter attacks are generally not mass surveillance — they require per-target queries and are used against specific high-value targets.
What the Citizen Lab Report Actually Found
The investigation started with anomalous activity in signaling firewall logs — patterns that looked wrong but could be explained away. Citizen Lab worked with telecom security firm Cellusys, along with Telenor Linx and P1 Security, to correlate those patterns with global operator networks. What they found were two distinct campaigns with different methods but the same structural exploit at the core.
STA1 is the older and more versatile of the two. It runs on a combination of SS7 and Diameter, switching between them depending on which one works for the target network. Researchers found it linked to Israeli operator 019Mobile and British company Tango Networks UK, both used as “entry and transit points” for the surveillance traffic, meaning the queries flowed through these carriers to reach their targets, hiding behind legitimate-looking international roaming requests. The campaign used a standard SS7 MAP location query, ProvideSubscriberInfo, to trick carriers into revealing which cell tower a phone was connected to. That query is answered by the switch (VLR/MSC) where the phone is registered and returns the Cell Global Identity of the last cell the phone was seen in, together with the age of that fix. To send it, an attacker first needs the target’s IMSI and the address of that switch, and the same unauthenticated network hands both out through routine queries, most commonly SendRoutingInfoForSM, a message whose legitimate job is SMS delivery. When SS7 attempts failed, the campaign switched to Diameter, where the equivalent probe is an Insert-Subscriber-Data request on the S6a interface with the EPS-Location-Information flag set, exploiting the same fundamental trust model.
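To make that chain concrete, here is an added Python model (not Citizen Lab’s tooling or data) of the two-step lookup over SS7 or Diameter and of the interconnect checks that break it. Everything in it is constructed for illustration: the home global-title range, the Diameter realm, the IMSIs and cell identities, the sample subscribers, and the category tables, which are a deliberate simplification of the GSMA FS.11 (SS7) and FS.19 (Diameter) interconnect guidance. It goes a little beyond the paragraph in two ways: it shows that a category filter alone still leaks the serving network through SendRoutingInfoForSM, which a firewall cannot simply block because foreign SMS centres legitimately send it, and it shows SMS home routing as the fix for that step. It also returns the age of the last location fix, which is what an attacker still gets from a phone that has gone quiet.

```python
"""
STA1-style two-step location lookup, over SS7 MAP or Diameter S6a, and the
interconnect checks that break it. Added example, not Citizen Lab's tooling:
all identifiers below are constructed, and the category rules are a simplified
reading of GSMA FS.11 / FS.19 guidance.
"""
from dataclasses import dataclass
from typing import Optional

HOME_PLMN = "23410"                                 # hypothetical home PLMN (MCC 234, MNC 10)
HOME_GT_PREFIX = "44777"                            # hypothetical SS7 global-title range of the home network
HOME_REALM = "epc.mnc010.mcc234.3gppnetwork.org"    # Diameter realm for the same PLMN (3GPP naming style)
SMS_ROUTER_GT = "44777200099"                       # hypothetical SMS home-routing node


@dataclass
class Subscriber:
    msisdn: str
    imsi: str
    serving_node: str          # GT of the VLR/MSC (or MME) the phone is registered at
    cgi: str                   # last known Cell Global Identity, MCC-MNC-LAC-CI
    age_of_location_min: int   # minutes since the serving node last heard from the handset


# Constructed sample subscribers: one at home and active, one roaming abroad and
# silent for 95 minutes (airplane mode); the VLR still holds the last cell.
SUBSCRIBERS = {
    "447700900123": Subscriber("447700900123", "234100000000001", "44777100001", "234-10-0A1B-2C3D", 0),
    "447700900456": Subscriber("447700900456", "234100000000002", "49172000077", "262-01-1F00-0042", 95),
}


@dataclass
class SigMsg:
    protocol: str              # "SS7-MAP" or "Diameter-S6a"
    operation: str             # MAP operation name, or Diameter command plus the flag that matters
    origin: str                # SCCP calling-party GT or Diameter Origin-Realm; never authenticated
    msisdn: Optional[str] = None
    imsi: Optional[str] = None


class HomeNetwork:
    """HLR/HSS and VLR/MME behaviour of a network that answers whatever it is asked."""

    def __init__(self, subs, sms_home_routing=False):
        self.subs = subs
        self.sms_home_routing = sms_home_routing

    def answer(self, msg):
        if msg.operation == "sendRoutingInfoForSM":
            s = self.subs[msg.msisdn]
            if self.sms_home_routing:
                # 3GPP TS 23.840 SMS home routing: hand out a correlation identity and the
                # home SMS router instead of the real IMSI and serving node.
                return {"imsi": HOME_PLMN + "9" * 10, "networkNodeNumber": SMS_ROUTER_GT}
            return {"imsi": s.imsi, "networkNodeNumber": s.serving_node}
        if msg.operation in ("provideSubscriberInfo", "IDR:EPS-Location-Information"):
            s = next((x for x in self.subs.values() if x.imsi == msg.imsi), None)
            if s is None:
                return {"error": "unknownSubscriber"}
            # MAP PSI and Diameter IDR both return the last known cell and how stale it is.
            return {"cellGlobalId": s.cgi, "ageOfLocationInformation": s.age_of_location_min}
        raise ValueError(f"operation not modelled: {msg.operation}")


# Simplified FS.11-style categories for messages arriving from OUTSIDE the home network.
CAT1_NEVER_FROM_INTERCONNECT = {"anyTimeInterrogation", "sendIMSI", "provideSubscriberLocation"}
CAT2_ONLY_FROM_SUBSCRIBERS_HOME = {"provideSubscriberInfo", "insertSubscriberData",
                                   "cancelLocation", "IDR:EPS-Location-Information"}
# Category 3 (updateLocation, sendAuthenticationInfo, ...) needs a plausibility check of
# the sender against the subscriber's current location and is not modelled here.


def firewall(msg: SigMsg) -> str:
    """Verdict for one interconnect message: 'ALLOW' or 'BLOCK:<reason>'."""
    if msg.origin.startswith(HOME_GT_PREFIX) or msg.origin == HOME_REALM:
        return "ALLOW"                           # internal traffic never crosses the interconnect
    if msg.operation in CAT1_NEVER_FROM_INTERCONNECT:
        return "BLOCK:cat1"
    if msg.operation in CAT2_ONLY_FROM_SUBSCRIBERS_HOME:
        # A Cat-2 query about one of OUR subscribers can only legitimately originate inside
        # our own network; from a foreign GT or realm it is a location probe.
        if msg.imsi and msg.imsi.startswith(HOME_PLMN):
            return "BLOCK:cat2-own-subscriber-from-interconnect"
        return "ALLOW"                           # inbound roamer: the roamer's home HLR/HSS may ask
    return "ALLOW"                               # e.g. SRI-SM, which foreign SMSCs legitimately send


def locate(network: HomeNetwork, msisdn: str, origin: str, protocol="SS7-MAP", fw=None) -> dict:
    """STA1-style lookup from a leased foreign GT or realm. Step 1: SRI-SM to the home HLR
    for IMSI and serving node. Step 2: PSI (SS7) or IDR with the EPS-Location-Information
    flag (Diameter) to that node for the cell. fw, if given, screens each step."""
    trace = {"serving_node": None, "cell": None, "age_min": None, "blocked_at": None}
    step1 = SigMsg("SS7-MAP", "sendRoutingInfoForSM", origin, msisdn=msisdn)
    if fw and fw(step1) != "ALLOW":
        trace["blocked_at"] = step1.operation
        return trace
    routing = network.answer(step1)
    trace["serving_node"] = routing["networkNodeNumber"]   # already reveals country and operator
    op = "provideSubscriberInfo" if protocol == "SS7-MAP" else "IDR:EPS-Location-Information"
    step2 = SigMsg(protocol, op, origin, imsi=routing["imsi"])
    if fw and fw(step2) != "ALLOW":
        trace["blocked_at"] = op
        return trace
    loc = network.answer(step2)
    trace["cell"] = loc.get("cellGlobalId")
    trace["age_min"] = loc.get("ageOfLocationInformation")
    return trace


if __name__ == "__main__":
    naive, hardened = HomeNetwork(SUBSCRIBERS), HomeNetwork(SUBSCRIBERS, sms_home_routing=True)
    print("no firewall      ", locate(naive, "447700900456", origin="3524200001"))
    print("firewall only    ", locate(naive, "447700900123", origin="3524200001", fw=firewall))
    print("fw + home routing", locate(hardened, "447700900123", origin="3524200001", fw=firewall))
```

Run stand-alone, the three scenarios print the cell and its age for the unprotected network (including the 95-minute-old fix for the roamer in airplane mode), a block at the second step with the serving switch already leaked for the firewall-only network, and a block with nothing but the SMS router’s address for the network that also home-routes SMS. The point of the shared `firewall` function is that the Diameter path is stopped by exactly the same rule as the SS7 path: what matters is who is allowed to ask about whom, not which protocol carries the question.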
STA2 is quieter and more targeted. Instead of repeated network queries, it relied on a specific weapon: silent binary SMS messages addressed to the SIM card rather than to the user. These messages carry OTA (Over-The-Air) commands, which exist so that carriers can configure SIM cards remotely: provisioning settings, updating applets, fixing faults without a physical swap. The handset passes them straight to the SIM, which processes them; they never reach the messaging app or the screen. STA2 used them to make the SIM report the phone’s current cell back to an attacker-controlled number in a hidden return SMS. Researchers linked STA2 to infrastructure patterns previously associated with Swiss-based Fink Telecom Services (FTS). Over 15,000 tracking attempts were attributed to this campaign since 2022.
Gary Miller, one of the lead researchers, told TechCrunch that the STA1 campaign showed “clues pointing to an Israeli-based commercial geo-intelligence provider with specialized telecom capabilities.” Citizen Lab declined to name either vendor directly — a deliberate choice, explained by Ron Deibert, Citizen Lab’s director, in his newsletter: “Given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are.”
The report’s key finding isn’t just that these two campaigns existed. It’s that the researchers believe this is “a small snapshot of what they believe to be widespread exploitation.” Miller put it directly: “These two campaigns are just the tip of the iceberg. We focused on two campaigns in the global context of millions of attacks.”
The Structural Problem
SS7 was designed in the 1970s on a model of trust among a small club of national phone carriers. The assumption was that if you had access to the signaling network, you were legitimate. That assumption made sense when there were perhaps a hundred carriers globally, most of them state monopolies or tightly regulated national incumbents, all with legal accountability in their jurisdictions.
Today, there are thousands of operators, wholesale carriers, and third-party signaling intermediaries worldwide. Access to the SS7 network is commercially available: you can lease a “global title”, the address that identifies a node in the signaling network, from an intermediary, and the network routes whatever you send from it. This is how the ghost operators in Citizen Lab’s report gained their foothold: they obtained legitimate network access and then used it illegitimately. There was no credential to steal, because the protocol never asks for one.
Diameter was supposed to fix this. Designed for 4G/LTE, it supports peer authentication, transport protection (TLS or IPsec between peers), and a peer model in which a node can be configured to accept only particular commands from particular partners, none of which SS7 has. The problem is that enforcing these controls properly often breaks roaming partnerships, because the partner carrier, and every intermediary in between, also has to implement the same standards. The industry has collectively decided, across thousands of bilateral roaming agreements, to leave Diameter’s security features turned off rather than risk disrupting roaming revenue. The FCC opened a probe into both SS7 and Diameter vulnerabilities in 2024. Senator Ron Wyden has repeatedly pressed CISA for a comprehensive report. Neither has produced structural reform.
Who Gets Targeted — and Why This Matters Even If You’re Not a Journalist
Citizen Lab is careful to note that these campaigns appear to be targeted surveillance, not mass collection. The STA2 campaign logged 15,000 attempts over four years — roughly ten per day, spread across specific targets. This is not Strava passively logging every UK soldier’s run. It’s more deliberate: identify a target, run location queries, track movements over time.
The typical targets for SS7 surveillance are the same people who’ve historically attracted state-sponsored spyware: journalists covering sensitive stories, human rights defenders in authoritarian-adjacent environments, opposition politicians, corporate executives involved in sensitive negotiations, and occasionally their family members. If you are none of these things, your personal risk from STA1 and STA2 specifically is low.
But here’s why the structural story matters beyond the targeted victim count: the same infrastructure vulnerability that allows a commercial vendor to sell location tracking as a service to government clients can, in principle, be used by anyone who obtains signaling network access. The FCC’s 2024 probe documented that China, Iran, Israel, and Russia have all used SS7 vulnerabilities to “exploit US subscribers.” Saudi Arabia has been documented tracking its citizens through SS7 while they were physically in the United States. The distinction between “targeted state surveillance” and “your carrier’s data being accessible to foreign intelligence services” is thinner than it looks.
Two-factor authentication is the practical point where this becomes relevant to everyone. Many banks, email services, and social platforms still rely on SMS as their second authentication factor. An SS7 attacker can intercept SMS messages with the same unauthenticated access: register the target’s number at a switch the attacker controls (an UpdateLocation message the home network accepts without question), and every incoming text, authentication codes included, is routed there. The attacker logs in to your accounts and leaves no trace on your phone. This is not theoretical: SS7-based SMS interception was used in documented bank account takeovers years before the current report, the 2017 thefts from O2 customers in Germany being the best-known case. The solution has been available for years; most people haven’t implemented it.
The SIMjacker Detail Deserves More Attention
The STA2 campaign’s SIMjacker-style attack is the one that should get more coverage than it has. Understanding it changes how you think about your phone as a device.
Your SIM card is not passive storage. It runs a small operating system, typically a Java Card runtime hosting SIM Toolkit applets, and can execute commands sent to it remotely by your carrier. This is legitimate and useful: carriers use OTA commands to push SIM configuration updates, enable features, and fix issues without requiring physical SIM replacement. The commands arrive as binary SMS messages flagged for the SIM (TP-PID “SIM data download”, message class 2); the phone’s baseband hands them to the SIM in an ENVELOPE command, and the messaging app, and therefore the user, never sees them. They cannot be blocked by any app.
The SIMjacker attack works by sending a specially formatted OTA command packet, carried in such a binary SMS, from an attacker-controlled system to a specific phone number, through an SMS aggregator or directly over SS7. The packet is addressed to a toolkit applet on the SIM (in the original 2019 research, the S@T Browser) that accepts commands without any cryptographic signature or checksum, so nothing stops it from running attacker-supplied instructions. Those instructions make the SIM ask the handset for its current cell identifier (a PROVIDE LOCAL INFORMATION proactive command) and send the result in a hidden SMS to the attacker’s number (SEND SHORT MESSAGE). The whole exchange happens at the SIM card level. Your phone’s screen stays off. No notification appears. Your battery drains by an immeasurable fraction. The attack is complete.
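The following added Python example (not code from the report, nor from any SIM or handset vendor) shows the message format behind both the STA2 description above and this SIMjacker walkthrough: a parser for the SMS-PP “SIM data download” envelope and its OTA command packet, a toy SIM that applies a per-applet minimum security level, and the carrier-side filter for the same traffic. The header layout follows ETSI TS 102 225 (command packet) and 3GPP TS 23.040 (user-data header), and the proactive-command type values are from ETSI TS 102 223; the TAR value, the sample bytes, and the one-byte “bytecode” the toy applet interprets are constructed for illustration and are not S@T Browser bytecode. The toy SIM only checks what the packet’s security parameter indicator claims; a real SIM would also verify the checksum and the replay counter.

```python
"""
SMS-PP 'SIM data download' parser, a toy SIM enforcing a minimum security level
per applet, and the carrier-side filter for OTA traffic. Added example, not code
from the report or any vendor. Layout per ETSI TS 102 225 and 3GPP TS 23.040;
TAR, sample bytes and the toy 'bytecode' are constructed for illustration.
"""
from dataclasses import dataclass

TP_PID_SIM_DATA_DOWNLOAD = 0x7F        # TS 23.040: "(U)SIM data download"
DCS_CLASS2_8BIT = {0xF6, 0x16}         # TS 23.038: message class 2 (SIM-specific), 8-bit data
IEI_COMMAND_PACKET = 0x70              # TS 23.040 / TS 102 225: (U)SIM toolkit security header
INTEGRITY_LEVELS = ("none", "RC", "CC", "DS")   # SPI byte 1, bits b1b2
PROACTIVE = {0x26: "PROVIDE LOCAL INFORMATION", 0x13: "SEND SHORT MESSAGE"}  # TS 102 223 types
BROWSER_TAR = b"\x53\x40\x54"          # hypothetical TAR of a legacy browser applet (constructed)
LOCATE_THEN_REPORT = bytes([0x26, 0x13])   # toy payload: read the cell, then send an SMS with it


@dataclass
class CommandPacket:
    spi1: int
    spi2: int
    tar: bytes
    counter: int
    rc_cc_ds: bytes
    data: bytes

    @property
    def integrity(self) -> str:
        return INTEGRITY_LEVELS[self.spi1 & 0x03]


def parse_sim_download(tp_pid: int, tp_dcs: int, user_data: bytes):
    """Return the command packet if the handset would pass this SMS to the SIM as an
    ENVELOPE(SMS-PP DOWNLOAD) (TS 31.111: TP-PID = SIM data download and class 2),
    otherwise None. A message that yields a packet never reaches the messaging app."""
    if tp_pid != TP_PID_SIM_DATA_DOWNLOAD or tp_dcs not in DCS_CLASS2_8BIT:
        return None
    udhl = user_data[0]
    udh, body = user_data[1:1 + udhl], user_data[1 + udhl:]
    ies, i = {}, 0
    while i < len(udh):                # each IE is IEI, IEDL, data
        iei, iedl = udh[i], udh[i + 1]
        ies[iei] = udh[i + 2:i + 2 + iedl]
        i += 2 + iedl
    if IEI_COMMAND_PACKET not in ies:
        return None
    cpl, chl = int.from_bytes(body[0:2], "big"), body[2]
    if cpl != len(body) - 2 or chl < 13 or len(body) < 3 + chl:
        raise ValueError("malformed command packet")
    hdr = body[3:3 + chl]              # SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(n)
    return CommandPacket(spi1=hdr[0], spi2=hdr[1], tar=bytes(hdr[4:7]),
                         counter=int.from_bytes(hdr[7:12], "big"),
                         rc_cc_ds=bytes(hdr[13:]), data=bytes(body[3 + chl:]))


def build_ota_sms(spi1: int, tar: bytes, payload: bytes, counter: int = 1):
    """Constructed SMS-PP download as (TP-PID, TP-DCS, TP-UD) carrying one command packet.
    An 8-byte placeholder stands in for RC/CC/DS when SPI asks for one (not verified here)."""
    rc_cc_ds = b"" if spi1 & 0x03 == 0 else b"\x00" * 8
    header = bytes([spi1, 0x00, 0x00, 0x00]) + tar + counter.to_bytes(5, "big") + b"\x00" + rc_cc_ds
    body = bytes([len(header)]) + header + payload          # CHL, header, secured data
    udh = bytes([0x02, IEI_COMMAND_PACKET, 0x00])           # UDHL=2, IEI 0x70 with empty data
    return TP_PID_SIM_DATA_DOWNLOAD, 0xF6, udh + len(body).to_bytes(2, "big") + body


class ToySim:
    """Toolkit applets keyed by TAR, each with a minimum security level (MSL): the lowest
    SPI integrity setting it accepts. The original Simjacker target accepted 'none'."""

    def __init__(self, applets: dict):
        self.applets = applets

    def envelope_sms_pp_download(self, pkt: CommandPacket):
        """('rejected', reason) or ('executed', [proactive commands the applet issued])."""
        required = self.applets.get(pkt.tar)
        if required is None:
            return ("rejected", "unknown TAR")
        if INTEGRITY_LEVELS.index(pkt.integrity) < INTEGRITY_LEVELS.index(required):
            return ("rejected", f"below MSL: packet has {pkt.integrity}, applet needs {required}")
        # A real applet verifies RC/CC/DS and the counter here; the toy trusts the SPI.
        return ("executed", [PROACTIVE.get(b, f"unknown 0x{b:02x}") for b in pkt.data])


def interconnect_filter(pkt: CommandPacket, retired_tars=frozenset({BROWSER_TAR})) -> str:
    """Carrier-side rule for mobile-terminated OTA traffic from outside the network:
    drop packets aimed at retired applets and packets carrying no integrity protection."""
    if pkt.tar in retired_tars:
        return "DROP:retired-applet"
    if pkt.integrity == "none":
        return "DROP:unauthenticated-ota"
    return "FORWARD"


def simjacker_demo(required_level: str):
    """Deliver the same unsigned locate-and-report packet to a SIM with the given MSL."""
    pid, dcs, ud = build_ota_sms(0x00, BROWSER_TAR, LOCATE_THEN_REPORT)   # SPI 0x00: no RC/CC/DS
    pkt = parse_sim_download(pid, dcs, ud)
    return ToySim({BROWSER_TAR: required_level}).envelope_sms_pp_download(pkt)


if __name__ == "__main__":
    print("legacy SIM   ", simjacker_demo("none"))
    print("hardened SIM ", simjacker_demo("CC"))
```

Run stand-alone, the legacy SIM executes the two proactive commands that make up the attack, and the SIM with a minimum security level of CC rejects the identical packet. Two things are worth noticing: the handset’s only decision is in `parse_sim_download`, where TP-PID and class alone route the message to the SIM, which is why no app can see it; and the two effective controls sit outside the handset, in the SIM’s MSL and in the carrier’s `interconnect_filter`.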
The mitigations are limited but not zero. The effective ones belong to the carrier: remove or disable legacy SIM applets that are no longer needed, and require every OTA command packet to carry a cryptographic checksum or signature (the SIM’s minimum security level), so that an unsigned packet from an outsider is dropped by the SIM itself. Some carriers have done this; it is not something you can configure. Handset-side controls are inherently weaker, because the command is executed by the SIM rather than by the phone’s operating system; the most an OS can do is refuse to forward particular message classes to the SIM. On that front, iOS 26 and later is reported to include enhanced SIM security controls, and GrapheneOS provides the most comprehensive SIM security implementation available on Android. Check the release notes for what each of these actually enforces before relying on it.
What You Can Actually Do
The honest answer is that SS7 and Diameter attacks are not something individuals can prevent at the network level. The vulnerability is in the infrastructure, owned and operated by carriers who have commercial incentives to maintain broad interoperability rather than implement security controls that might break roaming.
But there are meaningful things that reduce your exposure or the value of a successful attack.
Move your two-factor authentication off SMS, today. This is the highest-impact action for most readers. Install Aegis (Android, open-source) or Ente Auth (cross-platform, open-source, end-to-end encrypted) and move every account from SMS codes to TOTP codes. A TOTP code is computed on your device from a shared secret and the current time; nothing is sent to you, so an SS7 attacker who can intercept your SMS messages has nothing to intercept. TOTP can still be phished by a fake login page, so where an account offers a hardware security key or a passkey (FIDO2), prefer that over TOTP. Do your bank, your email, and your password manager first.
Use Signal for sensitive conversations. Signal’s encryption operates at the application layer, above the SS7 and Diameter protocols. An attacker who can track your location via SS7 cannot read your Signal messages. Regular SMS and calls are visible to anyone with SS7 access. Voice calls over Signal encrypt the audio end-to-end. This is not a complete solution — your location is still trackable even if your communications are secure — but it significantly reduces what the attacker gains from network access.
Understand what airplane mode actually does. Airplane mode disconnects your phone from the cellular network, so the network cannot page the phone for a fresh position. It does not erase what the network already knows: the switch you were last registered at keeps your last cell, and a location query returns that cell together with its age, so an attacker still learns where you were when you switched off and how long ago. Airplane mode also does not prevent location tracking via Wi-Fi or Bluetooth if those remain active. If you need genuine RF isolation, in contexts where you have specific reason to believe you’re a surveillance target, use a Faraday bag, not just airplane mode.
Ask your carrier directly about SS7 security. Most carriers have customer-facing security teams. Asking them whether they have deployed signaling firewalls and whether they block deprecated OTA commands is a legitimate question. Most carriers have done some version of this after years of public pressure; not all have been comprehensive. In the US, AT&T, Verizon, and T-Mobile have all deployed various signaling protections. The weaker links tend to be smaller regional carriers and international roaming partners.
For journalists, activists, and high-risk users: request a Mobile Verification Toolkit scan. The MVT (Mobile Verification Toolkit), developed by Amnesty International’s Security Lab, can scan both Android and iOS devices for indicators of compromise from known spyware including Pegasus. It won’t detect SS7 attacks directly, since those leave no trace on the device, but it will surface other surveillance vectors that often accompany targeted campaigns. Security Without Borders, an independent non-profit, provides direct support to civil society members facing elevated risk.
FAQ: SS7, Ghost Operators, and Your Phone
Q: What is SS7 and why is it still in use? SS7 is the signaling protocol suite that global mobile networks use to coordinate calls, SMS routing, and roaming across carriers. It was developed in the mid-1970s and standardized by the ITU in 1980, and it is still in active use because ripping it out would require coordinated replacement across thousands of carriers in dozens of countries simultaneously. International SMS and voice calls, including many bank authentication codes and verification messages, still route through SS7 infrastructure. It is not going away quickly; it is being patched around.
Q: Why can’t phone companies just fix SS7? The vulnerability is architectural, not a bug in a specific piece of software. SS7’s trust model assumes that everyone connected to the network is a legitimate carrier. Changing that assumption requires authenticating every query, which in turn requires every carrier globally to implement the same authentication standards simultaneously — a coordination problem involving thousands of independent companies across more than 200 countries, each with bilateral roaming agreements that would need renegotiation. The economic incentive to fix it is weaker than the economic incentive to maintain interoperability. Diameter was supposed to solve this, but carriers have left its security features disabled for the same reason.
Q: Are these attacks being used against regular people? Based on current evidence, SS7 and Diameter-based location tracking is primarily used for targeted surveillance — specific individuals of interest to government clients. The 15,000 STA2 tracking attempts over four years work out to roughly ten per day, suggesting discrete targets rather than mass collection. The risk to a random individual is currently low. The risk to journalists, activists, opposition politicians, or anyone whose movements might be of interest to a state-level actor is meaningfully higher.
Q: Does using a VPN protect against SS7 tracking? No. A VPN encrypts the IP traffic between your device and the VPN server; it runs inside the data session your phone has already been granted. SS7 and Diameter attacks operate in the mobile network’s signaling plane, the control traffic between carriers that decides where your phone is registered and how to reach it, which exists whether or not you have any data session at all. A VPN prevents your ISP from seeing what websites you visit. It does nothing to prevent your carrier’s signaling infrastructure from revealing your cell tower location to an SS7 query. These are different attack surfaces. VPNs remain valuable for other privacy reasons; they are simply not relevant to this specific threat.
Q: Who are the surveillance vendors behind these campaigns? Citizen Lab declined to name either vendor, citing the opaque nature of the telecom signaling infrastructure and the difficulty of attribution. For STA1, researchers said clues point toward an Israeli-based commercial geo-intelligence provider. For STA2, the infrastructure overlaps with patterns previously associated with Fink Telecom Services (FTS), a Swiss-based firm. Both vendors’ government clients remain unidentified.
Q: What is the SIMjacker attack and how does it work? SIMjacker is a class of attack in which a specially formatted OTA (Over-The-Air) command packet is sent to a target’s SIM card inside a binary SMS. A toolkit applet on the SIM that does not require the packet to be signed executes the command, collecting the current cell identifier, and the SIM sends the result back to the attacker in a hidden SMS. The attack is entirely invisible to the user: the phone’s display never activates, no notification appears, and no log entry is created on the device. It was first documented in 2019 by AdaptiveMobile Security (since acquired by Enea), which found it abusing the S@T Browser applet on SIMs issued by a number of operators. Citizen Lab’s STA2 campaign used a similar technique at scale.