To know where you are right now, someone who wants to follow you does not need to send you a link, guess your password, or install anything on your phone. Your number is enough. That is what the Citizen Lab, the University of Toronto lab that studies digital surveillance, documented in a report published in April: two commercial operations locating people across at least 18 countries, for years, without ever touching the target's device.
Almost every story of a compromised phone has a culprit on your end: an app you installed, an attachment you opened, a reused password. This one has none. The flaw is not in your phone, it is in the network that connects it to every other one. And over that network you control nothing.
How a phone is located without ever touching it
When you make a call abroad, or roam on another carrier's network, your phone does not talk directly to whoever is looking for it. It talks through a signalling system that operators worldwide share to exchange messages with one another. The oldest layer is called SS7 and has been in service since the 1970s; the version for 4G is called Diameter. They were designed for a closed club of operators that trusted each other, so they barely check who is asking. SS7 in particular does not authenticate the source of messages, does not confirm whether they were altered, and does not encrypt them. A message that says "tell me where this number's phone is" gets answered, as long as it looks like it came from inside the network.
And looking like you come from inside the network can be bought. The report names real operators used as entry points: 019 Mobile in Israel, Tango Networks in the United Kingdom, Airtel on the island of Jersey, a Swedish virtual operator. From a single access point, researchers counted more than 1,700 operations, the overwhelming majority of them pure location tracking. They identified two groups: one persistent, crossing SS7 and Diameter, adding up to more than 500 incidents since November 2022; the other combining the network tricks with an attack on the SIM card itself. They called that one SIMjacker: an invisible message that never shows on screen talks to a program hidden in the SIM card and returns your position without the phone so much as lighting up.
Why it is so hard to stop
Behind this are not teenagers in a bedroom, but companies that sell surveillance to governments. Researcher Swantje Lange, co-author of the study, notes that the direct targets are usually journalists, politicians, and opposition figures, but adds that the problem is "societally relevant" to everyone. The reason is simple: the machine does not distinguish who you are. The same request that locates a journalist locates any number, including yours.
The report sums up the problem in a sentence that should unsettle anyone with a phone in their pocket. The mobile ecosystem is "over a thousand operators interconnected through roaming agreements and signalling protocols that prioritize efficiency, service availability, and revenue opportunity over security". And it is not for lack of a remedy. The defence against these attacks exists and has a name: a signalling firewall, which refuses location requests coming from outside the network. The operators' own global association, the GSMA, has for years published the rules for deploying one. Even so, by the end of 2021, only about one in four operators worldwide had one installed. The door was not left open because it is hard to close; it was left open because closing it costs money and turns no profit.
This is where it becomes genuinely dangerous, and not because of the sophistication. What sets this kind of spying apart is that it leaves almost no trace on the victim's side. There is no notification, no draining battery, no strange app to find and uninstall. The proof of the intrusion lives in the carrier's signalling logs, which you never have access to. Whoever is being followed has no way of knowing it.
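To make the signalling firewall and the carrier-side logs concrete, here is an added illustration in Python. It is not taken from the Citizen Lab report or from any operator's product: it is a simplified sketch of the source check such a firewall applies to location queries, run over a constructed signalling log. The operation names are standard MAP operations; the global titles, IMSI prefixes, log layout and the policy itself are assumptions made for the example.

```python
from collections import Counter

# Assumption: MAP operations this sketch treats as location-revealing.
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo",
                "provideSubscriberLocation"}
HOME_GT_PREFIX = "99901"          # constructed: our own network's global titles
# Constructed roaming partner: IMSI prefix (MCC+MNC, 5 digits assumed) -> its GT prefix
PARTNER_GT = {"00102": "99855"}

# Constructed log: timestamp, source global title, MAP operation, target IMSI
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 999010000001 anyTimeInterrogation 001010000000001
2024-01-01T10:00:05Z 999770000009 anyTimeInterrogation 001010000000001
2024-01-01T10:00:09Z 999770000009 provideSubscriberInfo 001010000000001
2024-01-01T10:01:00Z 998550000003 provideSubscriberInfo 001020000000042
2024-01-01T10:01:30Z 999770000009 provideSubscriberInfo 001020000000042
2024-01-01T10:02:00Z 999770000009 updateLocation 001010000000001
"""

def decide(source_gt, operation, imsi):
    """Return 'allow', 'block' or 'out-of-scope' for one signalling message."""
    if operation not in LOCATION_OPS:
        return "out-of-scope"              # not a location query; other rules apply
    if source_gt.startswith(HOME_GT_PREFIX):
        return "allow"                     # query originates inside our own network
    # An outside network may ask only about its own subscriber roaming with us.
    partner_prefix = PARTNER_GT.get(imsi[:5])
    if (operation == "provideSubscriberInfo" and partner_prefix
            and source_gt.startswith(partner_prefix)):
        return "allow"
    return "block"                         # location query from outside: refuse

def evaluate(log_text):
    """Apply the policy to every well-formed line of the log."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                       # skip malformed lines
        ts, gt, op, imsi = fields
        results.append((ts, gt, op, decide(gt, op, imsi)))
    return results

def blocked_by_source(results):
    """Count refused location queries per source, the view an analyst reviews."""
    return Counter(gt for _, gt, _, verdict in results if verdict == "block")

if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_LOG)
    for row in verdicts:
        print(*row)
    print(blocked_by_source(verdicts))
```

The per-source count is the kind of evidence the article says exists only on the operator's side: repeated refused location queries from one outside global title are visible in the signalling log and nowhere on the handset.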
What you can do, and what is out of your hands
The honest part of this story is that, against location tracking done by the network itself, there is almost nothing you can do from the phone. That is the point. Even so, two things are worth doing:
- Update and lock down the device. Keeping the system updated and, on iPhone, turning on Lockdown Mode for those at real risk, such as journalists, activists, or public figures, blocks the variant that attacks the card, the SIMjacker one. It does not block the network queries.
- For what truly must stay private, leave the network. The only sure defence against signalling-based location remains airplane mode, or leaving the phone behind.
For years we were sold the idea that the blame for being watched always lies with whoever clicks the wrong link. This report shows the opposite. Here there is no wrong click and no poisoned app: there is a phone number and a network that, after fifty years, still has not learned to ask who is on the other end.
Original source: Citizen Lab, "Bad Connection".