Vulnerabilities in Cellphone Roaming Let Spies and Criminals Track You Across the Globe

By focusing on the potential dangers of Chinese spy tech, we’ve ignored how roaming itself creates massive vulnerabilities, a new Citizen Lab report says.

A cellphone tower antenna is seen in Munich, Germany, on Feb. 12, 2018. Photo: Lino Mirgeler/Picture Alliance via Getty Images

The very obscure, archaic technologies that make cellphone roaming possible also make it possible to track phone owners across the world, according to a new investigation by the University of Toronto’s Citizen Lab. The roaming tech is riddled with security oversights that make it a ripe target for those who might want to trace the locations of phone users.

As the report explains, the flexibility that made cellphones so popular in the first place is largely to blame for their near-inescapable vulnerability to unwanted location tracking: When you move away from a cellular tower owned by one company to one owned by another, your connection is handed off seamlessly, preventing any interruption to your phone call or streaming video. To accomplish this handoff, the cellular networks involved need to relay messages about who — and, crucially, precisely where — you are.


While most of these network-hopping messages are sent to facilitate legitimate customer roaming, the very same system can be easily manipulated to trick a network into divulging your location to governments, fraudsters, or private sector snoops.

“Foreign intelligence and security services, as well as private intelligence firms, often attempt to obtain location information, as do domestic state actors such as law enforcement,” states the report from Citizen Lab, which researches the internet and tech from the Munk School of Global Affairs and Public Policy at the University of Toronto. “Notably, the methods available to law enforcement and intelligence services are similar to those used by the unlawful actors and enable them to obtain individuals’ geolocation information with high degrees of secrecy.”

The sheer complexity required to allow phones to easily hop from one network to another creates a host of opportunities for intelligence snoops and hackers to poke around for weak spots, Citizen Lab says. Today, there are simply so many companies involved in the cellular ecosystem that opportunities abound for bad actors.

Citizen Lab highlights the IP Exchange, or IPX, a network that helps cellular companies swap data about their customers. “The IPX is used by over 750 mobile networks spanning 195 countries around the world,” the report explains. “There are a variety of companies with connections to the IPX which may be willing to be explicitly complicit with, or turn a blind eye to, surveillance actors taking advantage of networking vulnerabilities and one-to-many interconnection points to facilitate geolocation tracking.”

This network, however, is even more promiscuous than those numbers suggest, as telecom companies can privately sell and resell access to the IPX — “creating further opportunities for a surveillance actor to use an IPX connection while concealing its identity through a number of leases and subleases.” All of this, of course, remains invisible and inscrutable to the person holding the phone.

Citizen Lab was able to document several efforts to exploit this system for surveillance purposes. In many cases, cellular roaming allows for turnkey spying across vast distances: In Vietnam, researchers identified a seven-month location surveillance campaign using the network of the state-owned GTel Mobile to track the movements of African cellular customers. “Given its ownership by the Ministry of Public Security the targeting was either undertaken with the Ministry’s awareness or permission, or was undertaken in spite of the telecommunications operator being owned by the state,” the report concludes.

African telecoms seem to be a particular hotbed of roaming-based location tracking. Gary Miller, a mobile security researcher with Citizen Lab who co-authored the report, told The Intercept that, so far this year, he’d tracked over 11 million geolocation attacks originating from just two telecoms in Chad and the Democratic Republic of the Congo alone.



In another case, Citizen Lab details a “likely state-sponsored activity intended to identify the mobility patterns of Saudi Arabia users who were traveling in the United States,” wherein Saudi phone owners were geolocated roughly every 11 minutes.

The exploitation of the global cellular system is, indeed, truly global: Citizen Lab cites location surveillance efforts originating in India, Iceland, Sweden, Italy, and beyond.

While the report notes a variety of factors, Citizen Lab places particular blame on the laissez-faire nature of global telecommunications, generally lax security standards, and a lack of legal and regulatory consequences.

As governments throughout the West have been preoccupied for years with the purported surveillance threats of Chinese technologies, the rest of the world appears to have comparatively avoided scrutiny. “While a great deal of attention has been spent on whether or not to include Huawei networking equipment in telecommunications networks,” the report authors add, “comparatively little has been said about ensuring non-Chinese equipment is well secured and not used to facilitate surveillance activities.”
