Full Report
Senior research fellow Gary Miller spoke to Financial Times about attempts to exploit mobile network vulnerabilities to track US personnel during the Iran war. The post US Military Smartphones Targeted Through Roaming and Ad Tech appeared first on The Citizen Lab.
Analysis Summary
# Incident Report: Surveillance Targeting US Military via Mobile Network Vulnerabilities
## Executive Summary
State-sponsored Iranian actors exploited long-standing vulnerabilities in global mobile roaming protocols (SS7) and advertising technology to track the real-time locations of US military personnel. The campaign provided continuous, high-precision geo-location data of specific high-value targets during periods of active regional conflict.
## Incident Details
- **Discovery Date:** July 2026 (Public disclosure/Reporting date)
- **Incident Date:** Ongoing; highlighted during the Iran-US conflict period
- **Affected Organization:** United States Department of Defense (Personnel)
- **Sector:** Government / Defense
- **Geography:** Middle East / Iran
## Timeline of Events
### Initial Access
- **Date/Time:** Circa 2024-2026 (Continuous exploitation)
- **Vector:** Exploitation of Signaling System No. 7 (SS7) and Advertising Intelligence (Ad Tech).
- **Details:** Attackers leveraged the inherent lack of authentication in the SS7 protocol, which manages how cellular networks route calls and data across international borders (roaming).
### Lateral Movement
- **Details:** Not applicable in a traditional network sense; instead, the attackers "moved" across global telecommunications provider boundaries by sending malicious signaling queries to request location data for specific IMSI/MSISDN numbers.
### Data Exfiltration/Impact
- **Details:** Real-time, continuous location data was exfiltrated. This allowed for the mapping of troop movements, identification of covert facilities, and potential targeting of individuals.
### Detection & Response
- **How it was discovered:** Analysis by senior research fellows (Gary Miller) and forensic observation of signaling traffic linked to Iranian mobile operators.
- **Response actions taken:** Intelligence reporting to the *Financial Times* and Citizen Lab to raise public and policy awareness of roaming vulnerabilities.
## Attack Methodology
- **Initial Access:** Exploitation of legacy telecommunications protocols (SS7/Diameter) and the purchase of "Ad Tech" metadata.
- **Persistence:** Continuous polling of home location registers (HLR) through Iranian-controlled mobile operators.
- **Privilege Escalation:** Not applicable; exploit relies on the "trusted" nature of global roaming interconnects.
- **Defense Evasion:** Location queries disguised as legitimate "Provide Subscriber Information" (PSI) requests used for standard roaming services.
- **Discovery:** Passive and active reconnaissance of US personnel mobile identifiers (phone numbers/IMSI).
- **Collection:** Gathering of GPS coordinates or cell-tower triangulation data.
- **Exfiltration:** Location data transmitted back to Iranian state-linked operators via standard signaling responses.
- **Impact:** High-precision physical tracking of military personnel in active conflict zones.
## Impact Assessment
- **Financial:** Undisclosed; involves significant investment in signaling firewalls and secure comms.
- **Data Breach:** High-sensitivity PII (Personal Identifiable Information) and real-time physical location data.
- **Operational:** Significant compromise to operational security (OPSEC); movement of sensitive assets became visible to adversaries.
- **Reputational:** High; demonstrates vulnerability of standard-issue or personal commercial devices in military contexts.
## Indicators of Compromise
- **Network Indicators:** Unusual volumes of `AnyTimeInterrogation` (ATI) or `ProvideSubscriberInfo` (PSI) requests originating from Iranian-linked Global Titles (GTs).
- **Behavioral Indicators:** Rapid battery drain on target devices caused by frequent "silent" location polling.
## Response Actions
- **Containment:** Implementation of SS7 firewalls by Tier-1 carriers to block unauthorized location queries.
- **Eradication:** Identification and blacklisting of specific Iranian mobile operator nodes known to be sourcing tracking attempts.
- **Recovery:** Advising personnel on the use of secure communication apps and hardware-based location obfuscation.
## Lessons Learned
- **Protocol Obsolescence:** Legacy protocols like SS7 remain a "backdoor" into modern smartphones because they prioritize connectivity over security.
- **Commercial Data Risk:** The "Ad Tech" ecosystem provides an inexpensive way for foreign intelligence services to bolster their traditional signals intelligence (SIGINT).
- **Device Discipline:** Commercial smartphones are inherently insecure tracking beacons when brought into contested environments.
## Recommendations
- **Hardware:** Deploy managed mobile devices with hardened basebands or use "Go-Kits" that bypass cellular roaming.
- **Policy:** Enforce strict "no-phone" zones or the use of Faraday bags for personnel in high-risk geographies.
- **Infrastructure:** Pressure international telecom bodies to accelerate the transition to secure 5G cores and mandate the use of Signaling Firewalls that inspect the intent of roaming queries.