Uncovering Global Telecom Exploitation by Covert Surveillanc... #2166
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
Content Categories: Based on the analysis, this content was categorized under "Pentesting Network -> Telecom Network Exploitation (add subsections for SS7/Diameter roaming abuse, Diameter header spoofing/route steering, combined-attach SS7↔Diameter pivoting, and SIM/UICC hidden-SMS command tracking)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title / scope
Citizen Lab investigates two distinct covert surveillance actors ("telecom surveillance actors"), STA1 and STA2, abusing systemic weaknesses in international mobile signalling—SS7 (3G/legacy but still used for roaming/SMS/emergency) and Diameter (4G and most 5G roaming)—plus (in STA2) direct device/SIM interaction via a specially formatted SMS. This is not a single CVE; the “vulnerability” is the trust-based roaming ecosystem + incomple...
🔧 Technical Details
Cross-protocol signalling pivoting (SS7 ↔ Diameter) enabled by "combined attach": When roaming devices can register concurrently on 3G and 4G (combined attach), an attacker with signalling access can alternate SS7 and Diameter operations to bypass partial firewall coverage. Practically, this means trying SS7 queries (e.g., `sendRoutingInfoForSM` for IMSI discovery, `provideSubscriberInfo` bursts for location state, then escalating to `anyTimeInterrogation`) and, if blocked, switching to Diameter messages (e.g., `Insert-Subscriber-Data-Request`) that request location-related attributes (TAI/ECGI, RAT type, local time zone). The pivot increases success probability because operators often deploy uneven protections across SS7 vs Diameter.

SS7 surveillance injection using operator Global Titles + entry-point discovery via OPC/IR.21 mismatch: SS7 messages route by GT and traverse STPs. Because SS7 lacks strong source authenti...
🤖 Agent Actions
I’m mapping the repo first and then I’ll read the most relevant telecom, mobile, and network pages before deciding whether this belongs in an existing file or needs a new one.
There is already a dedicated telecom-network-exploitation.md, so I’m checking that first and comparing it with neighboring network and mobile pages to avoid duplicating techniques already documented elsewhere.
The existing telecom page is already the right scope. I’m now checking whether SS7, Diameter, and SIM/SMS tracking techniques are missing there versus being covered elsewhere, so the update stays in one file and avoids overlap.
I’ve confirmed the destination file and the main gap: the page covers GTP and some 5G control-plane issues, but it does not yet cover SS7/Diameter roaming abuse, cross-protocol attach pivots, or hidden SIM-command SMS tracking.
I have enough source detail now. One last pass is checking whether HackTricks already documents OTA/SIM-command SMS mechanics elsewhere, because that determines how specific I can be without creating overlap.
I’m patching the existing telecom page now. The change will stay in that single file, broaden the page scope from GTP-only roaming abuse to include SS7/Diameter signalling tradecraft, and append a compact detection-focused section plus the new reference.
Updated telecom-network-exploitation.md in place. I kept everything in that single file and added a new section covering SS7/Diameter roaming surveillance tradecraft: combined-attach SS7↔Diameter pivoting, SS7 GT abuse with OPC vs IR.21 mismatch analysis, Diameter `Origin-Host`/`Origin-Realm`/`Route-Record` route steering, signalling artefact fingerprinting (TID/`Session-Id` reuse), and hidden SIM/UICC SMS-based tracking. I also broadened the page title so the scope matches the content and appended the Citizen Lab article to `## References`. Verified with `git diff`, `sed`, and `rg` that the content landed once, the references section is still at the end, and no extra files or links were needed.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
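The detection checks that the bot's summary names (a Diameter location query arriving shortly after an SS7 probe for the same IMSI was blocked, a calling GT that the partner's IR.21 does not declare for the originating point code, a Diameter Origin-Host that is not inside its claimed Origin-Realm, and one Session-Id reused against several subscribers), run over a handful of constructed signalling log records, as an added example. This is not code from the Citizen Lab report, from HackTricks, or from the telecom page the PR edits. The normalised log schema (`ts`, `proto`, `op`, `imsi`, `opc`, `gt`, `origin_host`, `origin_realm`, `session_id`, `result`), the `IR21_OPC_TO_GT` allowlist, the sample events, the 60 s pivot window and the Origin-Host/Origin-Realm suffix heuristic (based on the 3GPP `epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org` naming convention) are all assumptions made here, not facts stated on the page.

```python
"""Toy detectors for SS7<->Diameter pivoting and signalling-artefact fingerprinting.

Added example; the log format below is a hypothetical normalised export of an STP /
Diameter Edge Agent trace, not any vendor's real schema. All records are constructed.
"""
from collections import defaultdict

# Constructed sample events (test-network MCC 001; no real subscribers or operators).
SAMPLE_EVENTS = [
    # One subscriber probed over SS7 from a partner GT: SRI-SM allowed, PSI and ATI blocked.
    {"ts": 0, "proto": "ss7", "op": "sendRoutingInfoForSM", "imsi": "001010123456789",
     "opc": "2-100-3", "gt": "4479000000", "result": "allowed"},
    {"ts": 5, "proto": "ss7", "op": "provideSubscriberInfo", "imsi": "001010123456789",
     "opc": "2-100-3", "gt": "4479000000", "result": "blocked"},
    {"ts": 9, "proto": "ss7", "op": "anyTimeInterrogation", "imsi": "001010123456789",
     "opc": "2-100-3", "gt": "4479000000", "result": "blocked"},
    # Pivot: same IMSI asked for location attributes over Diameter 20 s after the block.
    {"ts": 29, "proto": "diameter", "op": "Insert-Subscriber-Data-Request", "imsi": "001010123456789",
     "origin_host": "hss7.epc.mnc001.mcc001.3gppnetwork.org",
     "origin_realm": "epc.mnc001.mcc001.3gppnetwork.org",
     "session_id": "hss7;1711111111;42", "result": "allowed"},
    # Same Session-Id reused against a second subscriber (scripted tooling fingerprint).
    {"ts": 31, "proto": "diameter", "op": "Insert-Subscriber-Data-Request", "imsi": "001010987654321",
     "origin_host": "hss7.epc.mnc001.mcc001.3gppnetwork.org",
     "origin_realm": "epc.mnc001.mcc001.3gppnetwork.org",
     "session_id": "hss7;1711111111;42", "result": "allowed"},
    # SS7 message whose calling GT is not declared for this OPC in the partner's IR.21.
    {"ts": 40, "proto": "ss7", "op": "sendRoutingInfoForSM", "imsi": "001010555555555",
     "opc": "2-100-3", "gt": "3851110000", "result": "allowed"},
    # Diameter Origin-Host that does not sit inside its claimed Origin-Realm.
    {"ts": 50, "proto": "diameter", "op": "Update-Location-Request", "imsi": "001010555555555",
     "origin_host": "mme1.epc.mnc002.mcc001.3gppnetwork.org",
     "origin_realm": "epc.mnc001.mcc001.3gppnetwork.org",
     "session_id": "mme1;1711111200;7", "result": "allowed"},
    # Benign IDR: no preceding blocked SS7 probe for this IMSI.
    {"ts": 60, "proto": "diameter", "op": "Insert-Subscriber-Data-Request", "imsi": "001010111111111",
     "origin_host": "hss2.epc.mnc001.mcc001.3gppnetwork.org",
     "origin_realm": "epc.mnc001.mcc001.3gppnetwork.org",
     "session_id": "hss2;1711111300;1", "result": "allowed"},
]

# Hypothetical allowlist derived from IR.21 documents: OPC -> GTs the partner declared for it.
IR21_OPC_TO_GT = {"2-100-3": {"4479000000"}}

SS7_PROBE_OPS = {"sendRoutingInfoForSM", "provideSubscriberInfo", "anyTimeInterrogation"}
DIAMETER_LOCATION_OPS = {"Insert-Subscriber-Data-Request"}


def detect_pivot(events, window=60):
    """Return (imsi, blocked_ts, idr_ts, origin_host) for every Diameter location query that
    follows a blocked SS7 probe of the same IMSI within `window` seconds (assumed value)."""
    alerts = []
    last_blocked = {}  # imsi -> ts of the most recent blocked SS7 probe
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["proto"] == "ss7" and e["op"] in SS7_PROBE_OPS and e["result"] == "blocked":
            last_blocked[e["imsi"]] = e["ts"]
        elif e["proto"] == "diameter" and e["op"] in DIAMETER_LOCATION_OPS:
            t = last_blocked.get(e["imsi"])
            if t is not None and e["ts"] - t <= window:
                alerts.append((e["imsi"], t, e["ts"], e["origin_host"]))
    return alerts


def detect_opc_gt_mismatch(events, allowlist):
    """Return (ts, opc, gt) for SS7 messages whose calling GT is not declared for the OPC.
    An OPC absent from the allowlist is flagged too: an undocumented entry point is itself a finding."""
    return [(e["ts"], e["opc"], e["gt"]) for e in events
            if e["proto"] == "ss7" and e["gt"] not in allowlist.get(e["opc"], set())]


def detect_session_reuse(events):
    """Return {session_id: [imsi, ...]} for Diameter Session-Ids seen against more than one IMSI."""
    seen = defaultdict(set)
    for e in events:
        if e["proto"] == "diameter":
            seen[e["session_id"]].add(e["imsi"])
    return {sid: sorted(imsis) for sid, imsis in seen.items() if len(imsis) > 1}


def detect_origin_inconsistency(events):
    """Return (ts, origin_host, origin_realm) where the host is not an FQDN under its realm.
    Heuristic only: an IPX that legitimately rewrites these AVPs will produce false positives."""
    return [(e["ts"], e["origin_host"], e["origin_realm"]) for e in events
            if e["proto"] == "diameter" and not e["origin_host"].endswith("." + e["origin_realm"])]


if __name__ == "__main__":
    print("pivot:", detect_pivot(SAMPLE_EVENTS))
    print("opc/gt mismatch:", detect_opc_gt_mismatch(SAMPLE_EVENTS, IR21_OPC_TO_GT))
    print("session reuse:", detect_session_reuse(SAMPLE_EVENTS))
    print("origin inconsistency:", detect_origin_inconsistency(SAMPLE_EVENTS))
```

Each check is deliberately independent so that partial firewall coverage on one protocol does not blind the other: the pivot detector only needs the blocked/allowed verdicts that an SS7 firewall and a DEA already emit, keyed by IMSI, and the remaining three work on single records. In a real deployment the `window`, the allowlist and the realm heuristic must be tuned per roaming partner, and the page gives no such values.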