Hackers can use the technology that enables mobile phone roaming to pinpoint user locations and track people around the world, a new report from the University of Toronto Citizen Lab has claimed.
The researchers argue that the underlying technology is so riddled with holes that it practically invites malicious actors to exploit it, which could be either illegal organizations or nation states.
“Foreign intelligence and security services, as well as private intelligence companies, often seek to obtain location information, as do domestic state actors such as law enforcement agencies,” the paper said. “Notably, the methods available to law enforcement and intelligence agencies are similar to those used by the illegitimate actors and allow them to obtain the geolocation information of individuals with a high degree of secrecy.”
IP exchange
The vulnerability that Citizen Lab researchers highlighted is in the IP Exchange (IPX), a network that helps telecom companies exchange data about their customers. According to the report, more than 750 mobile networks in nearly 200 countries around the world use it. Furthermore, the companies can sell (and resell) access to the IPX, meaning the total number of users is likely much, much larger.
None of this is visible to the end user.
This is not purely theoretical either. Citizen Lab has found multiple examples of how the network has been abused, from Vietnam to the African continent. One specific case describes “likely state-sponsored activity” that was used to identify behavioral patterns of users in Saudi Arabia traveling to the United States.
The researchers did not blame any single company or country, but rather said this is the fault of the entire telecommunications industry, which does not have proper security standards, and of lawmakers, as there is an acute lack of legal or regulatory consequences .