Citizen Lab’s 192nd report, published April 23, 2026, identifies three telecom carriers (019Mobile, Sure/Airtel Jersey, and Tango Networks UK) as recurring entry-and-transit points for two distinct surveillance campaigns. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) The structural finding is more consequential than the carrier names: even when a target’s home network runs Diameter with 3GPP protections in place, the roaming architecture allows transit carriers to force a fallback to SS7, collapsing the security assumptions of anyone who believed upgrading to 4G/5G had closed the signaling exposure. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)
Two Campaigns, Three Carriers
The report, authored by Gary Miller and Swantje Lange, documents two surveillance-vendor campaigns the researchers designate STA1 and STA2. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors)
STA1 targeted a “VVIP” subscriber (a well-known company executive at a Middle East operator) on November 25, 2024. The attack used coordinated SS7/Diameter protocol switching across 11 spoofed operator identities spread across 9 countries. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) The breadth of that identity spoofing is not incidental; it reflects deliberate operational tradecraft to obscure the signaling origin.
STA2 is technically distinct. It combined SIMjacker (a zero-click SMS exploit that invokes the S@T browser running on the target’s SIM card) with malformed Diameter Authentication-Information-Request probes carrying a Visited-PLMN Id value of 0000. That attack routed through Jersey Airtel infrastructure in February 2025. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors)
What connects the two campaigns is the set of transit carriers through which attack traffic consistently passed.
How the Combined Attach Procedure Breaks the ‘Diameter Is Safer’ Assumption
The combined attach procedure is the mechanism defenders need to understand. When a roaming device registers simultaneously on 3G and 4G networks, it carries dual registration state. An attacker who hits a Diameter check on the 4G path and finds it blocked does not need to give up; they pivot to the SS7 path through the same transit carrier. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors)
This is not a theoretical edge case. Citizen Lab observed STA1 executing exactly that pivot: Diameter probes first, SS7 fallback when Diameter rejected the query. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) The home network’s Diameter deployment was operational. The 3GPP protections were present. They failed to stop the attack because the roaming topology gave the attacker an alternate path.
The implication for carriers presenting Diameter deployments to regulators as evidence of SS7 remediation: the attestation needs to cover what the roaming partner can do, not just what the home network blocks at its own edge.
The Three Entry-and-Transit Points
019Mobile is an Israeli MVNO operating under the Telzar 019 brand, and is the sole supplier of inbound and outbound roaming at Israel’s international airport, a detail that places it on the path of high-value travelers. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) The carrier’s response was not a flat denial but a non-confirmation: it told reporters it “cannot confirm” that the infrastructure Citizen Lab identified belongs to it. [Updated June 2026] (Surveillance vendors caught abusing access to telcos to track people’s phone locations, researchers say) A non-confirmation is a weaker rebuttal than a denial, and worth noting as a data point for how regulatory follow-up is likely to proceed.
Airtel Jersey/Sure operates in the Channel Islands and is part of the Beyon Group, which is Bahrain state-controlled. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) The STA2 SIMjacker campaign routed through Jersey Airtel infrastructure in February 2025. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) Sure CEO Alistair Beak said the company “does not lease access to signalling directly or knowingly to organisations for the purposes of locating or tracking individuals” and that it monitors and blocks inappropriate signaling. [Updated June 2026] (Surveillance vendors caught abusing access to telcos to track people’s phone locations, researchers say) The qualifier “knowingly” is load-bearing: it concedes that leased-out signaling access can be abused without the host carrier’s awareness, which is the entire GT-leasing problem stated as a defense.
Tango Networks UK is a UK subsidiary of Texas-based Tango Networks Inc. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)
All three appear as recurring nodes in the surveillance traffic graph: consistent access infrastructure across campaigns with different tooling and different targets, not one-time anomalies.
The carrier-level view, however, is not where the full attack surface sits. Below the carrier sits the Global Title (GT) leasing layer.
GT Leasing Governance Is the Unpatched Hole
A Swedish MVNE called Telenabler AB leased GT 467647531812. That single GT generated over 1,700 privacy attacks between October 2023 and April 2025, with more than 92% of its traffic attributable to location tracking. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)
GT leasing (the practice of mobile network enablers subletting Global Title addresses to third parties) is the mechanism that gives surveillance vendors a signaling identity without owning or operating a real network. It is also the mechanism that is essentially ungoverned at the international level.
The GSMA published a Code of Conduct for GT Leasing. Two years after publication, it has drawn no signatories of consequence. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) The UK implemented GT restrictions that have not been replicated in other jurisdictions. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide) That leaves the interconnect graph with a self-governance structure that has produced no measurable compliance.
Telenabler AB’s GT generated its traffic over an 18-month window, across thousands of queries, before the Citizen Lab report named it. The volume argues against the possibility that this traffic was overlooked by accident.
What the FCC Asked For, and What Carriers Actually Need to Do
The FCC’s Public Safety and Homeland Security Bureau issued DA-24-308 in March 2024, requesting comment on how communications service providers were implementing security countermeasures against SS7 and Diameter vulnerabilities; comments were due April 26, 2024. (Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors) What the proceeding produced in terms of enforceable requirements is not yet established from the brief’s sources.
What the Citizen Lab report implies for that regulatory question is fairly specific. Protocol upgrades (moving from SS7 to Diameter) are insufficient on their own when the roaming architecture preserves SS7 fallback. The two controls that would have materially affected the campaigns documented in “Bad Connection” are:
Signaling firewalls at the interconnect boundary, capable of detecting and blocking anomalous location queries regardless of which protocol layer they arrive on. A signaling firewall that only inspects Diameter while passing SS7 does not close the combined-attach path.
Inter-carrier attestation for GT identity. When a query arrives from a leased GT, the receiving carrier currently has limited ability to verify that the originating entity is who the GT implies. A credentialed attestation layer (analogous in concept to STIR/SHAKEN for caller ID, though the implementation would differ significantly) would raise the cost of using leased GTs as surveillance infrastructure.
Neither of these is a protocol upgrade. Both require coordination across carriers and across regulatory jurisdictions, which is precisely why the GSMA’s self-governance attempt has attracted no signatories of consequence.
What This Means for 5G and Future Roaming Architecture
The 5G SA (standalone) architecture uses HTTP/2-based signaling (N32 interface) and eliminates the SS7 layer for network-to-network interconnect. For networks that have completed full SA deployment, the combined-attach fallback path does not exist in the same form.
The problem is the migration timeline. NSA (non-standalone) 5G, which uses LTE as the control plane anchor, preserves the 4G/3G dual-registration model and with it the Diameter/SS7 pivot path. NSA deployments represent the current state of most 5G commercial rollouts as of early 2026. A network operator that has deployed NSA 5G and bills this as a security improvement over pure LTE is making a claim that the combined-attach analysis does not support.
For carriers receiving regulatory pressure in the wake of FCC DA-24-308 and the “Bad Connection” report, the honest answer to “what does your SS7 remediation look like” requires disclosing not just their own signaling architecture but their roaming partners’ GT leasing practices and their own signaling firewall coverage across all protocol layers. The Citizen Lab report shows that the answer confined to the home network’s own stack is an incomplete answer.
019Mobile’s denial of the findings means the named carriers will not self-correct based on the report. The governance gap at the GT leasing layer means the interconnect graph will not self-correct either. That leaves signaling firewalls deployed at carrier edges and regulatory action on GT leasing as the remaining levers. The GSMA’s two-year-old Code of Conduct with no signatories of consequence is the benchmark for how quickly the industry moves when the lever is voluntary. (New Investigation Finds Israel, UK and Jersey Telcos Enable Spying on Phones Worldwide)
Frequently Asked Questions
Does SIMjacker still work on phones with modern SIM cards, or is it limited to older hardware?
SIMjacker exploits the S@T Browser application, which is present on SIM cards issued by carriers that chose to include it, the vulnerability is a SIM provisioning decision, not a handset one. Modern flagship phones are irrelevant to the attack vector: the S@T Browser runs on the SIM’s own processor. Carriers that have never provisioned S@T Browser on issued SIMs are not exposed; those that have legacy SIM stock in circulation remain vulnerable regardless of the subscriber’s device generation.
How does the GT leasing problem compare to the STIR/SHAKEN rollout the FCC mandated for voice caller ID?
STIR/SHAKEN required an FCC mandate and multi-year carrier deadlines before adoption rose at all, voluntary industry commitments produced negligible uptake beforehand. The GSMA GT leasing Code of Conduct mirrors the pre-mandate state: published, technically sound, and two years in with no signatories of consequence. The structural difference is jurisdictional: STIR/SHAKEN applied to US carriers under FCC authority, while GT addresses are allocated internationally, meaning no single regulator can impose a compliance deadline on the full leasing ecosystem the way the FCC could for US VoIP attestation.
What would a carrier need to budget or change operationally to deploy a signaling firewall that covers both SS7 and Diameter simultaneously?
A dual-protocol signaling firewall requires a dedicated SS7/Diameter security gateway (typically a separate hardware or virtualized appliance from vendors such as Mobileum, Cellusys, or P1 Security) with real-time rule sets updated for known surveillance GT ranges, a subscription cost on top of the appliance. The operational burden is maintaining correlated alerting across both protocol layers, because an anomalous Diameter probe followed immediately by an SS7 location query from the same originating GT is the combined-attach pivot pattern; a single-protocol firewall that does not correlate across layers will not flag it. Carriers on NSA 5G architectures must also ensure the firewall sits at the S6a/MAP boundary, not just the Diameter edge.
Which jurisdictions outside the UK have taken any binding action on GT leasing, and what happened in those cases?
As of the Citizen Lab report’s April 2026 publication date, the UK’s GT restrictions remain the only known binding national-level action on GT leasing. No other jurisdiction in the research brief is documented as having enacted equivalent rules, and the brief explicitly states the UK restrictions ‘have not been emulated elsewhere.’ The GSMA Code of Conduct remains the only multilateral instrument and carries no enforcement mechanism, which is why the Telenabler AB GT was able to generate over 1,700 attack queries across an 18-month window without triggering a compliance response.
At what point in the 5G transition does the combined-attach fallback risk actually disappear for a given carrier?
The risk disappears only when a carrier completes full 5G Standalone (SA) deployment and retires NSA operation entirely, SA uses the N32 HTTP/2 interface for network-to-network interconnect, which has no SS7 layer to fall back to. The intermediate states (NSA 5G anchored to LTE, or any network still running a 3G UMTS layer for coverage) all preserve combined attach and with it the Diameter/SS7 pivot path. A carrier that has deployed SA cores but maintains NSA for rural coverage or roaming interoperability is still exposed on those connections, so the transition is not binary at the network level even after SA is commercially launched.
What Has Surfaced Since Publication [Added May 2026]
Two developments in the weeks following the original Citizen Lab report:
Carrier response asymmetry, with one correction. Citizen Lab sent the original disclosure letters on April 17, 2026, six days before publication, to 019Mobile, Airtel Jersey/Sure, and Tango Networks UK. Two of the three engaged. [Updated June 2026] 019Mobile issued a non-confirmation (“cannot confirm” the infrastructure is theirs), and Sure, the Airtel Jersey owner, issued a denial-with-qualifier through its CEO. Tango Networks did not respond to requests for comment. (Surveillance vendors caught abusing access to telcos to track people’s phone locations, researchers say) The pattern that matters is not silence versus statement but the shape of the statements: neither responding carrier asserted that the documented traffic did not pass through its network. They contested ownership and intent, not the existence of the signaling. In a sector where reputation is partial protection against state-action escalation, that posture favors GSMA-level governance pressure over carrier-level remediation, because nobody is claiming the underlying access does not exist.
Independent coverage echoes the technical findings. TechCrunch, The Record, TechRadar, and several security-trade outlets have covered the report. None has so far produced contradictory technical analysis; the combined-attach fallback mechanism and the GT-leasing governance gap have been treated as accurate technical claims rather than contested findings. The narrative center of gravity has shifted from “is this real?” to “what does enforcement actually look like?”, which is the productive policy question.
The regulatory next step remains unsettled. As of late June 2026, two months after publication, no new binding action has been announced. [Updated June 2026] The FCC has not issued an updated DA in response to “Bad Connection,” and no other national regulator has emulated the UK’s GT leasing restrictions. The agency’s 2026 signaling-security activity has run on a separate track (caller-ID and “silent blocking” rules for domestic voice fraud), which does not touch the cross-border GT-leasing layer where the surveillance traffic originated. This continues the pattern the original article documented: the technical findings are clear, the governance levers are voluntary, and the voluntary levers attract nobody who matters.
The Provenance Question, and Why Attribution Stops at the Edge
Citizen Lab named carriers, not the surveillance vendor. The report routes the STA1 and STA2 traffic to its likely origin through signaling analysis, and reporting on the investigation has noted evidence pointing to an Israeli company behind at least one campaign, but the actor is not formally identified. (Surveillance companies exploiting telecom systems to track location) This is the structural limit of signaling forensics. The data shows which Global Titles issued queries and which carriers passed them; it does not show who rented the GT. The leasing chain (MNO to MVNE to reseller to end customer) is contractual, not visible in the SS7/Diameter packets, and the contracts are private. That gap is why “name the vendor” is the wrong demand to make of this kind of investigation, and why governance has to attach to the leasing transaction rather than to the eventual abuser, who is several opaque hops downstream.
This is the same accountability inversion that location-data enforcement has run into elsewhere. When regulators went after the data broker selling sensitive location data, the pressure point was the entity packaging and selling the data, not the thousands of apps that collected it. GT leasing has no equivalent chokepoint yet, because the GSMA Code of Conduct that would create one has no teeth.
The Combined-Attach Mechanism, in More Detail
The article’s central claim deserves a precise restatement, because the popular coverage gets the direction inconsistent. Some reporting describes the attackers hitting SS7 first and falling back to Diameter; the Citizen Lab observation of STA1 is a coordinated switch in either direction across 11 spoofed operator identities, exploiting whichever path is unguarded. [Updated June 2026] The defensive lesson is unchanged by the ordering: a single-protocol firewall is a single-protocol firewall, and the attacker probes both planes.
The reason both planes stay reachable is the attach procedure itself. When a roaming handset registers on a visited network, a combined attach establishes state in both the MME (the 4G/Diameter control node) and the MSC/VLR (the legacy 2G/3G circuit-switched node) at once, so the subscriber can take a circuit-switched voice call while data rides LTE. That dual state is a feature for fallback voice, and it is the hole. A location query that the MME would reject under Diameter’s Visited-PLMN checks can be reissued as an SS7 MAP provideSubscriberInfo or anyTimeInterrogation against the VLR, which has no equivalent origin check unless the operator bolted one on. The malformed Visited-PLMN Id of 0000 in the STA2 traffic is the tell: it is an attempt to slip past the Diameter-side validation that is supposed to confirm the query comes from a network the subscriber is actually roaming on.
This is why “we deployed Diameter” is not a remediation claim. Diameter closed some of the SS7 trust-by-default holes on the packet-switched plane. It did nothing to the circuit-switched plane that combined attach keeps live. For a deeper read on the carrier-accountability framing the same report set off, see Groundy’s earlier piece on how Citizen Lab named three telcos as persistent entry points.
What a Subscriber Can Actually Do
Almost nothing, which is the uncomfortable part. The exposure lives in the interconnect between carriers, below any setting a handset exposes. Disabling 2G on the device (available on recent Android and iOS) removes the circuit-switched fallback path for that handset’s own traffic, but it does not stop a network-side provideSubscriberInfo query that resolves location from the VLR the subscriber is registered against. The realistic mitigations are all operator-side: a signaling firewall that inspects SS7 MAP and Diameter at the same boundary and correlates across them, category-2/category-3 filtering of inbound location queries per GSMA FS.11/FS.19 guidance, and refusing to honor anyTimeInterrogation from interconnect partners that have no business asking. High-risk individuals fall back to operational measures (secondary numbers, profiles that disable location-bearing supplementary services), which is an admission that the network layer is not going to protect them.