China reportedly spying on 'tens of thousands' of Americans via cellphones

A man wearing a hoodie looks at a smartphone against a backdrop of a Chinese flag overlaid with 'Matrix'-like streams of digits.
(Image credit: Jakub Krechowicz/Shutterstock)

China has been using telephone companies in the Bahamas and Barbados to spy on "tens of thousands" of American citizens, a mobile-phone security expert told Britain's Guardian newspaper.

"The attacks qualify as mass surveillance, which is primarily for intelligence collection and not necessarily targeting high-profile targets," said Gary Miller, founder of Exigent Media, a Seattle-area media-production company specializing in cybersecurity issues. "These occur primarily while people are [traveling] abroad."

The Guardian article does not get into technical details, but a two-part report entitled "Far from Home" posted on the Exigent Media website makes clear that Miller is talking about abuses of the Signaling System 7 (SS7) telephone-signaling network and its successor, the Diameter signaling protocol. 

The report details "a comprehensive vision into foreign surveillance attacks and cyber espionage threat activity against U.S. mobile phones."

"No one in the [telecommunications] industry wants the public to know the severity of ongoing surveillance attacks," Miller, who spent a decade in the mobile-security industry, told the Guardian. "I want the public to know about it."

Exploiting SS7 to spy on users 

The SS7 system allows landlines and mobile phones anywhere in the world to find, dial and send text messages to each other by creating a shared interface among the hundreds of independent phone companies worldwide.

Because calls placed to mobile phones need to geographically locate the phones before establishing a voice connection, SS7 can be used to find mobile-phone owners and track their movements. 

SS7 can also be abused to silently forward calls and text messages to other numbers without the intended recipient's knowledge, making it a powerful if unintentional surveillance tool.

Access to SS7 is supposed to be strictly controlled, but many state-owned telecoms must comply with the demands of authoritarian governments, and some telecoms in small or poor countries may be tricked or cajoled into providing access to third parties.

"Mobile networks transport millions of attack messages on a monthly basis," Part 1 of Exigent's Far from Home report, covering 2018 and 2019, says. "Massive volumes of cyber espionage activity have occurred for years and continues to this day."

We'd normally tell you how to protect yourself from this kind of attack, but the fact is that SS7, Diameter and similar protocols are built right into the telephone network itself. They're what makes calls between people using different phone carriers possible.

The only way to avoid being tracked via your mobile phone is to turn it off and take out the battery. If you can't remove the battery, then put it in a Faraday bag or, as in the 1998 movie "Enemy of the State," an empty metal-foil potato-chip bag. (Russian information-security firm Kaspersky says the two-bag method works best.)

The Caribbean connection

The Exigent report says that while many countries, including many U.S. allies, and even some organized-crime groups, use SS7 to passively track individuals, Chinese attackers are actively manipulating the SS7 communications on the mobile phones of Americans traveling outside the U.S. to better harvest calls and text messages.

Miller said most of the active SS7 surveillance he observed in 2018 — 85%, according to the Far from Home report — was facilitated through China Unicom, one of three state-owned telephone service providers in mainland China. 

But he told the Guardian that in 2019, a much larger share of Chinese SS7 activity was made possible via two telephone companies in the Americas: Cable & Wireless on the Caribbean island of Barbados, operating under the brand name Flow, and the Bahamas Telecommunications Company (BTC), a joint venture between Cable & Wireless and the Bahamian government.

Cable & Wireless is an American-owned British company with operations in Miami. Contacted by Tom's Guide, a Cable & Wireless spokesperson provided the following statement.

"Across all the markets where Cable & Wireless Communications and Flow operate, including The Bahamas, we continuously monitor our networks and have robust security policies and protocols in place to protect the data of our customers. We take our commitment to data protection seriously and are carefully reviewing the information in the Guardian article."

Telecoms in the English-speaking Caribbean and the Bahamas are part of the same phone-numbering and dialing system as phone companies in the U.S. and Canada, making them useful to foreign spies targeting the U.S. 

Americans calling people in the English-speaking Caribbean, and vice versa, do not need to prefix calls with the "011" international-call prefix. They instead can dial the numbers like any other number in the U.S. or Canada.

Telecoms may not know they're being abused

The Exigent report implies that telecoms such as Cable & Wireless and the Bahamas Telecommunications Company may not be aware of possible abuse of their networks by foreign entities.

"In remote island countries and developing nations, it is common for the network operator in those countries to sell the use of its network by leasing a network address called an SS7 Global Title (GT)," the report says. 

"Through the use of a network connection and a foreign operator's GT address, the threat actor can access any network to which that operator has a roaming agreement."
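As an added illustration (not code from the Exigent report or from any operator named here), this shows how a home network's interconnect monitoring could apply the two signals the article describes: a location or registration query arriving from a Global Title that no roaming agreement covers (the leased-GT case), and a partner network asking about a subscriber who is not actually roaming there. All GT prefixes, partner names, IMSIs and log records are constructed.

```python
from collections import Counter

# Constructed roaming-agreement table: GT prefix -> partner (hypothetical names).
ROAMING_PARTNERS = {"1246": "partner-BB", "1242": "partner-BS", "44": "partner-UK"}
# MAP operations that expose a subscriber's location or redirect their traffic.
WATCH_OPS = {"provideSubscriberInfo", "sendRoutingInfo", "anyTimeInterrogation", "updateLocation"}
# Constructed VLR state: IMSI -> GT prefix of the network the subscriber is registered
# in (None = at home, so no foreign GT has a legitimate reason to query it).
CURRENT_VLR = {"310150000000001": "1246", "310150000000002": None}

def partner_for(gt):
    """Name of the roaming partner owning this GT, or None if no agreement covers it."""
    for prefix, name in ROAMING_PARTNERS.items():
        if gt.startswith(prefix):
            return name
    return None

def classify(rec):
    """Alert reasons for one inbound MAP record; an empty list means allow."""
    reasons = []
    if partner_for(rec["calling_gt"]) is None:
        reasons.append("no-roaming-agreement")  # unknown or leased GT
    if rec["op"] in WATCH_OPS:
        vlr = CURRENT_VLR.get(rec["imsi"])
        if vlr is None or not rec["calling_gt"].startswith(vlr):
            reasons.append("subscriber-not-roaming-there")  # partner has no reason to ask
    return reasons

def scan(records, burst_threshold=2):
    """Classify records; also list source GTs sending more than burst_threshold watch-list ops."""
    alerts, per_gt = [], Counter()
    for rec in records:
        if rec["op"] in WATCH_OPS:
            per_gt[rec["calling_gt"]] += 1
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["calling_gt"], rec["imsi"], reasons))
    return alerts, [gt for gt, n in per_gt.items() if n > burst_threshold]

# Constructed sample interconnect log: one legitimate partner registration, a partner
# query about a subscriber who is at home, and a burst of queries from an unknown GT.
SAMPLE = [
    {"op": "updateLocation", "calling_gt": "12465550100", "imsi": "310150000000001"},
    {"op": "provideSubscriberInfo", "calling_gt": "12425550100", "imsi": "310150000000002"},
    {"op": "sendRoutingInfo", "calling_gt": "99955500001", "imsi": "310150000000001"},
    {"op": "sendRoutingInfo", "calling_gt": "99955500001", "imsi": "310150000000002"},
    {"op": "anyTimeInterrogation", "calling_gt": "99955500001", "imsi": "310150000000001"},
]
ALERTS, BURSTY_GTS = scan(SAMPLE)
```

Real deployments would key the roaming table on full GT ranges rather than short prefixes and take the VLR state from the HLR/HSS; the check itself is the same.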

A separate Guardian story published the day after its report on Miller's findings detailed how a telecom on Guernsey, one of the British Channel Islands, had been abused by an Israeli private-intelligence firm to gain access to the SS7 network for purposes of surveillance. 

The Channel Islands are tiny quasi-independent islands off the northern coast of France that fall under the jurisdiction of the British monarch but are not part of the United Kingdom.

Exigent's report also details abuse of the SS7 and Diameter systems involving telecom operators in Mexico, Canada, Russia, the European Union, the Palestinian territories, Switzerland, Hong Kong and several African countries, as well as in other islands and territories in the English-speaking Caribbean. 

"The implications associated with active mobile network surveillance threats in 2020 should be seen as a troubling sign for U.S. mobile network operators and U.S. policymakers in the future," concludes Part 2 of Exigent's Far from Home report. 

"While vulnerabilities are very well known within the mobile operator industry and among U.S. policymakers, there has been little action to restrict foreign surveillance activity."

Paul Wagenseil