Israeli Telecom Infrastructure Exploited for Global Surveillance Across Ten Countries
Citizen Lab investigation reveals how mobile operator networks became platforms for mass location tracking, exposing systemic vulnerabilities in global telecommunications architecture.
Israeli telecommunications infrastructure was used to track citizens in more than ten countries over the past three years, according to an investigation published by Haaretz citing research from digital rights group Citizen Lab. The disclosure positions telecom operator networks as a primary vector for covert surveillance, exploiting signalling protocols designed for international connectivity to enable location tracking at scale.
The breach centres on 019Mobile, a privately owned Israeli mobile operator operating under the brand ‘Telzar 019.’ Network traffic analysis by Citizen Lab identified 019Mobile infrastructure as both an originating network and intermediary node for 4G surveillance attempts, with Route-Record identifiers showing the operator’s hosts as the first-hop proxy for traffic positioned to enable location tracking. The operator’s infrastructure appeared repeatedly in Diameter protocol surveillance attempts — the signalling system that manages authentication and routing across mobile networks.
“We’re not talking about a few spyware attempts. These are massive, massive amounts of unauthorized traffic and 90 plus percent of them are being generated by third parties accessing the mobile signaling environment.”
— Gary Miller, Citizen Lab Researcher
Scale and Attribution Challenges
The surveillance campaigns documented by Citizen Lab exploit SS7 and Diameter protocols — legacy systems that prioritise service availability and roaming revenue over security. Researcher Gary Miller described the traffic volume as “massive,” with over 90% generated by third parties accessing mobile signalling environments without authorisation.
Attribution remains fragmented. Citizen Lab’s technical investigation links the surveillance activity to commercial vendors operating through Israeli infrastructure, but the opaque nature of telecom signalling protocols prevents definitive identification. Analysis cited by Gblock assesses the primary vendor as likely an Israeli-based commercial geo-intelligence provider, though no single entity has been conclusively identified.
Mobile networks comprise over a thousand operators interconnected through roaming agreements. Signalling protocols like SS7 (2G/3G) and Diameter (4G/5G) manage authentication, billing, and routing across borders. These systems were designed for efficiency and interoperability, not security — any operator with legitimate network access can query location data for roaming subscribers. Commercial surveillance vendors exploit this design by establishing presence within operator infrastructure, issuing queries that appear routine but serve tracking purposes.
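Diameter relays and proxies append a Route-Record AVP as they forward a request, so the ordered list records the path a message took; this is the kind of identifier the analysis above relies on. The following is an added example for operators auditing inbound signalling, not code from Citizen Lab or the original article: it parses Origin-Host (264), Origin-Realm (296) and Route-Record (282) per RFC 6733 and lists path identities outside a roaming-partner allow-list. The host names, realms and allow-list are constructed sample values, and the allow-list policy itself is an assumption.

```python
import struct
ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM = 264, 282, 296  # RFC 6733 AVP codes

def build_avp(code, identity):
    """Encode a DiameterIdentity AVP (M flag, no Vendor-ID), padded to 4 bytes."""
    data = identity.encode("ascii")
    length = 8 + len(data)  # AVP Length covers header and data, not padding
    return (struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def build_request(command, app_id, avps):
    """Encode a Diameter request: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x80"
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1) + body)

def parse_path(msg):
    """Return (origin_host, origin_realm, route_records in wire order)."""
    end = int.from_bytes(msg[1:4], "big") if len(msg) >= 20 else 0
    if msg[:1] != b"\x01" or not 20 <= end <= len(msg):
        raise ValueError("not a well-formed Diameter message")
    found, route, pos = {}, [], 20
    while pos + 8 <= end:
        code, flags = struct.unpack_from("!IB", msg, pos)
        length = int.from_bytes(msg[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > end:
            raise ValueError("malformed AVP")
        if not flags & 0x80:  # skip vendor-specific AVPs (V flag set)
            value = msg[pos + 8:pos + length].decode("ascii", "replace")
            if code == ROUTE_RECORD:
                route.append(value)
            elif code in (ORIGIN_HOST, ORIGIN_REALM):
                found[code] = value
        pos += length + (-length % 4)  # next AVP starts on a 4-byte boundary
    return found.get(ORIGIN_HOST), found.get(ORIGIN_REALM), route

def unexpected_hops(msg, partner_realms):
    """Identities on the signalling path that fall outside the allow-listed realms."""
    host, realm, route = parse_path(msg)
    return [n for n in (host, realm, *route)
            if n and not any(n == r or n.endswith("." + r) for r in partner_realms)]

PARTNERS = {"epc.mnc001.mcc001.3gppnetwork.org"}  # constructed allow-list
SAMPLE = build_request(316, 16777251, [  # constructed S6a request
    build_avp(ORIGIN_HOST, "mme1.epc.mnc001.mcc001.3gppnetwork.org"),
    build_avp(ORIGIN_REALM, "epc.mnc001.mcc001.3gppnetwork.org"),
    build_avp(ROUTE_RECORD, "dra1.epc.mnc099.mcc999.3gppnetwork.org"),
    build_avp(ROUTE_RECORD, "dea1.epc.mnc001.mcc001.3gppnetwork.org"),
])
```

Calling `unexpected_hops(SAMPLE, PARTNERS)` reports the one relay whose realm is not an agreed partner, even though the origin identities look legitimate.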
Institutional Precedent and State Oversight Gaps
The Citizen Lab findings emerge against a backdrop of established Israeli institutional surveillance capabilities. In January 2026, a state comptroller report found that Israel Police had used intrusive technology for years, hacking private devices and extracting information unlawfully, according to Haaretz. That disclosure preceded a September 2025 Amnesty International report revealing that Unit 8200, Israel’s military intelligence division, had operated a surveillance system on Azure Cloud that collected and analysed millions of civilian phone calls from Gaza and the West Bank.
Israel maintains the highest per-capita concentration of surveillance companies globally, with Privacy International identifying 27 firms — at least eight founded or led by Unit 8200 veterans. The telecom infrastructure exploitation documented by Citizen Lab represents a structural evolution: rather than deploying malware to individual devices, vendors now leverage operator networks themselves as surveillance platforms.
Architectural Vulnerabilities as Design Features
The vulnerabilities are not software bugs or misconfigurations. They are inherent to global telecommunications architecture. Mobile ecosystems comprising over a thousand operators interconnected through roaming agreements prioritise efficiency, service availability, and revenue opportunity over security, according to Citizen Lab’s technical assessment. An operator in one jurisdiction can query subscriber location data from another through legitimate signalling channels — the same pathways exploited for surveillance.
Citizen Lab researchers Gary Miller and Swantje Lange concluded that operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate. Despite repeated public reporting, the activity continues unabated and without consequence.
- Telecom infrastructure now functions as a third surveillance vector alongside signals intelligence and device-level malware
- Commercial vendors operate within legitimate network architecture, complicating attribution and enforcement
- International regulatory frameworks lack mechanisms to audit or restrict cross-border signalling traffic
- Operator business models incentivise interconnection and roaming revenue over security hardening
Regulatory Vacuum and Attribution Opacity
The Citizen Lab disclosure highlights a regulatory gap: telecom signalling traffic crosses borders continuously, but no international framework governs how operators audit, restrict, or attribute queries within their networks. National regulators oversee spectrum allocation and consumer protection but lack visibility into signalling-layer surveillance. The result is an enforcement vacuum where commercial vendors operate through shell companies and intermediary infrastructure, issuing queries that blend with legitimate roaming traffic.
Ron Deibert, director of Citizen Lab, noted that known surveillance vendors and bad actors operate in this space, but the opaque nature of telecommunications signalling protocols allows them to function without revealing their true identity. The 019Mobile case demonstrates how a single operator can serve as an entry point and transit hub for surveillance traffic targeting multiple jurisdictions, with limited accountability or oversight.
What to Watch
The investigation creates pressure for telecom operators to implement signalling traffic monitoring and anomaly detection, though business incentives favour interoperability over security restrictions. GSMA, the industry body representing mobile operators, has published security guidelines for SS7 and Diameter protocols since 2016, but adoption remains voluntary and inconsistent across the thousand-plus global operators. Regulatory response will likely focus on mandating traffic audits and query authentication, though enforcement mechanisms remain unclear for cross-border signalling.
The Israeli government faces questions over whether it sanctioned or tolerated the use of domestic telecom infrastructure for international surveillance operations. The precedent of Unit 8200’s cloud-based surveillance and the state comptroller’s findings on police spyware abuse suggest institutional oversight failures extend beyond individual agencies. Whether Israel implements restrictions on commercial surveillance firms using domestic operator networks as platforms — or defends such activity as aligned with national security interests — will signal its position on the emerging regulatory debate over infrastructure-enabled mass surveillance.