Tracking Over the SIM Network: An Analysis of Mechanisms
This analysis examines the distinct ways that the cellular/SIM network infrastructure itself can be used to track individuals. Each mechanism exploits a different layer of the network architecture, from core signaling protocols to the SIM card hardware to the commercial relationships between carriers and data brokers.
1. SS7 Protocol Exploitation
Signaling System No. 7 (SS7) is a set of telephony signaling protocols developed in the 1970s that underpins call routing, SMS delivery, and subscriber authentication across the global public switched telephone network [1]. SS7 was designed as a closed, trusted system between cooperating carriers. It was never built with authentication or access control between network operators [2].
The core tracking mechanism works as follows: SS7 allows any operator on the network to query another operator’s Home Location Register (HLR) and Visitor Location Register (VLR) databases to determine which cell tower a subscriber’s phone is currently connected to [3]. This was designed for legitimate roaming and billing purposes, but because the protocol lacks authentication, anyone who gains access to the SS7 network can issue these queries for any subscriber worldwide.
SS7 vulnerabilities were publicly reported as early as 2008 and demonstrated by German security researchers in 2014, who showed tracking was possible with approximately 70% success rates [1]. In 2017, the German mobile operator O2 Telefónica confirmed that SS7 vulnerabilities had been exploited to bypass two-factor authentication and drain bank accounts [1]. As recently as late 2024, Enea’s Threat Intelligence Unit detected a surveillance vendor in the Middle East exploiting a novel SS7 bypass technique that manipulated the TCAP (Transaction Capabilities Application Part) layer using obscure “extended tag encoding” to evade SS7 firewalls [4][5]. The attack could locate a subscriber to the nearest cell tower, which in dense urban areas narrows to a few hundred meters [4].
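One defensive lesson from the evasion just described is that a signaling firewall must decode tag and length octets the way a BER parser does rather than matching on raw bytes. The following is an added example written for this page, not code from Enea, any SS7 firewall vendor or the 3GPP specifications; it assumes that "extended tag encoding" means writing a low tag number in the long (high-tag-number) BER form, such as `1F 04` in place of `04`, which X.690 forbids but lenient decoders accept, and all sample bytes are constructed.

```python
"""Normalize BER (X.690) tag and length octets before a signaling filter matches on them."""
from typing import NamedTuple

class Header(NamedTuple):
    cls: str
    constructed: bool
    number: int       # tag number after normalization
    canonical: bool   # False if the tag or length used a non-minimal encoding
    header_len: int   # identifier plus length octets consumed
    length: int       # content length in octets

def decode_header(buf: bytes, pos: int = 0) -> Header:
    first = buf[pos]
    cls = ("universal", "application", "context", "private")[first >> 6]
    constructed = bool(first & 0x20)
    number, i, canonical = first & 0x1F, pos + 1, True
    if number == 0x1F:                     # high-tag-number form follows
        canonical = buf[i] != 0x80         # a leading 0x80 octet is pure padding
        number = 0
        while True:
            b, i = buf[i], i + 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        if number < 31:                    # X.690 requires the short form here
            canonical = False
    lb, i = buf[i], i + 1
    if lb < 0x80:                          # short-form length
        length = lb
    elif lb == 0x80:
        raise ValueError("indefinite length is not valid in TCAP")
    else:                                  # long-form length: n octets follow
        n = lb & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        if length < 0x80 or buf[i] == 0:   # could have been encoded shorter
            canonical = False
        i += n
    return Header(cls, constructed, number, canonical, i - pos, length)

def scan(buf: bytes) -> list:
    """Walk a flat TLV sequence; return (tag number, canonical?, content) per element."""
    out, pos = [], 0
    while pos < len(buf):
        h = decode_header(buf, pos)
        start = pos + h.header_len
        out.append((h.number, h.canonical, buf[start:start + h.length]))
        pos = start + h.length
    return out

def noncanonical_tags(buf: bytes) -> list:
    """What a firewall should alert on: elements whose encoding was not minimal."""
    return [num for num, ok, _ in scan(buf) if not ok]

def naive_is_octet_string(buf: bytes) -> bool:
    """Byte-match filter of the kind the evasion defeats: sees only the short form."""
    return buf[0] == 0x04

# Constructed samples: one OCTET STRING (tag 4) carrying three opaque bytes.
CANONICAL = bytes.fromhex("04 03 aa bb cc")
LONG_TAG = bytes.fromhex("1f 04 03 aa bb cc")       # same element, tag in long form
LONG_LENGTH = bytes.fromhex("04 81 03 aa bb cc")    # length 3 written in long form
```

The point is that `naive_is_octet_string` passes `LONG_TAG` through unrecognized, while `decode_header` reduces both encodings to tag number 4 and marks the second as non-canonical, which is the condition a firewall should reject or alert on.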
SS7 tracking is not limited to 2G/3G networks. The successor protocol for 4G networks, Diameter, inherits many of the same architectural vulnerabilities because LTE networks frequently interwork with SS7 for fallback services, and the trust model between operators persists [6]. The GSMA estimated in 2021 that 30% of mobile connections still used 2G/3G access [2], and SS7 tracking will remain viable as long as these networks operate.
The U.S. Department of Homeland Security confirmed as early as 2017 that China, Iran, Israel, and Russia had all exploited SS7 to surveil U.S. mobile subscribers [4]. The FCC began publicly addressing SS7 security in 2024, requesting information from carriers about incidents and defenses [7].
2. Cell-Site Simulators (IMSI Catchers / Stingrays)
Cell-site simulators (CSS), also known as IMSI catchers or by the Harris Corporation brand name “Stingray,” are devices that impersonate legitimate cell towers to force nearby phones to connect to them [8]. They exploit the design feature in cellular protocols whereby mobile devices connect to whichever tower presents the strongest signal.
There are two categories. Passive IMSI catchers intercept cellular transmissions from the air without transmitting, analogous to an FM radio receiver. Active cell-site simulators broadcast signals stronger than nearby legitimate towers, forcing phones to connect and reveal their IMSI (International Mobile Subscriber Identity) numbers, IMEI (device identifiers), and location [8].
Once a target phone connects, the operator can determine its precise location via signal strength measurements. If the target IMSI is known, the operator screens incoming connections against it. If the target is unknown, the simulator collects identifiers from every phone in range, then the operator cross-references this with visual surveillance to isolate a specific individual [9].
Modern CSS can also force protocol downgrades. Because 4G/LTE devices have stronger authentication, some IMSI catchers reject tracking area update requests, forcing the target phone to fall back to less-secure 2G, where encryption can be defeated and communications intercepted [10]. Harris Corporation products in this category include the StingRay, Hailstorm, ArrowHead, AmberJack, and KingFish (a hand-carried version) [8]. These devices can be mounted in vehicles, on aircraft, helicopters, and drones [11].
In the United States, CSS have been deployed by the FBI, U.S. Marshals Service, ICE, DHS, and the Secret Service, often without warrants and sometimes without disclosing their use to courts [8][12]. A 2023 Congressional Oversight Committee report found that ICE, DHS, and the Secret Service had all used CSS many times without following their own rules [8]. The EFF released an open-source detection tool called Rayhunter in 2025, which runs on an inexpensive mobile hotspot and monitors for indicators of CSS activity [13].
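A detection pass over modem events, in the spirit of the monitoring approach Rayhunter takes. This is an added example, not Rayhunter's code or its heuristics; the three indicators are simplified versions of the behaviours this section describes (an unexpected cell overpowering legitimate ones, a tracking-area-update rejection followed by a fall-back to 2G, and a request for the permanent IMSI when a temporary identity already exists), and the event fields, thresholds and capture are constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: int             # seconds since the start of the capture
    kind: str          # serving | identity_assigned | identity_request | tau_reject
    rat: str = ""      # LTE or GSM, for serving-cell events
    cell: str = ""     # cell identity as the modem reports it
    rssi: int = -120   # dBm, for serving-cell events
    detail: str = ""   # which identity was assigned or requested

STRONG_MARGIN_DB = 15    # unknown cell this much louder than the best known cell
DOWNGRADE_WINDOW_S = 60  # LTE -> GSM within this long after a TAU reject

def analyze(events, known_cells):
    """Return (time, indicator, cell) tuples for each suspicious pattern found."""
    best_known = max((e.rssi for e in events
                      if e.kind == "serving" and e.cell in known_cells), default=-120)
    alerts, last_rat, tau_reject_at, temp_id = [], None, None, False
    for e in events:
        if e.kind == "serving":
            # 1. A cell not in the expected set, overpowering every legitimate one.
            if e.cell not in known_cells and e.rssi - best_known >= STRONG_MARGIN_DB:
                alerts.append((e.t, "unknown_strong_cell", e.cell))
            # 2. LTE rejected the tracking-area update, then the phone landed on 2G.
            if (last_rat == "LTE" and e.rat == "GSM" and tau_reject_at is not None
                    and e.t - tau_reject_at <= DOWNGRADE_WINDOW_S):
                alerts.append((e.t, "downgrade_after_tau_reject", e.cell))
            last_rat = e.rat
        elif e.kind == "tau_reject":
            tau_reject_at = e.t
        elif e.kind == "identity_assigned":
            temp_id = True
        # 3. The network asks for the permanent IMSI although a temporary id exists.
        elif e.kind == "identity_request" and e.detail == "IMSI" and temp_id:
            alerts.append((e.t, "imsi_requested_despite_temp_id", e.cell))
    return alerts

# Constructed capture: a legitimate LTE cell, then an unknown cell that is far
# louder, asks for the IMSI, rejects the update, and is followed by a 2G cell.
KNOWN_CELLS = {"A1", "A2"}
SAMPLE_EVENTS = [
    Event(0, "serving", "LTE", "A1", -85),
    Event(1, "identity_assigned", detail="GUTI"),
    Event(30, "serving", "LTE", "X9", -55),
    Event(31, "identity_request", cell="X9", detail="IMSI"),
    Event(32, "tau_reject", cell="X9"),
    Event(40, "serving", "GSM", "X9g", -75),
]
```

Each indicator on its own has benign explanations (a new macro cell, a genuine coverage hole), so a real tool scores them together and over time rather than alerting on any single one.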
The international dimension is significant. Between February 2015 and April 2016, over 12 companies in the UK were authorized to export IMSI catcher devices to Saudi Arabia, the UAE, and Turkey [11]. CSS have been documented in use in Canada, Ireland, and numerous other countries [11].
3. Cell Tower Triangulation and Cell-Site Location Information (CSLI)
Whenever a phone is powered on, it connects to nearby cell towers and generates time-stamped cell-site location information (CSLI) that carriers store for billing and network management purposes [14]. This happens continuously, whether or not the user is making a call, and constitutes a persistent location record.
Carriers can locate a phone using several methods: single-tower identification (placing the phone within the tower’s coverage area, which ranges from a few blocks in urban areas to over 20 square miles rurally); triangulation using signal strength from multiple towers; and GPS-assisted pinging, which can locate a phone to within 5-10 feet [15].
CSLI comes in two forms. Historical CSLI reconstructs past movements from stored records. Prospective (real-time) CSLI tracks current location, sometimes by “pinging” the phone to force it to report its position [15].
There are important reliability caveats. The assumption that a phone connects to the nearest tower is not always accurate. Carrier algorithms consider network congestion, tower capacity, geography, weather, and other factors when assigning connections [16]. This has led to wrongful convictions, as in the case of Lisa Marie Roberts in Oregon, who pled guilty to manslaughter in 2004 partly based on cell tower evidence that an appellate court later found scientifically unreliable [16].
In Carpenter v. United States, 585 U.S. 296 (2018), the Supreme Court ruled 5-4 that obtaining seven or more days of historical CSLI constitutes a Fourth Amendment search requiring a warrant based on probable cause [14]. The government had obtained 12,898 location points over 127 days for the defendant — an average of 101 data points per day — without a warrant [17]. Chief Justice Roberts wrote that CSLI provides the government with something akin to an ankle monitor attached to the phone user [18]. The decision was narrow, however, and explicitly did not address real-time CSLI, tower dumps, or national security contexts [14].
4. Carrier Data Sales to Aggregators and Brokers
The major U.S. carriers — AT&T, Verizon, T-Mobile, and Sprint — sold real-time subscriber location data to data aggregation companies, principally LocationSmart and Zumigo, who in turn resold it downstream to a wide variety of customers [19][20].
This came to public attention in 2018 when the New York Times reported that Securus Technologies, a prison communications company, had been providing a location-finding service to law enforcement that could locate any phone on the major U.S. networks [19]. A former sheriff in Missouri used the service to track a judge and other law enforcement officers without warrants [20]. Securus obtained its data through 3CInteractive, which sourced it from LocationSmart [21].
A Carnegie Mellon University researcher, Robert Xiao, then discovered that LocationSmart’s public demo website had an API vulnerability that allowed anyone to bypass authentication and geolocate any phone on AT&T, Sprint, T-Mobile, or Verizon — using nothing but a phone number [19]. Subsequent reporting by Motherboard found that LocationSmart was also selling data through a company called CerCareOne to bounty hunters and bail bondsmen [22].
Verizon disclosed that approximately 75 companies had been obtaining its customer location data through LocationSmart and Zumigo [20]. All four carriers announced they would terminate their aggregator relationships in mid-2018, but the FCC found they continued selling data for nearly a year afterward [23]. In a separate case, a Deputy U.S. Marshal named Adrian Pena was charged with using the Securus service between 2016 and 2017 to track personal acquaintances and their spouses by uploading fabricated legal documents [24].
In April 2024, the FCC fined the carriers a combined approximately $200 million: T-Mobile $80 million, AT&T $57 million, Verizon $47 million, and Sprint $12 million [23]. The carriers stated they intend to appeal [23].
The fundamental structural problem, as Brian Krebs noted, is that even with phone-level location and privacy settings disabled, a carrier must still track which tower serves a phone for the network to function — and there is no way for a subscriber to opt out of this [25].
5. SIM Card Software Exploitation (Simjacker)
In 2019, AdaptiveMobile Security disclosed a vulnerability dubbed Simjacker that attacks the SIM card itself [26]. The exploit targets the S@T Browser (SIMalliance Toolbox Browser), a legacy application embedded on SIM cards since the early 2000s that was originally designed to enable carrier menu services. Despite not being updated since 2009, it remains installed on SIM cards used by operators in at least 29 countries across the Americas, West Africa, Europe, and the Middle East [26][27].
The attack works by sending a specially crafted binary SMS message to a target phone. The message contains SIM Toolkit (STK) instructions that are passed to and executed by the S@T Browser on the SIM card. The code instructs the SIM to query the handset for its IMEI and location, then exfiltrate this information via a second SMS to the attacker’s number [26][28]. The target user receives no notification of the incoming attack SMS, the data query, or the outgoing data message — nothing appears in any inbox or outbox [28].
AdaptiveMobile reported that a private surveillance company — which they assessed was working with governments — had been actively exploiting Simjacker since at least late 2018, tracking the location of thousands of individuals, primarily in Mexico, Colombia, and Peru [26][29]. Some targets were queried hundreds of times per week [28]. The vulnerability is device-agnostic: phones from Apple, Samsung, Google, Huawei, Motorola, ZTE, and even IoT devices with SIM cards were successfully targeted [27].
EU-CERT assessed that up to one billion devices globally could be affected [27]. Unlike SS7 attacks, which require access to the signaling network, Simjacker requires only a phone number and can be executed using a $10 GSM modem [29].
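The carrier-side mitigation for this class of attack is to filter messages addressed to the SIM rather than to the user before they reach the handset. The following is an added example, not code from AdaptiveMobile, the SIMalliance or any operator; it parses the header of an SMS-DELIVER TPDU (without the SMSC prefix, numeric sender only) and classifies a message as SIM-bound when its TP-PID is 0x7F ((U)SIM Data download) or its TP-DCS signals message class 2, both of which are defined in the 3GPP SMS specifications. The sender number, timestamp and payload bytes in the samples are constructed, and the trusted-sender policy is a simplification.

```python
def _semi_octets(data: bytes, ndigits: int) -> str:
    """Decode swapped-nibble (TBCD) digits, e.g. 0x51 0x55 -> '1555'."""
    digits = "".join(f"{b & 0x0F}{b >> 4}" for b in data)
    return digits[:ndigits]

def parse_deliver(tpdu: bytes) -> dict:
    """Parse the header of an SMS-DELIVER TPDU (no SMSC prefix, numeric sender)."""
    if tpdu[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    ndigits = tpdu[1]
    oa_len = (ndigits + 1) // 2
    sender = _semi_octets(tpdu[3:3 + oa_len], ndigits)
    if tpdu[2] & 0x70 == 0x10:          # type-of-address: international number
        sender = "+" + sender
    i = 3 + oa_len
    pid, dcs = tpdu[i], tpdu[i + 1]
    udl = tpdu[i + 9]                   # skip the 7-byte service-centre timestamp
    # UDL counts septets for 7-bit text and octets otherwise; sliced as bytes here.
    return {"sender": sender, "pid": pid, "dcs": dcs, "udhi": bool(tpdu[0] & 0x40),
            "user_data": tpdu[i + 10:i + 10 + udl]}

def dcs_message_class(dcs: int):
    """Return the TP-DCS message class (0-3) or None if no class is signalled."""
    group = dcs >> 4
    if group == 0xF or (group & 0xC == 0 and dcs & 0x10):
        return dcs & 0x03
    return None

def is_sim_data_download(msg: dict) -> bool:
    """True when the message is addressed to the SIM rather than the user."""
    return msg["pid"] == 0x7F or dcs_message_class(msg["dcs"]) == 2

def filter_decision(tpdu: bytes, trusted_senders: set) -> str:
    """Carrier-side policy: SIM-bound messages pass only from trusted originators."""
    msg = parse_deliver(tpdu)
    if is_sim_data_download(msg) and msg["sender"] not in trusted_senders:
        return "drop"
    return "deliver"

# Constructed samples: sender +15551234567, made-up timestamp, opaque payload bytes.
SIM_BOUND = bytes.fromhex("04 0B 91 51 55 21 43 65 F7 7F F6 52 90 12 10 00 00 00 04 DE AD BE EF")
TEXT_MSG = bytes.fromhex("04 0B 91 51 55 21 43 65 F7 00 00 52 90 12 10 00 00 00 02 E8 34")
```

Real deployments anchor trust in the originating network at the interconnect rather than in the sender digits alone, which this policy uses only for illustration.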
6. SIM Swapping
SIM swapping (also called SIM hijacking) is an attack in which a fraudster convinces a mobile carrier to transfer a victim’s phone number to a SIM card under the attacker’s control [30]. This is not primarily a tracking mechanism, but it enables tracking and broader surveillance by giving the attacker control over all calls and SMS messages directed to the victim’s number.
Once in control, the attacker can intercept SMS-based two-factor authentication codes, reset passwords for email, banking, and cloud accounts, and monitor all incoming communications [30]. For espionage and surveillance purposes, a SIM swap gives the attacker the ability to monitor the victim’s communications, track their location through services tied to their phone number, and gather information for blackmail or manipulation [31].
The FBI received 1,600 complaints about SIM swapping in 2021, with victims losing $68 million — a dramatic increase from $12 million in losses during the entire 2018-2020 period [30]. Reports to the UK National Fraud Database rose over 1,000% from 2023 to 2024 [30]. The 2019 SIM swap attack on then-Twitter CEO Jack Dorsey’s account demonstrated the technique’s viability against high-profile targets [30].
Carriers have begun implementing countermeasures such as SIM Protection locks (Verizon) and port-out freezes, but the rollout of eSIM technology has opened new attack vectors, since attackers who compromise a carrier account can initiate over-the-air profile downloads to a new device without physical access to any SIM card [32].
Summary of Tracking Dimensions
| Mechanism | Access Required | Precision | User Awareness | Scale |
|---|---|---|---|---|
| SS7 exploitation | SS7 network access | Cell-tower level | None | Global |
| Cell-site simulators | Physical proximity + device | Sub-tower level | None | Local radius |
| CSLI (carrier records) | Legal process or carrier cooperation | Tower to GPS level | None | Per-subscriber |
| Carrier data sales | Commercial relationship | Tower level or better | None | All subscribers |
| Simjacker | Phone number + GSM modem | Cell-tower level | None | Per-SIM vulnerability |
| SIM swapping | Social engineering of carrier | N/A (enables other attacks) | Victim loses service | Per-target |
A common thread across all six mechanisms: the user has no technical ability to prevent the tracking (short of powering off the phone or using a Faraday bag), and in most cases receives no indication that tracking is occurring.
Bibliography
[1] Wikipedia. “Signalling System No. 7.” https://en.wikipedia.org/wiki/Signalling_System_No._7
[2] TechTarget. “What is SS7 Attack?” https://www.techtarget.com/whatis/definition/SS7-attack
[3] Forensic Focus. “Cell Phone Tracking and SS7.” September 2023. https://www.forensicfocus.com/podcast/cell-phone-tracking-and-ss7-hacking-security-vulnerabilities-to-save-lives/
[4] TechCrunch. “A surveillance vendor was caught exploiting a new SS7 attack to track people’s phone locations.” July 18, 2025. https://techcrunch.com/2025/07/18/a-surveillance-vendor-was-caught-exploiting-a-new-ss7-attack-to-track-peoples-phone-locations/
[5] GBHackers. “Surveillance Firm Exploits SS7 Flaw to Track User Locations.” July 21, 2025. https://gbhackers.com/surveillance-firm-exploits-ss7-flaw/
[6] P1 Security. “Location Tracking Attacks in Mobile Networks: SS7, Diameter, and 5G Security Risks.” December 2025. https://www.p1sec.com/blog/location-tracking-attacks-how-adversaries-exploit-mobile-networks-to-follow-you
[7] The Register. “FCC finally set to do something about SS7 vulnerabilities.” April 2, 2024. https://www.theregister.com/2024/04/02/fcc_ss7_security/
[8] Electronic Frontier Foundation. “Cell-Site Simulators / IMSI Catchers.” https://sls.eff.org/technologies/cell-site-simulators-imsi-catchers
[9] Cato Institute. “Stingray: A New Frontier in Police Surveillance.” https://www.cato.org/policy-analysis/stingray-new-frontier-police-surveillance
[10] GoDark Bags. “How IMSI Catchers, Like Stingrays, Track Your Location.” https://godarkbags.com/blogs/post/imsi-catchers
[11] Wikipedia. “Stingray phone tracker.” https://en.wikipedia.org/wiki/Stingray_phone_tracker
[12] Project on Government Oversight. “Issue Brief: The Cell-Site Simulator Warrant Act.” https://www.pogo.org/fact-sheets/issue-brief-the-cell-site-simulator-warrant-act
[13] Electronic Frontier Foundation. “Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying.” March 2025. https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
[14] Wikipedia. “Carpenter v. United States.” https://en.wikipedia.org/wiki/Carpenter_v._United_States
[15] UC Berkeley Law. “Cell Phone Location Tracking.” https://www.law.berkeley.edu/wp-content/uploads/2015/04/2016-06-07_Cell-Tracking-Primer_Final.pdf
[16] Forensic Resources. “Using cell tower data to track a suspect’s location.” 2014. https://forensicresources.org/2014/using-cell-tower-data-to-track-a-suspects-location/
[17] ACLU. “Carpenter v. United States.” https://www.aclu.org/cases/carpenter-v-united-states
[18] SCOTUSblog. “Opinion analysis: Court holds that police will generally need a warrant for sustained cellphone location information.” June 2018. https://www.scotusblog.com/2018/06/opinion-analysis-court-holds-that-police-will-generally-need-a-warrant-for-cellphone-location-information/
[19] Krebs on Security. “Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers.” May 2018. https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/
[20] CBS News/AP. “Mobile Phone Carriers Say They’ll Stop Selling Your Location Data To Data Brokers.” June 2018. https://www.cbsnews.com/sacramento/news/mobile-phone-tracking-data/
[21] CPO Magazine. “Can Mobile Carriers Be Trusted with Location Data?” May 2019. https://www.cpomagazine.com/data-privacy/can-mobile-carriers-be-trusted-with-location-data/
[22] Light Reading. “US Wireless Operators Have (Mostly) Stopped Selling Customer Location Data.” https://www.lightreading.com/regulatory-politics/us-wireless-operators-have-mostly-stopped-selling-customer-location-data
[23] FCC. “FCC Fines AT&T, Sprint, T-Mobile, and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data.” April 29, 2024. https://docs.fcc.gov/public/attachments/DOC-402213A1.pdf
[24] Vice/Motherboard. “US Marshal Charged for Using Cop Phone Location Tool to Track People He Knew.” July 2024. https://www.vice.com/en/article/us-marshal-securus-phone-location-tracked/
[25] Marketplace/Krebs. “Why privacy settings can’t keep your location secret.” May 2018. https://www.marketplace.org/story/2018/05/22/why-privacy-settings-cant-keep-your-location-secret
[26] Wikipedia. “Simjacker.” https://en.wikipedia.org/wiki/Simjacker
[27] CERT-EU. “Security Advisory 2019-020: Simjacker Vulnerability Impacting up to 1 Billion Phone Users.” https://cert.europa.eu/publications/security-advisories/2019-020/
[28] Kaspersky Blog. “Simjacker opens SIM cards to spying.” November 2019. https://www.kaspersky.com/blog/simjacker-sim-espionage/28832/
[29] SecurityWeek. “Simjacker: SIM Card Attack Used to Spy on Mobile Phone Users.” https://www.securityweek.com/simjacker-sim-card-attack-used-spy-mobile-phone-users/
[30] Wikipedia. “SIM swap attack.” https://en.wikipedia.org/wiki/SIM_swap_scam
[31] Montgomery County Police Dept. “SIM swapping.” https://www.montgomerycountymd.gov/pol/fraud/sim-swapping.html
[32] Specops Software. “SIM-swap fraud: Scam prevention guide.” November 2025. https://specopssoft.com/blog/sim-swap-fraud-prevention-guide-2025/