You guys have GOT to see this because it's insane how one of our most important mobile protocols has been essentially an open door for years. A new report shows Iran exploited IMSI catchers β which are basically fake cell towers that force your phone to connect and expose its location through SS7 and Diameter flaws - to track U.S. military personnel across the Middle East. They deployed these devices around bases in Bahrain, Qatar, Syria, and Iraq, and even targeted diplomatic vehicles at consulates in Baghdad and Damascus. This isn't some theoretical attack; it was actively used against high-ranking officials, which is terrifying when you think about what that kind of intelligence can be used for.
The mechanism behind this is infuriating because it relies on the inherent openness of global telecom routing rather than a specific device flaw. When your phone connects to a partner network through an international gateway, SS7/Diameter messages are sent with no authentication between operators, so anyone who knows how to route them can geolocate you anywhere in the world. TRAC-IE published an incredible open-source report with maps showing exactly where these devices were placed around military bases and highlighting that even unpatched systems on government networks were exposed. They also detail why mobile privacy isn't just about your personal messages β it's a critical national security vulnerability every time we let us connect to a foreign network without an authenticated tunnel. We need to stop assuming our phones are secure just because they have encryption and build in the layers correctly this time.
Source: https://techcrunch.com/2026/07/14/iran-abused-mobile-networks-vulnerabilities-to-locate-u-s-military-in-the-middle-east-report-says/
Also see: https://tracie.io/newsletters/the-ss7-and-diameter-protocol-flaw-is-a-security-nightmare
The mechanism behind this is infuriating because it relies on the inherent openness of global telecom routing rather than a specific device flaw. When your phone connects to a partner network through an international gateway, SS7/Diameter messages are sent with no authentication between operators, so anyone who knows how to route them can geolocate you anywhere in the world. TRAC-IE published an incredible open-source report with maps showing exactly where these devices were placed around military bases and highlighting that even unpatched systems on government networks were exposed. They also detail why mobile privacy isn't just about your personal messages β it's a critical national security vulnerability every time we let us connect to a foreign network without an authenticated tunnel. We need to stop assuming our phones are secure just because they have encryption and build in the layers correctly this time.
Source: https://techcrunch.com/2026/07/14/iran-abused-mobile-networks-vulnerabilities-to-locate-u-s-military-in-the-middle-east-report-says/
Also see: https://tracie.io/newsletters/the-ss7-and-diameter-protocol-flaw-is-a-security-nightmare