
Citizen Lab's 'Bad Connection': The Phone in Your Pocket Is Wiretapped by Default

The moment you turn on your phone, you’re already exposed. Your location, who you call, the contents of your texts — all of it travels across a signaling protocol designed in 1975, before the internet existed in any meaningful form. Citizen Lab, the University of Toronto’s digital-rights research group, just dropped a report called “Bad Connection” that drags this uncomfortable truth back into daylight. And it’s worse than the usual “your phone could be hacked” story.

SS7: A Time Bomb That Never Stopped Ticking

The villain has a boring name — Signaling System No. 7, or SS7. Think of it as the back-channel language carriers use to hand off your calls and texts when you cross networks or borders. Built in 1975, it was designed without basic protections like authentication and encryption. There’s no “is this carrier really who it says it is?” check. The system was designed for a closed club of state-run monopolies that trusted each other.

That club is gone. SS7 is not. Even as carriers brag about 5G rollouts, international roaming and inter-carrier signaling still ride on SS7 and its successor Diameter. Get a foothold inside an SS7 network — any SS7 network, anywhere — and in theory you can track the location of any phone on Earth, intercept calls, and skim SMS verification codes. The protocol can’t tell a legitimate Vodafone query from a malicious one originating at a sketchy carrier in a tax haven.

The Surveillance-as-a-Service Industry

What makes the Citizen Lab report different from a decade of academic SS7 hand-wringing is that it names the business model. This isn’t theoretical. There’s a market.

The report focuses on what it calls “covert surveillance actors” — companies that buy or lease SS7 access from small carriers and resell it as a service to governments and private intelligence shops. Firms based in Israel, Cyprus, the UAE, and elsewhere have built quiet little empires here. Unlike NSO Group’s Pegasus, which compromises the phone itself, these operators never touch the device. They sit at the network layer and pull data out of the pipes. Cleaner, cheaper, and far harder to detect.

Why This Is Scarier Than Malware

Conventional phone hacking leaves fingerprints. Battery drains. Suspicious apps appear. Data usage spikes. A determined defender can find it.

SS7 attacks leave nothing on the device. The victim has essentially no way to know it’s happening. No security app catches it, because there’s nothing on the phone to catch. A $1,200 iPhone and a $99 Android are equally exposed — when the network itself is the breach, the hardware in your hand doesn’t matter.

The most painful angle is SMS-based two-factor authentication. Banks, exchanges, corporate VPNs, and a depressing share of consumer apps still text you a six-digit code. An SS7 attacker can reroute that text. Knowing the password becomes optional — one intercepted SMS and the account is theirs. The security industry has been begging companies to ditch SMS 2FA for years. Most haven’t.

Targeted, Not Mass

Citizen Lab is careful about one point: this isn’t bulk collection. It’s precision targeting — journalists, human-rights workers, opposition politicians, exiled dissidents, lawyers representing inconvenient clients.

For an authoritarian government, SS7 is irresistible. No warrant, no court order, no awkward conversation with your domestic carrier. Route the request through some third-rate operator in a friendly jurisdiction, and you can watch a dissident in Berlin or Toronto move around in real time. It’s the kind of capability that, twenty years ago, only a handful of signals-intelligence agencies possessed. Now it’s a line item on an invoice.

What You Can Actually Do

Individual defenses are limited but real.

First, kill SMS 2FA wherever you can. Move to authenticator apps (Google Authenticator, Authy, 1Password) or, better, a hardware key like a YubiKey. The FIDO2 standard isn’t theater — it actually solves this class of attack. Second, push sensitive conversations onto end-to-end encrypted apps like Signal. SS7 attackers can see that you sent a Signal message, but the contents stay opaque.

Third, and this is the part that matters at scale: carriers already have the technology to filter malicious SS7 traffic and mostly choose not to deploy it because it costs money and nobody is forcing them. The GSMA has published filtering guidelines for years. US, UK, and EU regulators have been slow-walking enforcement. That’s a policy failure, not a technical one.
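To make the carrier-side filtering concrete, here is an added example (not code from Citizen Lab, the GSMA, or any vendor) of the three-tier screening a signaling firewall can apply at the interconnect edge. The operator table, the tier assignments, the one-hour threshold, and all names and sample messages are simplified assumptions constructed for illustration; only the MAP operation names are real.

```python
from collections import namedtuple

# Constructed interconnect table: global-title prefix -> IMSI prefix (MCC+MNC).
OPERATORS = {"99910": "00101", "99920": "00102", "99930": "00103"}
HOME = "99910"
INTERNAL_ONLY = {"anyTimeInterrogation", "sendRoutingInfo"}  # tier 1
HOME_NET_ONLY = {"provideSubscriberInfo"}                    # tier 2
MIN_TRAVEL_SECONDS = 3600  # assumed floor for a plausible change of network

# Fields: arrival time (s), calling-party global title, MAP operation, target IMSI.
MapMsg = namedtuple("MapMsg", "ts origin_gt operation imsi")

def operator_of(gt):
    return next((p for p in OPERATORS if gt.startswith(p)), None)

def screen(msg, last_seen):
    """Return (verdict, reason); last_seen maps IMSI -> (ts, operator)."""
    src = operator_of(msg.origin_gt)
    if src is None:
        return "block", "origin is not a known interconnect partner"
    if msg.operation == "updateLocation":  # tier 3: plausibility check
        prev = last_seen.get(msg.imsi)
        if prev and prev[1] != src and msg.ts - prev[0] < MIN_TRAVEL_SECONDS:
            return "alert", "tier 3: implausible jump between networks"
        last_seen[msg.imsi] = (msg.ts, src)
        return "allow", "plausible registration"
    if src == HOME:
        return "allow", "internal traffic"
    if msg.operation in INTERNAL_ONLY:
        return "block", "tier 1: internal-only operation from outside"
    if msg.operation in HOME_NET_ONLY:
        if msg.imsi.startswith(OPERATORS[src]):
            return "allow", "home network asking about its own roamer"
        return "block", "tier 2: origin is not the subscriber's home network"
    return "block", "operation not on the allow list"

def run_sample():
    ours, theirs = "001011234567890", "001029876543210"
    msgs = [  # constructed sample traffic
        MapMsg(0, "999100000001", "updateLocation", ours),
        MapMsg(100, "999300000005", "anyTimeInterrogation", ours),
        MapMsg(200, "999300000005", "provideSubscriberInfo", ours),
        MapMsg(300, "999200000009", "provideSubscriberInfo", theirs),
        MapMsg(600, "999300000005", "updateLocation", ours),
        MapMsg(7200, "999200000009", "updateLocation", ours),
        MapMsg(7300, "888000000001", "sendRoutingInfo", ours),
    ]
    seen = {}
    return [screen(m, seen)[0] for m in msgs]
```

The point of the tiers is that the protocol itself carries no proof of who is asking, so the receiving network has to decide from context (who sent it, which operation, which subscriber, and when) whether a request makes sense.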

The Quiet Assumption

Most of us trust our phones because of an unspoken assumption: nobody important enough cares about me specifically. Citizen Lab’s report is a reminder that this assumption is aging badly. Surveillance used to require a building full of analysts and a budget approved by a parliament. Now it requires a license from a small carrier and a wire transfer.

Is your SMS 2FA still on? And when was the last time your carrier said anything — anything at all — about what they’re doing to filter SS7 traffic?
