Your Phone Is a Beacon: Inside Iran's SS7 and Ad-Tech Campaign Against U.S. Forces — And Why Australia Isn't Immune
The follwing article is based on an article in the Financial Times, thrown at an AI and asked a lot of questions. It peeked my interest, what can I say.
In the weeks before the US-Israeli strikes on Iran in late February 2026, and through the early days of the war that followed, mobile networks across the Middle East were quietly fending off something unusual: a sustained wave of signalling requests trying to pin down the exact whereabouts of specific phones. According to reporting by the Financial Times, drawing on data from the Mobile Surveillance Monitor research project and multiple sources with direct knowledge of the campaign, that traffic was Iran, and the targets were US military personnel and contractors stationed across Iraq, Bahrain and the wider Gulf.
The stakes weren't abstract. Iran and Iran-backed militias went on to strike hotels in Iraq and Bahrain — home to the US Navy's Fifth Fleet — injuring American contractors and personnel in the process. Investigators are careful to say correlation isn't proof: human informants, hotel reviews and social media are also plausible ways to find a target, and one US official has publicly disputed that digital tracking drove the strikes at all. But two named cybersecurity researchers, including Citizen Lab's Gary Miller, told the FT that the technical fingerprint in the data pointed to specific, deliberate device-level targeting, not indiscriminate sweeping — and that Iran's capability to do this is not in question.
What makes the story worth sitting with isn't really "Iran did something clever." It's that neither of the two techniques involved is exotic, secret, or new. They're both known weaknesses that have existed in commercial telecom and advertising infrastructure for over a decade, sitting in plain view, mostly because fixing them properly would mean rebuilding systems the entire world depends on.
Weapon one: a 1970s trust system nobody replaced
The first technique is SS7 — Signalling System No. 7 — the protocol suite that's quietly run global mobile networks since the 1970s. It's the reason your phone still works when you land in another country: SS7 (and its 4G-era cousin, Diameter) is what lets your home carrier and a foreign carrier hand your phone off to each other, agree on billing, and route your calls and texts correctly.
It was designed for a small, closed club of state-owned telephone monopolies who implicitly trusted each other completely. There was no reason to build in authentication, because "who else would be on this network?" was a solved problem — solved by there being almost nobody else. That assumption has aged badly. Today, SS7 access can be leased commercially through "Global Title" arrangements, sometimes with minimal vetting, and any carrier with a roaming agreement — which, by definition, includes any carrier operating in a region with roaming agreements — has the standing ability to send the same category of query a legitimate roaming handoff requires.
The specific messages involved have unglamorous acronym names — SendRoutingInfo, ProvideSubscriberInfo, AnyTimeInterrogation — and they exist for perfectly legitimate reasons: routing a call, checking whether a subscriber is reachable, supporting emergency location services. The problem is that a network receiving one of these queries has no reliable way to tell "a legitimate roaming partner checking in" from "a hostile intelligence service checking in." The reply, either way, discloses which cell tower or switch a specific phone is currently sitting under — in a city with many towers, that can localise someone to a neighbourhood or a specific building.
Iranian carriers hold real, legitimate roaming agreements across the Gulf and Middle East. That's the entire mechanism: no breach, no malware, no zero-day. Just a party with a real key to a real, if badly designed, door.
Weapon two: the advertising industry did this to itself
The second technique gets described in headlines as Iran "hacking" ad networks, which is a misleading way to put it. Nobody broke into anything. Real-time bidding (RTB) — the system that decides which ad you see, in the roughly 100 milliseconds after an app requests one — was built to broadcast your data to a room full of strangers. That's not a side effect; it's the business model.
Here's the mechanic: your phone's ad SDK sends a "bid request" to an ad exchange containing your mobile advertising ID, GPS coordinates, IP address, device type, and inferred interests. The exchange fans that packet out to hundreds or thousands of potential advertisers simultaneously so they can bid on the impression. Only one bidder wins the auction and shows you an ad — but everyone who received the bid request keeps the data regardless. Researchers gave this exploitation pattern a name years ago: ADINT, advertising-based intelligence, deliberately modelled on the naming convention for SIGINT and HUMINT. A researcher only needs to register as a legitimate ad buyer — a real, mundane, commercially available role — to sit in that room and collect.
Commercial vendors have already turned this into off-the-shelf tradecraft: Babel Street's Locate X, and Penlink's Webloc (built on the acquired Israeli firm Cobwebs Technologies), package RTB exhaust into searchable location-history tools already sold to agencies like US Immigration and Customs Enforcement, without a warrant, because the data comes from an ad auction rather than a phone company. In the Iran case, a US official told the FT that Iran-linked actors are believed to have used this style of commercially available advertising data to identify which hotels in Iraqi Kurdistan housed US government staff and contractors — profiling by app usage and location clustering rather than any technical break-in.
The uncomfortable question: could this happen to Australia?
Short answer: there's no structural reason it couldn't, and there's direct evidence Australian networks have already carried this exact kind of traffic.
SS7 is a single global system, not a regional one. Telstra, Optus and TPG/Vodafone all sit on the same interconnected SS7/Diameter fabric as every other carrier on earth, because that's the entire point of the protocol — it's what makes international roaming work at all. A hostile state doesn't need physical access to Australia to query an Australian subscriber's location; it needs SS7 interconnect access somewhere in the world, which — as the leased Global Title market demonstrates — is a commercial arrangement, not a military one.
This isn't hypothetical for Australia specifically, either. Citizen Lab has previously reported finding a suspected deployment of Circles — an NSO Group-linked commercial SS7 surveillance system — hosted on infrastructure geolocated to Canberra and traced to Optus and TPG networks, leading researchers to flag Australia as a likely customer or host of this surveillance capability. That finding is about a commercial system with an Australian footprint, not proof of a specific foreign-government campaign against Australian subscribers — but it establishes that Australian carrier infrastructure has been implicated in exactly the SS7 weaknesses at issue in the Iran reporting, not in some separate, hardened category.
4G/5G doesn't fully solve it either. Diameter, the signalling protocol underpinning 4G, was designed with authentication and access-control features that SS7 lacks — but those features are optional, not mandatory, and Diameter networks still interconnect with legacy SS7 networks at their edges, reintroducing the same weaknesses. Sunsetting 2G/3G radio access removes old handsets from the air; it doesn't remove SS7 from the signalling core, because SS7 (or its equivalent) is still what makes cross-border interoperability with the rest of the still-SS7-reliant world possible.
The ad-tech vector is, if anything, less avoidable. RTB isn't a regional or even a national system — it's the global architecture behind most mobile advertising, full stop. An Australian's phone running ordinary apps broadcasts the same bid-request data into the same global exchanges as anyone else's. Nothing about being in Australia removes a device from that stream. Anyone — a foreign intelligence service included — who buys or leases a seat as an ad-buyer on the right exchange can, in principle, pull location and device-identifier data on people physically present in Australia, including foreign military personnel transiting through, visiting diplomats, or just ordinary citizens, with no need to compromise an Australian company at all.
What's less clear is exactly how well-defended Australian networks are at the signalling-firewall level specifically. Australia does have a real regulatory apparatus around this — the Telecommunications Sector Security Reforms, the Security of Critical Infrastructure Act, and the Cyber Security Act 2024 all impose obligations on carriers to protect their networks and report serious incidents to the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), with ACMA also empowered to enforce compliance. What's not publicly documented, at least not that this research turned up, is a mandated Australia-specific standard for SS7/Diameter signalling firewalls of the kind GSMA recommends industry-wide — leaving the honest answer as "there's a regulatory structure, but whether it closes this specific gap isn't something I can confirm from open sources." That's a genuinely worthwhile question to put to ACMA or the ACSC directly, or to chase via FOI.
The takeaway
None of this required Iran to invent anything. It required patience, a legitimate-looking interconnect relationship, and a willingness to abuse systems that were never built to resist a determined nation-state — because they were built in eras when almost nobody imagined one would try. Both weaknesses are structural, both are global, and neither respects a border. If it worked against US personnel in the Gulf, there is no protocol-level reason it couldn't be pointed at people in Australia; the only open question is how good Australian carriers' filtering is in practice, and that's not something outsiders can verify from a laptop.
Sources
- Franceschi-Bicchierai, L. "Iran abused mobile networks' vulnerabilities to locate US military in the Middle East, report says", TechCrunch, 14 July 2026 (citing the Financial Times, paywalled)
- "Financial Times: US military smartphones targeted through roaming and ad tech", reproduced via Rep. Pat Harrigan's office
- "Iran used roaming systems, ad tech to track US troops in Gulf: Report", Türkiye Today
- EFF, "The Government Uses Targeted Advertising to Track Your Location", March 2026
- Vasilakis et al., "Using Ad Targeting for Surveillance on a Budget" (the original ADINT research, University of Washington)
- iTnews, "Australia a 'likely' customer of global mobile phone surveillance company" (Citizen Lab's Circles/SS7 findings re: Optus/TPG infrastructure)
- GSMA, "SS7: Securing a Legacy Protocol in a Modern Threat Landscape"
- Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts, Telecommunications security reforms
You can see why it peaked my interest. Hopefully its peaked a few peoples interest in the Australian Signals Directorate.
No wonder Iran shut its mobile networks down during the war. It wasnt about propaganda or insurgent control although that was probably a factor. It was about stopping the USA and its allies from finding all their key personnel. But you worked that out already havent you - which also explains what is going on in Moscow.
Interesting times
#enoughsaid