How China abuses mobile networks.
When the FBI warned iPhone and Android users to stop sending texts, it exposed a huge security vulnerability in the way Americans communicate. It also exposed an awkward anomaly: Apple’s and Google’s messaging platforms cannot send secure messages to each other. Now a new report has suddenly warned that the threat is actually much worse, that China can spy on iPhones and Android phones “almost anywhere.”
The FBI’s warning last December was prompted by China’s Salt Typhoon hackers breaching U.S. telco networks, stealing user metadata and some unencrypted content — including text messages. That led to the bureau and America’s cyber defense agency advising Americans to use end-to-end encryption at all times.
But China doesn’t need hackers to intercept user data and content on telco networks — because China already controls or has access to many of those networks. That’s the warning from mobile endpoint security firm iVerify in a new report today. China’s telco giants, it says, “introduce significant risks due to their transport of unencrypted signaling protocols,” pointing to “a major issue in the fact that these providers operate under the direction of the Chinese government, raising the risk of global surveillance, data interception, and exploitation for state-sponsored cyber espionage.”
Echoes here of an investigation published in The Guardian in 2020, which found that “China appears to have used mobile phone networks in the Caribbean to surveil U.S. mobile phone subscribers as part of its espionage campaign against Americans.” Just as with iVerify’s new report, that investigation claimed China is “using a state-controlled mobile phone operator [to] direct signaling messages to U.S. subscribers, usually while they are traveling abroad.” These signals can request and return phone IDs and locations, and if sophisticated enough can also trigger content monitoring and interception.
iVerify now says this is not a China issue, or even a China plus a few places issue; it’s an everywhere issue. “The interconnectedness of the global mobile network ecosystem means that data travels between and across networks, and the larger of those networks have subsidiaries, stakes and partnerships across multiple countries around the world.” Clearly this only matters when the data itself is unsecured: network signaling, or user content that has not been end-to-end encrypted, as with SMS text messages.
While “essential for international roaming,” iVerify says not enough has been done to secure the “intricate web of interconnections linking mobile operators worldwide.” Given the strength of China’s operators (China Mobile International, China Telecom Global, China Unicom Global, CITIC Telecom International and PCCW Global Hong Kong) and its OEMs (Huawei and ZTE), all of which are subject to state influence if not outright control, that becomes a major security threat to users across networks.
To put all this more simply, iVerify’s Rocky Cole told me that “everyone knows not to bring their phones to China, but China is everywhere. Chinese owned and operated mobile interconnects, combined with legacy technology protocols that were never designed with today’s mobile phone capabilities in mind, expose employees to surveillance in huge swaths of the world.”
While iVerify’s focus is enterprise risk management, the same vulnerabilities extend to all phone users, especially those in sensitive locations or vocations. And while the risk covers all unencrypted data, SMS remains a standout given that all other messaging platforms now have enhanced security.
China’s reach is a problem. State control, and the national security laws behind the U.S. crackdowns on Huawei and TikTok, are a more serious one. “Providers operate under the direction of the Chinese government,” iVerify says, “raising the risk of global surveillance, data interception, and exploitation for state-sponsored cyber espionage. Their role in the mobile interconnect system grants them access to critical functions, including device authentication, call setup, SMS delivery, location updates, and data session management—making them prime channels for exploiting network vulnerabilities.”
User data exposed to Chinese surveillance when outside U.S.
iVerify adds that “technical risks originate from the outdated nature of telecom signaling protocols, initially designed decades ago without encryption lacking an industry focus on security. These protocols handle essential mobile network functions, but their lack of security leaves them vulnerable to multi-vector attacks, enabling malicious actors to intercept, manipulate, or inject spoofed traffic into mobile networks.”
But this problem is not easily or quickly resolved, especially given some of the older networks still in place around the world. In practice, the fix will fall to devices and operating systems, certainly for smartphones, which are the primary security risk given the data they store and transmit.
ESET’s Jake Moore warns “there are constantly growing concerns about vulnerabilities in the global mobile network ecosystem — particularly due to the influence of some of the major Chinese mobile network operators. Increasingly sophisticated attackers relentlessly looking for vulnerabilities could potentially exploit weaknesses at the network level to access unencrypted content such as SMS messages and location data.”
On that note, Google’s recent focus on network defenses, including restricting traffic on poorly encrypted connections, and its alignment with Apple on encrypting RCS are all major positives. But a further step is required: phones need to treat even a legitimate network as not necessarily friendly, especially when roaming, letting the user shut down certain functions and capabilities while in that state.
“Threat actors routinely abuse mobile network vulnerabilities,” iVerify says, “to track the real-time location of devices, push over-the-air (OTA) updates to covertly install spyware, or take over WhatsApp accounts. They can also carry out highly targeted SMS phishing (smishing) attacks. For cybersecurity professionals, defending against these threats presents significant OPSEC challenges, as mobile operators must open a range of signaling interfaces and protocols to foreign networks, including those who provide access to 3rd parties, bypassing traditional security measures.”
iVerify shares the countries and networks concerned in the report. For Americans, this is an issue when you travel overseas rather than at home; it is different from Salt Typhoon. “As international travel rises, so does the risk of exposure to the secret tradecraft of mobile surveillance tactics enabled by foreign interconnect providers,” iVerify warns. “Since its inception, the concept of user privacy for international mobility has been more of an afterthought [with] traffic encryption measures ‘not seen as necessary in an inter-operator network, as the network itself is secure and transparent’. However, this assumption has proven to be dangerously flawed.”
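The operator-side counterpart to the interconnect risk described above is a signaling filter that asks, for every inbound request touching a subscriber's identity or location, whether the sending network has a roaming agreement and whether the subscriber is actually attached to it. The following is an added illustration, not iVerify's code or any operator's: network names, subscriber ids, the pipe-separated log format and the simplified message categories are all constructed placeholders, not real protocol operations.

```python
from collections import defaultdict, namedtuple

# Constructed roaming agreements: interconnect networks allowed to signal about our subscribers.
ROAMING_PARTNERS = {"PARTNER-A", "PARTNER-B"}
# Constructed registrations: the network each subscriber's handset last attached to.
CURRENT_LOCATION = {"SUB-001": "PARTNER-A", "SUB-002": "HOME"}
# Simplified categories (not real protocol opcodes) that reveal identity or whereabouts.
SENSITIVE = {"LOCATION_QUERY", "IDENTITY_QUERY"}
BURST_WINDOW, BURST_LIMIT = 600, 2  # seconds, max location queries per source in the window

# One inbound signaling message; subscriber ids are placeholders, not real IMSIs.
Signal = namedtuple("Signal", "ts source subscriber category")

def parse_log(text):
    """Parse constructed 'ts|source|subscriber|category' lines into Signal records."""
    out = []
    for line in text.strip().splitlines():
        ts, src, sub, cat = line.split("|")
        out.append(Signal(int(ts), src, sub, cat))
    return out

def classify(sig, history):
    """Return the reasons an inbound message is suspicious (empty list means clean)."""
    reasons = []
    if sig.source not in ROAMING_PARTNERS:
        reasons.append("no roaming agreement with source network")
    if sig.category in SENSITIVE and CURRENT_LOCATION.get(sig.subscriber) != sig.source:
        reasons.append("sensitive request from a network the subscriber is not attached to")
    if sig.category == "LOCATION_QUERY":
        key = (sig.source, sig.subscriber)
        recent = [t for t in history[key] if sig.ts - t <= BURST_WINDOW] + [sig.ts]
        history[key] = recent  # keep only queries still inside the sliding window
        if len(recent) > BURST_LIMIT:
            reasons.append("location query burst from one source")
    return reasons

def scan(signals):
    """Map (ts, source, subscriber) -> reasons for every message in arrival order."""
    history = defaultdict(list)
    return {(s.ts, s.source, s.subscriber): classify(s, history) for s in signals}

SAMPLE_LOG = """
1000|PARTNER-A|SUB-001|LOCATION_QUERY
1010|PARTNER-B|SUB-001|LOCATION_QUERY
1020|UNKNOWN-X|SUB-002|IDENTITY_QUERY
1030|PARTNER-A|SUB-001|SMS_DELIVER
1050|PARTNER-A|SUB-001|LOCATION_QUERY
1060|PARTNER-A|SUB-001|LOCATION_QUERY
"""
```

Running `scan(parse_log(SAMPLE_LOG))` flags the query from a partner the subscriber is not roaming on, both checks for the unknown network, and the third location query from one source within ten minutes, while the ordinary SMS delivery passes.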
iVerify’s Cole told me that with “access to the signaling network, it’s far easier to do things like send convincing smishing messages that bypass network-level protections by disguising itself as legitimate traffic, enabling highly targeted messages, etc. or even perpetrate zero-click attacks on phones by pushing malicious OTA updates, using a carrier’s elevated permissions, that could include spyware payloads, or spoofed traffic that could exploit the way phones process certain network traffic.”
To be as safe as you can, stick to encrypted messaging and other comms, use a notable, blue chip VPN if connecting to hotel or airport WiFi, and be mindful of the apps you install and use — especially if encouraged to download a local app when traveling. “The risk remains when traffic passes through less secure international partners which includes China,” Moore says. “Encrypted communication channels are, therefore, always preferred across mobile networks for improved privacy and security.”