An ancient communications protocol now sits at the center of a gripping, worldwide scandal — one involving shell companies, totalitarian regimes, murder cases, and, of course, enormous sums of money.
-
The protocol in question is SS7.
Developed decades ago as the nervous system of 2G and 3G cellular networks, it enables the communications systems of different carriers to talk to one another and to route text messages and phone calls.
The protocol was born in a more naive and innocent era, built on the baseline assumption that any entity with access to the network is a legitimate one — and therefore neither identity verification nor encryption was considered necessary.
-
An Austrian entrepreneur and former Siemens engineer developed software capable of connecting to the system while impersonating a legitimate telecommunications entity, thereby pinpointing the physical location of any handset connected to the network.
The location tracking is made possible by a simple fact: the phone system must identify which antenna a user is connected to in order to route calls and messages to them.
In this way, querying any phone number reveals the location of the antenna to which the device is connected — without ever breaching the user's handset or raising any suspicion.
-
The software was developed under the name of a shell company in Indonesia.
It was marketed through a business intelligence firm in the United Kingdom, with both companies presenting the outward appearance of a legitimate, lawful operation.
The scandal broke when internal company documents reached journalists, who launched an in-depth investigation, and what they uncovered shocked them.
The system had been sold to corrupt states such as Belarus and Nigeria, and was used to surveil, among others, key figures in the global arms industry and political dissidents.
Several Rwandan dissidents living in exile were murdered after their locations were traced using the system.
-
The website of the Indonesian company (FirstWAP) is no longer active, and the business is listed on Google as permanently closed.
The website of the British arm (KCS Group) remains live, and the entire affair is still at the stage of suspicion — with no government intervention or criminal charges filed to date.
While the wheels of justice turn slowly, the system continues to operate unimpeded, and one can only imagine the damage it is causing.
Although security patches exist that are designed to close the vulnerability, this story underscores the critical importance of migrating to the more secure 4G and 5G networks — and the sooner, the better.
-
👋 Hi, I'm Shlomo Strauss — follow me for more content on science and technology.