How to Detect Telecom Surveillance Tools in Network Traffic: Developer Security Guide 2025
Understanding Telecom Surveillance Detection for Developers
The Citizen Lab's "Bad Connection" research reveals sophisticated attacks exploiting telecom interconnect ecosystems and mobile operator signaling infrastructure. For developers building security-conscious applications, understanding how these surveillance tools operate—and detecting them in network traffic—is critical.
Unlike traditional malware analysis, telecom surveillance operates at the signaling protocol level, making it invisible to standard application-layer monitoring. This guide walks you through practical detection methods.
How Commercial Surveillance Vendors Exploit Telecom Infrastructure
Commercial surveillance vendors (CSVs) target three key areas:
- Telecom Interconnect Ecosystem: Attackers position themselves between carriers to intercept signaling traffic
- Private Operator Networks: Compromised access to SS7 (Signaling System 7) and Diameter protocols
- Covert Location Tracking: Real-world attack traffic linked to mobile operator infrastructure
The research identified persistent location tracking campaigns that remained undetected for years because they operated at the carrier level, not the device level.
Key Detection Points in Network Analysis
Signaling Protocol Anomalies
If you're analyzing network logs from telecom infrastructure or working with carriers on security audits, watch for:
- Unusual SS7 traffic patterns: Legitimate SS7 traffic follows predictable routing. Look for queries that don't match typical mobile user behavior
- Diameter protocol deviations: Monitor for authentication requests that bypass normal carrier validation chains
- Inter-carrier signaling imbalance: Traffic volume mismatches between incoming and outgoing signaling queries
Building Detection Rules
Here's a sample detection framework in Python for analyzing carrier signaling logs:

```python
from collections import defaultdict
from datetime import datetime, timedelta


class TelecomSurveillanceDetector:
    def __init__(self, baseline_hours=168):
        self.location_queries = defaultdict(list)
        self.baseline_period = timedelta(hours=baseline_hours)
        self.anomaly_threshold = 0.85  # 85% deviation from baseline

    def analyze_signaling_traffic(self, msisdn, location_queries):
        """Detect unusual location query patterns for one subscriber.

        Each query is a dict with a datetime under 'timestamp'."""
        if len(location_queries) < 10:
            return None  # too few queries to judge regularity
        # Extract temporal patterns (sort so input order does not matter)
        query_times = sorted(q['timestamp'] for q in location_queries)
        time_deltas = [
            (query_times[i + 1] - query_times[i]).total_seconds()
            for i in range(len(query_times) - 1)
        ]
        # Persistent tracking shows abnormally regular intervals
        avg_interval = sum(time_deltas) / len(time_deltas)
        if avg_interval <= 0:
            return None  # all timestamps identical; nothing to measure
        variance = sum((x - avg_interval) ** 2 for x in time_deltas) / len(time_deltas)
        std_dev = variance ** 0.5
        # Compare the spread to the mean in the same units (seconds) so the
        # check does not depend on the absolute interval length
        relative_spread = std_dev / avg_interval
        # Low spread + high frequency (< 5 min between queries) = potential surveillance
        if relative_spread < 0.1 and avg_interval < 300:
            return {
                'risk_level': 'HIGH',
                'msisdn': msisdn,
                'query_count': len(location_queries),
                'regularity_score': 1 - relative_spread,
                'timestamp': datetime.now(),
            }
        return None

    def cross_operator_analysis(self, signaling_logs):
        """Detect inter-carrier surveillance patterns.

        signaling_logs is assumed to be in chronological order; each entry
        carries 'msisdn', 'home_network_id' and 'current_network_id'."""
        network_changes = defaultdict(int)
        last_network = {}
        for log in signaling_logs:
            msisdn = log['msisdn']
            current_network = log['current_network_id']
            # Start from the home network so the first roaming record counts
            previous = last_network.get(msisdn, log['home_network_id'])
            # Flag each move to a network other than the last one seen
            if current_network != previous:
                network_changes[msisdn] += 1
            last_network[msisdn] = current_network
        # Targets typically show high roaming activity
        return {
            k: v for k, v in network_changes.items()
            if v > 15  # More than 15 network changes in baseline period
        }
```
Practical Detection Workflow
Step 1: Establish Baseline Behavior
Collect 1-2 weeks of normal signaling traffic for subscriber cohorts:
- Average location queries per subscriber per hour
- Typical geographic movement patterns
- Standard roaming behavior by region
Step 2: Set Anomaly Thresholds
| Metric | Normal Range | Anomaly Threshold |
|--------|--------------|-------------------|
| Location queries/hour | 0.5-2 | >10 |
| Query regularity (std dev) | >50ms variance | <5ms variance |
| Inter-carrier switches/week | 0-2 | >5 |
| Query origination diversity | 10+ sources | 1-2 sources |
| Geographic movement speed | 0-500 km/h | >800 km/h |
Step 3: Monitor in Real-Time
Implement continuous monitoring that alerts when subscribers exceed baseline anomalies by 85% for sustained periods (>24 hours). The research shows persistent tracking campaigns maintain unusual patterns indefinitely.
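The three steps above, carried through on constructed data as an added example (not code from the Citizen Lab research or from a carrier): a per-subscriber check that applies the query-rate, origination-diversity and movement-speed thresholds from the table. The record layout (`ts`, `source`, `pos`) and the `evaluate_subscriber` helper are assumptions for illustration.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Anomaly thresholds taken from the table above (hypothetical detector)
THRESHOLDS = {'queries_per_hour': 10, 'max_sources': 2, 'speed_kmh': 800}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def evaluate_subscriber(records, thresholds=THRESHOLDS):
    """Return the threshold breaches for one subscriber's location-query records.

    Each record: {'ts': datetime, 'source': querying network id, 'pos': (lat, lon)}.
    Records are sorted by timestamp here, so input order does not matter."""
    recs = sorted(records, key=lambda r: r['ts'])
    flags = {}
    if len(recs) < 2:
        return flags  # a single query cannot show a rate or a movement
    # Floor the window at one minute so duplicate timestamps do not divide by zero
    span_hours = max((recs[-1]['ts'] - recs[0]['ts']).total_seconds() / 3600, 1 / 60)
    rate = len(recs) / span_hours
    if rate > thresholds['queries_per_hour']:
        flags['query_rate'] = round(rate, 1)
    sources = {r['source'] for r in recs}
    # Few distinct origins behind a high query rate points at a single tracker
    if rate > thresholds['queries_per_hour'] and len(sources) <= thresholds['max_sources']:
        flags['low_origin_diversity'] = sorted(sources)
    max_speed = 0.0
    for prev, cur in zip(recs, recs[1:]):
        hours = (cur['ts'] - prev['ts']).total_seconds() / 3600
        if hours > 0:
            max_speed = max(max_speed, haversine_km(prev['pos'], cur['pos']) / hours)
    # Physically implausible movement means a reported location was not genuine
    if max_speed > thresholds['speed_kmh']:
        flags['implausible_speed_kmh'] = round(max_speed)
    return flags


# Constructed samples: SAMPLE is 12 queries in 55 minutes from one origin with a
# final jump Berlin -> Madrid in 5 minutes; BENIGN is 3 queries over 2 hours from
# 3 origins at a fixed position
_start = datetime(2025, 1, 1, 12, 0)
SAMPLE = [{'ts': _start + timedelta(minutes=5 * i), 'source': 'net-A',
           'pos': (52.52, 13.405)} for i in range(11)]
SAMPLE.append({'ts': _start + timedelta(minutes=55), 'source': 'net-A', 'pos': (40.4168, -3.7038)})
BENIGN = [{'ts': _start + timedelta(hours=h), 'source': 'net-%d' % h,
           'pos': (52.52, 13.405)} for h in range(3)]
```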
Implementation Considerations
For Telecom Engineers: If you're working with carrier infrastructure, focus on:
- Implementing Interconnect Security Board (ISB) standards
- Validating originating carrier identity in signaling
- Monitoring for unauthorized Location Information Service (LIS) queries
For Application Developers: If you're building mobile security apps:
- Request location query logs from carriers (where possible)
- Implement local-only location caching to reduce signaling exposure
- Use signal strength analysis instead of periodic location pings
Technical Challenges in Detection
- Encrypted Signaling: Modern operators may encrypt Diameter traffic, requiring cooperation for deep inspection
- Legitimate Traffic Overlap: Lawful intercept requests create baseline "noise" that mimics surveillance patterns
- Carrier Cooperation: Operators must actively monitor their own infrastructure—developers have limited visibility
Limitations and When to Escalate
Developers cannot directly detect telecom-layer surveillance without carrier support. If you suspect surveillance affecting your application's users:
- Document unusual location behavior in your app's telemetry
- Report patterns to relevant carriers and privacy authorities
- Recommend users contact telecom regulators in their jurisdiction
- Consider location-minimization strategies in your application design
Next Steps
The Citizen Lab research demonstrates that these attacks persist for years undetected. While detection requires infrastructure access, developers can:
- Advocate for carrier transparency around signaling access
- Implement privacy-preserving architectures that minimize location collection
- Build user-level monitoring for anomalous location behavior
- Participate in responsible disclosure processes when anomalies are identified
Security isn't just about detecting attacks—it's about building systems that reduce surveillance surface area from the ground up.