Published: Apr 23, 2026 08:33 AM CT (America/Chicago)
New reporting highlighted by TechCrunch and based on Citizen Lab research points to a persistent weak point in global telecom infrastructure: surveillance vendors with privileged signaling access can allegedly track people’s phone locations across borders. The core issue is not a single mobile app vulnerability or one compromised endpoint. It is structural access to legacy telecom pathways that were designed for interoperability, not modern threat models.
According to the report, two separate surveillance vendors were observed leveraging telecom-level capabilities that can reveal where a device is, even when users have no direct relationship with the attacker. That should concern security leaders well beyond telecom operators. Many enterprises now rely on mobile identity and geolocation data for fraud controls, customer verification, logistics, and field operations. If location trust is weakened at the signaling layer, downstream decisions can also become less trustworthy.
There is also a governance angle. Organizations working with government, healthcare, finance, or critical infrastructure partners are increasingly expected to demonstrate how they evaluate third-party and fourth-party risk. The telecom signaling ecosystem often sits outside standard SaaS vendor-review playbooks, yet this story shows why it cannot remain outside scope. Compliance and privacy programs may need to explicitly map telecom dependencies, especially when operations span multiple jurisdictions.
For CISOs and risk teams, the practical takeaway is to treat mobile location as a probabilistic signal, not a perfect source of truth. Layered verification, anomaly detection, and contractual controls with carriers and identity vendors matter more than ever. Incident-response playbooks should also include telecom abuse scenarios, particularly for high-risk employees, executives, journalists, and employees traveling internationally.
Why it matters
This is a reminder that modern cyber risk is increasingly supply-chain risk at infrastructure depth. Even mature security programs can be exposed when trust assumptions about global networks are outdated.
Header image: "Computer locked" via Wikimedia Commons (CC BY 2.0).