Researchers at the University of Toronto's Citizen Lab have mapped the customers of Circles, a surveillance company that exploits weaknesses in the global mobile phone interconnection systems to spy on people without hacking their devices.
By network fingerprinting firewalls made by security vendor Check Point and used by Circles, Citizen Lab researchers were able to identify 252 internet protocol addresses in 50 autonomous systems (ASNs) around the world.
A total of 25 governments were identified across the 50 ASNs, among them Australia, Citizen Lab said.
Citizen Lab was not able to identify the operator of the single system it found in Australia, but noted that it is hosted on Optus and TPG networks that the MaxMind geolocation service places in Canberra.
Circles is affiliated with controversial spyware vendor NSO Group, which develops the Pegasus malware thought to have been used in the grisly murder of United States journalist Jamal Khashoggi by a Saudi Arabian government hit squad.
Many of the governments identified by Citizen Lab as potential Circles customers have a long history of harsh suppression of dissidents and journalists, human rights abuses and covert surveillance.
Chile's national police agency, the Carabineros, for example, illegally intercepted phone and WhatsApp calls and Telegram messages of journalists.
Some Carabinero officials were prosecuted for planting false evidence on the leaders of the indigenous Mapuche movement.
Mexico, Morocco, and Thailand were also singled out for torture, murders, disappearances and other abuses by government agencies and security forces.
Unlike NSO Group, which tries to plant its spyware on targets' phones, Circles is said to exploit weaknesses and the lack of authentication in the ageing Signalling System 7 (SS7), which handles call setup and routing between telcos worldwide.
SS7 is used for the older 2G and 3G GSM mobile networks, and it allows attackers who interconnect with the network to conduct surveillance, location tracking and interception of short message service (SMS) codes used for two-factor authentication.
Voice calls can also be intercepted via SS7 attacks, which Citizen Lab said are tricky to block as it is challenging and expensive for telcos to distinguish between malicious and genuine subscriber traffic.
The researchers noted that while newer 4G mobile networks use the Diameter protocol, which supports authentication and access control, these restriction features are optional.
Diameter networks also interconnect with SS7 networks, which introduces security issues, and Citizen Lab pointed to research suggesting that 5G technology could inherit the same risks as the older systems because of interoperability requirements.
Citizen Lab suggested that telcos analyse traffic from countries with Circles deployments for patterns of abuse, and try to address vulnerabilities in SS7 and Diameter.
High-risk users should migrate away from SMS-based two-factor authentication, and enable security codes and passwords for third-party apps such as Signal and WhatsApp, Citizen Lab said.