Iran Used Mobile Networks, Ad Tech to Track US Troops in Mideast
Iran-linked actors allegedly tracked US military personnel in the Middle East by exploiting vulnerabilities in mobile roaming networks (SS7) and commercial ad tech. This cyber operation, revealed by the Mobile Surveillance Monitor project, occurred during a recent US-Iran conflict, raising significant concerns about military security and digital surveillance in modern warfare.
Key Highlights
- Iran-linked actors tracked US troops via mobile networks.
- Exploited SS7 protocol vulnerabilities and ad tech data.
- Surveillance occurred during US-Iran conflict in Middle East.
- Mobile Surveillance Monitor project revealed the data.
- US officials acknowledged threats, lawmakers raised security concerns.
- Operation highlights new cyber warfare dimension.
A significant cyber-enabled surveillance campaign, reportedly linked to Iran, targeted US military personnel and contractors across the Middle East by exploiting vulnerabilities in global telecommunications networks and commercial advertising technology. This high-stakes operation, first brought to light by reports citing data from the Mobile Surveillance Monitor research initiative, occurred in the weeks leading up to and during a recent US-Israeli military operation against Iran in late February and continued as Tehran launched retaliatory missile and drone attacks on American military installations across the region.
The alleged surveillance primarily leveraged two methods. Firstly, Iranian-linked actors exploited weaknesses in the Signalling System No. 7 (SS7) protocol. SS7 is a decades-old telecommunications protocol, introduced in the 1970s, that facilitates the exchange of information between mobile operators, particularly when subscribers roam outside their home networks. Cybersecurity experts and data from the Mobile Surveillance Monitor project revealed a surge in suspicious 'SS7 pings' across Middle Eastern cellular networks. These specific network requests exploit known vulnerabilities in the legacy cellular infrastructure, allowing entities with legitimate network access—such as Iranian telecom operators with roaming agreements across the Gulf—to determine the approximate geographical coordinates of roaming devices. According to Gary Miller, a senior research fellow at the cybersecurity watchdog Citizen Lab, who reviewed parts of the telecom data, the volume and pattern of these requests indicated a coordinated campaign aimed at identifying specific devices rather than random activity. Miller stated that "Iran absolutely has capabilities to get real-time, immediate, and continuous location information" and expressed little surprise if Iran were using SS7 or regional mobile network access to track US users.
Secondly, the surveillance extended beyond structural network flaws to include the exploitation of commercial advertising databases. American officials indicated that Iranian operatives exploited these databases to track smartphones, particularly in Iraqi Kurdistan. Advertising technology assigns unique identification numbers to mobile devices and routinely collects location information for targeted advertisements. This data can be purchased or accessed to monitor specific handsets or hardware clusters without directly compromising the devices themselves. This method allowed for the tracking of personnel even when they might have been staying in commercial hotels, a tactic reportedly used by US Central Command to mitigate operational risks, but which inadvertently created a new vulnerability.
The surveillance campaign unfolded in the weeks prior to and during the US-Israeli offensive against Iran in late February 2026, continuing into the early days of the conflict when Iran launched drone and missile bombardments on American military installations. While investigators have not established a direct connection between the digital surveillance and any specific missile or drone strike, several attacks during the conflict targeted hotels and civilian lodgings in Iraq, Bahrain (home to the US Navy's Fifth Fleet), and other Gulf locations where American military personnel and contractors were known to be present. This raises concerns that digital tracking may have aided Iranian targeting efforts, despite a US official anonymously telling the Financial Times that data tracking was not a significant factor in the strikes.
US Central Command (CENTCOM) informed Congress in April 2026 of multiple intelligence reports detailing adversaries' exploitation of commercial location data to target or surveil US personnel in the theater. CENTCOM affirmed it implemented enhanced force-protection measures to safeguard personnel, but US lawmakers, including Senator Ron Wyden and Republican Congressman Pat Harrigan, have repeatedly warned about the national security threat posed by foreign adversaries tracking the phones of US personnel. Senator Wyden noted this incident represents the first known instance of hostile forces using commercial location data against American troops in a combat zone. A 2024 Defense Department inspector general review had already concluded that the US military failed to fully secure its government-issued mobile devices, and experts like Michael Stokes, a former CIA official, highlighted that personnel frequently carry personal smartphones into operational environments, generating a highly trackable digital footprint. This underscores a critical vulnerability in modern military operations where the digital exhaust from personal devices can be weaponized.
Cybersecurity experts view this operation as demonstrating a significant evolution in Tehran's cyberwarfare capabilities, reflecting an increasing ability to combine cyber tools with conventional military strategy, thereby creating new risks for US personnel deployed within range of Iranian missiles. The reported use of telecommunications infrastructure to identify potential targets underscores the growing importance of cyberwarfare in the broader confrontation between Washington and Tehran. The implications are global, as it highlights a pervasive vulnerability in the global mobile network infrastructure (SS7) and the widespread commercial data ecosystem that affects anyone with a smartphone, especially those in sensitive positions.
The revelations have intensified calls for stricter personal device controls at forward operating bases and accelerated efforts to retire aging 2G and 3G infrastructure, which are more susceptible to SS7 exploits. For an Indian audience, this news is highly relevant as it highlights the pervasive nature of digital surveillance and the vulnerabilities present in commercial mobile technologies, which could potentially be exploited by hostile state actors against Indian personnel or citizens abroad. It also emphasizes the evolving landscape of modern warfare, where cyber capabilities play a crucial, asymmetric role.
Frequently Asked Questions
How did Iran allegedly track US military personnel?
Iran-linked actors allegedly tracked US military personnel by exploiting vulnerabilities in the Signalling System No. 7 (SS7) protocol used in global mobile networks and by leveraging commercially available smartphone advertising data. This allowed them to ascertain the approximate locations of mobile devices.
What are SS7 vulnerabilities and how were they exploited?
SS7 (Signalling System No. 7) is an older telecommunications protocol with known security weaknesses. By sending 'SS7 pings' through regional mobile networks, actors could exploit these flaws to request and receive location information for roaming phones without the user's knowledge, providing approximate geographical coordinates.
What role did commercial ad tech play in the surveillance?
Commercial advertising technology collects vast amounts of location data from smartphones for targeted advertising. Iranian operatives allegedly exploited or accessed these commercially available databases, using unique advertising identifiers to monitor the movements of specific smartphones carried by US military personnel.
Has the US military addressed these vulnerabilities?
US Central Command acknowledged receiving threat reports and implemented enhanced force-protection measures. However, US lawmakers and a 2024 Pentagon review indicated that the military has not fully addressed security vulnerabilities related to government-issued and personal smartphones used by service members.
What are the broader implications of this type of cyber operation?
This operation highlights the evolving nature of modern warfare, where cyber capabilities are integrated with conventional military strategy. It underscores significant national security risks posed by the pervasive vulnerabilities in global mobile networks and commercial data ecosystems, affecting military personnel and potentially civilians worldwide.