zzz Some related new material
The EFF recently published an article about the global cellular networking system, SS7:
https://www.eff.org/deeplinks/2024/07/eff-fcc-ss7-vulnerable-and-telecoms-must-acknowledge
About location data specifically, they cite this CitizenLab report which dives into a lot of detail:
https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/
If I understand correctly, SIM location data is often sold through the "global SS7 or Diameter network backbone [...] known as the IP Exchange (IPX)".
Through IPX, SIM providers can sell Global Title (GT) leases to surveillance actors.
My understanding is that GTs can include subscription-basis access to location data.
is possible for mobile telecommunications companies to ‘lease’ access to their networks. This has the effect of significantly expanding the number of companies which may offer access to the IPX for malicious purposes. Moreover, a lessee can further sublease access to the IPX with the effect of creating further opportunities for a surveillance actor to use an IPX connection while concealing its identity through a number of leases and subleases.
In more detail, telecommunications operators in a given country apply for, and are allocated, bulk telephone number ranges according to a numbering plan as administered by their national telecommunications regulatory authority. These ranges are often used for a variety of purposes such as fixed line telephones, mobile numbers, or toll free numbers. Once the operator is allocated numbers, they can assign and use a portion of numbers as addresses, known as Global Title Addresses (GT), to equipment in their networks that are needed to operationalize domestic and international roaming with other network partners. This includes equipment such as the Visitor Location Register (VLR), Home Location Register (HLR), and other core network equipment. [...]
Focusing on HLR as an example:
The effect is twofold: first, the surveillance actors can directly request and receive geolocation information associated with the IMSI of the targeted device. Second, because the source address must be populated in signaling messages in order to route the message back to the source, it also leaves a fingerprint of the attack. This means that network firewalls operated by telecommunications providers can monitor the network from which the HLR lookup and location tracking messages were sent.
Some hearsay from CitizenLab about the monthly cost of such a subscription:
GT leasing rates have been removed from most websites due to the perceived negative implications of making networks available for a cost. However, the fees have traditionally been in the $5,000-$15,000 per month range.
Their source for that price range is a post on a freelance gig website from 2019.
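
Added example, not part of the original post or the Citizen Lab report: a sketch of the firewall-side monitoring the quoted HLR passage describes, grouping location-revealing requests by the source GT that has to be present for the reply to route back. The log format, the GT and IMSI values, the partner prefix and the operation watch list are all assumptions made for illustration.

```python
from collections import defaultdict

# MAP operations that can return a subscriber's serving node or cell (assumed watch list).
LOCATION_OPS = {"sendRoutingInfoForSM", "provideSubscriberInfo",
                "anyTimeInterrogation", "provideSubscriberLocation"}

# Constructed log lines in a hypothetical key=value format; GTs and IMSIs are made up.
SAMPLE_LOG = """\
t=10:00:01 src_gt=990010000001 op=updateLocation imsi=001010000000001
t=10:00:07 src_gt=990555000042 op=sendRoutingInfoForSM imsi=001010000000002
t=10:00:09 src_gt=990555000042 op=provideSubscriberInfo imsi=001010000000002
t=10:01:15 src_gt=990010000001 op=provideSubscriberInfo imsi=001010000000003
t=10:02:30 src_gt=990555000042 op=anyTimeInterrogation imsi=001010000000004
t=10:02:31 truncated record
t=10:03:00 src_gt=990777000009 op=sendRoutingInfoForSM imsi=001010000000002
"""

def parse_line(line):
    """Return the key=value fields of one record, or None if a required field is missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields if {"src_gt", "op", "imsi"} <= fields.keys() else None

def flag_location_queries(log, partner_prefixes):
    """Group location-revealing requests by source GT, skipping known partner ranges."""
    hits = defaultdict(lambda: {"ops": [], "imsis": set()})
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] not in LOCATION_OPS:
            continue  # malformed record, or an operation outside the watch list
        if rec["src_gt"].startswith(tuple(partner_prefixes)):
            continue  # expected roaming traffic from an agreed partner range
        hits[rec["src_gt"]]["ops"].append(rec["op"])
        hits[rec["src_gt"]]["imsis"].add(rec["imsi"])
    return dict(hits)

def lookup_then_track(hits):
    """Source GTs that sent an HLR lookup and at least one other location request."""
    return sorted(gt for gt, h in hits.items()
                  if "sendRoutingInfoForSM" in h["ops"] and len(set(h["ops"])) > 1)

if __name__ == "__main__":
    flagged = flag_location_queries(SAMPLE_LOG, ["990010"])
    for gt, h in flagged.items():
        print(gt, h["ops"], sorted(h["imsis"]))
    print("lookup followed by tracking:", lookup_then_track(flagged))
```

Because leases and subleases hide who is actually behind a GT, the per-GT grouping identifies the leased address range rather than the surveillance actor using it.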