
Over the last few years, telecom security has received increased attention following incidents like Salt Typhoon and growing concerns around state-sponsored access to communications infrastructure. While that attention is warranted, one thing I've learned over years of researching telecom threats is that these activities don't suddenly appear when they make the news.
They're happening all the time.
The challenge is that most of this activity occurs inside infrastructure that was never designed to be visible to end users, or to the organizations being targeted. Unlike traditional cyber threats, which arrive over public networks and generate alerts, logs, or forensic artifacts on a device, telecom-based surveillance occurs within private mobile network infrastructure.
That visibility gap is what concerns me most.
For years, discussions around telecom security focused on vulnerabilities in signaling protocols such as SS7 and Diameter. Researchers, operators, and security vendors understood that the weaknesses existed, but they were often treated as largely theoretical because operators lacked the means to detect and measure exploitation in their own networks.
Today, we know that isn't the case.
Research published by Citizen Lab and others continues to demonstrate that sophisticated actors actively leverage telecom infrastructure to support surveillance operations. What makes these operations particularly difficult to understand is that the networks and their underlying ecosystem are complex and private. Access is limited. Data collection is challenging. Attribution takes time.
In many ways, telecom threat research requires a different mindset than traditional cybersecurity research. You're dealing with different protocols, different operational models, and entirely different sources of evidence. Progress is often measured in months rather than days.
But when enough evidence is collected, a clearer picture begins to emerge.
And that picture should concern enterprise security leaders.
The Network Knows More About Your Device Than Your Device Does
One of the biggest misconceptions in mobile security is that all meaningful activity occurs on the device.
In reality, a significant amount of private information about a mobile user exists within carrier infrastructure. Telecom networks continuously maintain information about subscriber identity, device connectivity, service usage and communications, roaming status, and location.
That information is necessary for the network to function. The problem is that an actor who gains access to telecom infrastructure gains access to information and capabilities that are invisible to the user.
Location tracking is one of the most common examples.
When people think about location surveillance, they often think about malware or spyware installed on a device. But there are forms of location tracking that occur entirely within telecom infrastructure. To route calls and messages, the network must always know which serving node and cell a device is attached to, and that record is updated as the device moves. For a sophisticated actor operating within telecom infrastructure, that information becomes a goldmine of surveillance data.
The mission is straightforward: determine the mobile network identifier of the target, where they are, where they're going, and what they're doing right now. That is very different from the way most organizations think about mobile security.
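To make the network-side view concrete, here is an added example (not code from iVerify or from the original post) of the kind of screening an operator-side signaling firewall applies to inbound SS7/MAP traffic: location-disclosing operations are refused outright at the interconnect, and location updates from roaming partners are checked for physical plausibility against the subscriber's last accepted location. The record layout, operation names, category assignment, roaming-partner table and coordinates are all assumptions chosen for illustration.

```python
"""Toy interconnect screening over constructed SS7/MAP event records.

Added example, not iVerify code. The record layout, the operation-to-category
assignment, the roaming-partner table and the coordinates are assumptions made
for illustration; a real signaling firewall derives them from the operator's
own roaming agreements and GSMA FS.11-style screening guidance.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Operations that disclose a subscriber's location or identity to the sender
# and have no legitimate reason to arrive over the interconnect (assumed set).
CATEGORY1_BLOCK = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIMSI"}

# Operations a visited network legitimately sends for an outbound roamer, but
# which must pass a plausibility check on the claimed location (assumed set).
CATEGORY3_CHECK = {"updateLocation", "sendAuthenticationInfo"}

# Assumed roaming partners: SCCP global-title prefix -> ISO country code.
ROAMING_PARTNERS = {"4477": "GB", "33": "FR", "49": "DE"}

# Constructed, approximate coordinates used for the velocity check.
COUNTRY_COORDS = {"GB": (51.5, -0.1), "FR": (48.9, 2.4), "DE": (52.5, 13.4)}

MAX_SPEED_KMH = 1000.0  # faster than an airliner: the move is implausible


@dataclass
class MapEvent:
    ts: datetime
    opcode: str
    calling_gt: str                        # SCCP calling-party global title
    imsi: str
    claimed_country: Optional[str] = None  # updateLocation: country of new VLR


@dataclass
class SubscriberState:
    country: str
    seen_at: datetime


def partner_country(gt: str) -> Optional[str]:
    """Map a calling global title to a known roaming partner, else None."""
    for prefix, cc in ROAMING_PARTNERS.items():
        if gt.startswith(prefix):
            return cc
    return None


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def screen(ev: MapEvent, state: Dict[str, SubscriberState]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'alert' or 'allow'.

    `state` holds the last accepted location per IMSI and is updated only when
    an event is allowed, so an implausible update cannot poison later checks.
    """
    if ev.opcode in CATEGORY1_BLOCK:
        return "block", f"{ev.opcode} must never arrive over the interconnect"
    origin = partner_country(ev.calling_gt)
    if origin is None:
        return "block", f"unknown global title {ev.calling_gt}"
    if ev.opcode in CATEGORY3_CHECK:
        claimed = ev.claimed_country or origin
        if claimed != origin:
            return "alert", f"claimed VLR country {claimed} differs from sender {origin}"
        prev = state.get(ev.imsi)
        if prev is not None and prev.country != claimed:
            hours = (ev.ts - prev.seen_at).total_seconds() / 3600.0
            dist = haversine_km(COUNTRY_COORDS[prev.country], COUNTRY_COORDS[claimed])
            if hours <= 0 or dist / hours > MAX_SPEED_KMH:
                return "alert", f"implausible move {prev.country}->{claimed} in {hours:.2f}h"
        state[ev.imsi] = SubscriberState(claimed, ev.ts)
    return "allow", "ok"


# Constructed sample: one subscriber, five signaling events on one day.
T = datetime(2024, 5, 1, 10, 0)
SAMPLE_EVENTS: List[MapEvent] = [
    MapEvent(T, "updateLocation", "447700900001", "234150000000001", "GB"),
    MapEvent(T.replace(minute=5), "anyTimeInterrogation", "447700900001", "234150000000001"),
    MapEvent(T.replace(hour=12), "updateLocation", "33600000001", "234150000000001", "FR"),
    MapEvent(T.replace(hour=12, minute=10), "updateLocation", "4915000000001", "234150000000001", "DE"),
    MapEvent(T.replace(hour=13), "updateLocation", "1555000001", "234150000000001", "US"),
]


def run_sample() -> List[Tuple[str, str]]:
    """Replay the constructed events through the screen with fresh state."""
    state: Dict[str, SubscriberState] = {}
    return [screen(ev, state) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, (verdict, reason) in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ev.ts:%H:%M} {ev.opcode:<22} {verdict:<5} {reason}")
```

Run it directly to see a verdict for each constructed event. The point of the sample is that the `anyTimeInterrogation` query and the ten-minute Paris-to-Berlin hop are visible only in the operator's signaling records; nothing on the handset changes, so no MDM or device-side agent has anything to observe.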
Why Traditional Mobile Security Doesn't See Everything
When I speak with enterprise security teams, one of the most common assumptions I encounter is that mobile risk begins and ends with the device.
Organizations deploy MDM platforms and mobile threat defense solutions, and they enforce device policies and compliance controls. But telecom-layer threats highlight an uncomfortable reality: not every mobile threat touches the device in a way that traditional security controls can detect.
Some telecom-based attacks occur entirely within signaling infrastructure and network systems. Others interact with the baseband or with layers of the device stack that are beyond the reach of traditional security products. Sophisticated surveillance actors operate across both environments simultaneously: they leverage telecom infrastructure for visibility and intelligence gathering while also pursuing opportunities for device-level compromise to achieve their operational goals.
From a defensive perspective, the lesson is clear.
Device visibility matters.
Network visibility matters.
Threat intelligence matters.
Organizations that understand all three are generally in a much better position to understand their overall risk.
Geography Matters More Than Most Organizations Realize
One finding that emerges from telecom threat research is the geographic nature of risk.
The telecom surveillance landscape is inherently geographic. Not all operators are the same, nor are their international roaming partners. Exposure is driven by differences in supply chain vendors, interconnection relationships, regulatory oversight, and the level of threat actor activity in each country.
As attack sources are identified, concentrations of surveillance activity are mapped, and attribution is established, patterns begin to emerge. And those patterns have practical implications for enterprises seeking to manage their risk exposure.
If your organization has employees who travel internationally, maintains operations in multiple countries, or supports personnel working in sensitive regions, understanding telecom-related risks becomes increasingly important.
Historically, many organizations viewed telecom surveillance as a concern primarily for diplomats, intelligence personnel, or senior executives. But that perspective is increasingly outdated. The question is rarely whether someone holds an executive title. It’s whether they possess information, access, relationships, or visibility that makes them valuable to an adversary.
The targets we observe are often much broader. Security professionals, government employees, financial services personnel, critical infrastructure operators, journalists, activists, and employees working in sensitive industries may all become targets depending on the objectives of the actor involved.
Telecom Supply Chain Risk Is Real
Telecom security discussions often focus on threat actors, but another important consideration is the infrastructure itself.
Telecom networks rely on complex supply chains involving hardware vendors, software providers, managed services, and third-party support organizations. Like any other critical infrastructure environment, those relationships introduce risk.
Over the last several years, concerns about infrastructure vendors, supply chain exposure, and how much control operators actually retain over vendor access to their networks have become increasingly prominent. Governments around the world have debated the risks associated with specific telecom equipment providers, while operators have been forced to weigh security alongside cost and operational requirements.
For enterprises, this introduces another layer of complexity.
Organizations operating internationally often have little visibility into, and no control over, the infrastructure choices made by local operators. Employees may purchase services from carriers based solely on coverage, pricing, or convenience without understanding the underlying risk profile of those networks.
Threat intelligence can help provide context here as well. Understanding operator exposure, infrastructure vendors, network interconnect partners, geographic risk, and known threat activity can help organizations make more informed decisions about connectivity and travel.
Perfect security does not exist, but informed risk management is always preferable to operating blindly.
We've Made Progress, But The Threats Haven't Gone Away
I often describe telecom security several years ago as the Wild West. There was growing awareness that significant threats existed, but limited visibility into the scale of the problem, a lack of accountability, and inadequate regulatory oversight left operators with few options to counter them.
As industry focus on security increased, operators began deploying signaling firewalls and investing more heavily in security controls. Threat visibility was vastly improved, and operators deployed effective countermeasures. Today, operators are far more security-conscious than they were five or six years ago, and that's a positive development. However, at the same time, threat actors continued to evolve.
The underlying protocols still exist, as do the financial incentives for commercial surveillance vendors. Sophisticated actors continue to look for opportunities to gain access into operator infrastructure.
Like every other area of cybersecurity, telecom security remains an ongoing contest between defenders and adversaries. The difference is that most people never see that contest taking place.
Turning Telecom Intelligence Into Action
For CISOs and security leaders, the goal should not be to become experts in telecom signaling protocols. Most organizations simply don't have the resources, relationships, or personnel to build those capabilities in-house. Instead, the focus should be on visibility.
What type of threats are happening, and what are the patterns?
When and where are they occurring?
Which operators, networks, and regions are associated with elevated risk?
How does that risk affect employees, executives, travelers, and business operations?
These are ultimately intelligence questions.
The more visibility organizations have into telecom threats, the better positioned they are to make informed decisions about travel, connectivity, mobile security controls, and incident response.
This is one of the reasons telecom intelligence has become an increasingly important component of the broader mobile security conversation. Without visibility, organizations are forced to make decisions based on assumptions. With visibility, they can make decisions based on evidence.
What CISOs Should Do Next
The most important takeaway I have from years of telecom threat research is simple.
You cannot protect against threats you cannot see.
Mobile security is not solely a device problem, nor solely a network problem or an identity problem. It is a combination of all three.
There is still significant work ahead, but for CISOs and threat intelligence teams looking to strengthen their mobile security programs, the starting point remains the same as it has always been: Gain visibility first.
Everything else follows from there.
Learn More
iVerify Threat Intelligence helps organizations understand telecom-layer threats, operator risk, geographic exposure, and mobile surveillance activity through intelligence built specifically for today's mobile threat landscape. Talk to us to learn more.