China may have found a backdoor to track the phones of Americans traveling abroad, exploiting signals from phone networks in the Caribbean to potentially track U.S. phones and intercept their messages.
Gary Miller, a Washington state-based former mobile network security executive, described China’s surveillance behavior in an interview with The Guardian, the newspaper reported Tuesday.
Miller said he believes China has routed mobile signaling messages through Cable & Wireless Communications (Flow) in Barbados and Bahamas Telecommunications Company (BTC) to primarily target U.S. mobile users traveling abroad.
Phone users are not aware of the signaling messages being sent to their mobile devices, but telecoms operators across the global network use these messages to locate mobile phones, link mobile phone users to one another and assess roaming charges. Miller told the Guardian that these signaling messages can also be used for more nefarious purposes, including allowing China to track, monitor, or intercept mobile phone users' communications. The potential misuse of signaling messages is a decades-old vulnerability for mobile networks, according to the Guardian.
“Government agencies and Congress have been aware of public mobile network vulnerabilities for years,” Miller said. “Security recommendations made by our government have not been followed and are not sufficient to stop attackers.”
Miller said that in 2018, China conducted the largest number of apparent surveillance efforts using these signaling messages. He said many of the attacks were routed through China Unicom, a Chinese state-operated telecommunications company, to U.S. 3G and 4G mobile networks. The high number of signaling messages routed through the Chinese state-operated company could be indicative of an espionage effort.
While Miller observed this high number of signaling message efforts through China in 2018, China appeared to significantly reduce those signaling message efforts in 2019. At the same time China lowered its signaling messages, the Caribbean island nation of Barbados displayed a sharp increase in signaling messages to 3G networks.
“China reduced attack volumes in 2019, favoring more targeted espionage and likely using proxy networks in the Caribbean to conduct its attacks, having close ties in both trade and technology investment,” Miller told the Guardian.
It is unclear how many U.S. phone users may have been targeted through Chinese and Caribbean signaling messages in 2018 and 2019, but Miller said he believes tens of thousands of U.S. mobile users were targeted by the surveillance efforts directed by China from 2018 to 2020.
Miller said signaling messages sent to tens of thousands of phone users qualify as mass surveillance, whereas signaling messages to only a few users would be more indicative of an effort to specifically target one or two high-profile individuals.
Miller said there were some instances where the same users who were targeted by China Unicom were also simultaneously targeted by the two Caribbean-based telecoms companies. Miller said those instances of dual targeting occurred dozens of times over a one- to two-month period, which Miller said is a “strong and clear” indication that those phone users were targeted with coordinated attacks, rather than general mass surveillance efforts.
U.S. phone companies have the ability to block China’s surveillance efforts through these signaling messages, but Miller said they have made few efforts to do so.
Miller also said, “No one in the industry wants the public to know the severity of ongoing surveillance attacks. I want the public to know about it.”
The U.S. has been increasingly concerned with Chinese efforts to exploit the vulnerabilities of mobile networks and apps to spy on people. The popular video-sharing app TikTok, operated by the Chinese-owned company ByteDance, reportedly circumvented Google’s limits on how apps track user data and gathered the media access control (MAC) addresses of its Android app users. MAC addresses are considered personally identifiable information, as defined under the Children’s Online Privacy Protection Act.