In a new article published via Medium, Gabriel Geiger and Crofton Black of Lighthouse Reports have elaborated on their recent research into the murky world of telecoms intermediaries. Their analysis is based on 100 million packets of SS7 signaling data leaked from Fink Telecom Services (FTS), a comms provider associated with surveillance services. The data represented traffic conveyed over the course of a single week. Geiger and Black discovered the following about the SMS messages included within the leaked data.
- There was extensive use of malformed packets that were presumably intended to slip through firewalls and thus deliver an SMS message without incurring a charge.
- Such malformed packets were used for SMS messages from some of the world’s best-known online brands, including Google, TikTok, Signal and WhatsApp.
- A European surveillance business routinely used unencrypted SMS messages to communicate updates about the movements of people they were tracking.
The leaked data also included about 150 attempts to determine the location of specific phone users by pinging the user’s Cell ID. Some of these packets were also malformed; it is safe to assume this was also motivated by a desire to defeat firewalls implemented by telcos. One of the people whose location was determined using this method is an employee of a business that sells the ability to locate phone users using SS7. That might have been an instance of the business verifying that their surveillance technique delivers accurate results.
More naive readers of Commsrisk may be shocked at the extent to which the world’s richest companies rely on dodgy providers of comms services; other readers will be pleased that the truth is finally being made public through research like this. The data included in this analysis covered several hundred thousand SMS messages sent for two-factor authentication (2FA). Per the Sender IDs used for these messages:
- 100,000 SMS messages went sent by Google to communicate 2FA codes and password reset notifications. These were sent to phone users across 80 countries.
- 50,000 2FA messages were sent for Meta’s Facebook, Instagram and WhatsApp services. These were sent to phone users across 90 countries.
- 40,000 2FA messages were sent by Tinder to users across 90 countries.
- There were also many thousands of 2FA codes for LinkedIn, Uber, Signal, TikTok and Revolut.
- In addition to the 2FA codes, other SMS messages included the details of bank transfers and online purchases.
Industry insiders know that many of the businesses which send large volumes of SMS messages are so fixated on getting the cheapest possible price that they absolve themselves of responsibility when corners are cut by the comms providers they use. It does not help that industry self-regulation of bulk SMS messaging has been such a conspicuous sham. It will be up to big businesses to drive change by being more selective when choosing who will provide them with comms services. For example, Meta told Geiger and Black that they “had reminded partners of contractual obligations to ensure privacy and security when delivering SMS messages to Meta users” and they “had notified its partners they shouldn’t subcontract or otherwise engage with Fink Telecom when providing services to Meta or any of its affiliates”. The authors are too polite to make the observation, but the silence from Google was deafening, not least because Google was sending twice as many messages via FTS than Meta.
“Using leaked data to examine vulnerabilities in SMS routing and SS7 signalling” By Gabriel Geiger and Crofton Black is available here.



