Wave of new cybersecurity threats
Secret cracks of mobile telephony, armies of zombie routers... new incidents and discoveries remind us again that we live in a digital ecosystem as comfortable as it is fragile
Barcelona
From somewhere in the world, someone can know at all times where you are. Not because they have infected your phone with spyware, accessed your Google Maps history, or convinced you to install anything. They only need to exploit the loopholes of an architecture designed 50 years ago to interconnect the mobile telephony networks of different countries.
The spies who live in roaming
The Citizen Lab at the University of Toronto, the same research group that in 2022 documented the espionage against Catalan independence supporters with the Pegasus software from the Israeli group NSO, has now published a report on two campaigns of surreptitious geolocation of mobile phones that exploit structural vulnerabilities in the SS7 and Diameter protocols.
SS7 is the protocol that since the 1970s has made international roaming possible: using our phone with operators from other countries. It was designed when there was trust between companies: it has no mechanism to verify where orders come from, and anyone with access to the signaling network can impersonate a legitimate operator to obtain the position of a terminal. Diameter, created for 4G, added encryption and authentication, but many operators have not activated all of its protections, and since 4G must remain compatible with previous generations, an attacker can fall back to an older protocol until one network accepts the request. On paper, 5G improves security, but most current 5G networks still rely on 4G infrastructure, and the additional protections are often optional.
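The paragraph above makes the key point: an SS7 message carries a claimed origin that nobody authenticates, so the only defence an operator has is a signaling firewall that checks each request against what it already knows about its own subscribers. The following is an added, simplified model of such a filter written for this article; it is not code from Citizen Lab, from any operator, or from the report. The MAP operation names are real, but the policy table, the country-code parsing, the distance table and the 1000 km/h plausibility threshold are my constructed assumptions, and the messages are made up to exercise each rule.

```python
"""Toy SS7 signaling filter: what a home network can and cannot check.

The calling global title (GT) in a MAP message is just a field; SS7 offers
no way to prove who really sent it. A firewall can therefore only test the
request for consistency with the operator's own subscriber state:
  1. some operations are never legitimate across an interconnect;
  2. location queries are only legitimate from the network currently
     serving the subscriber;
  3. a new location registration must be physically plausible.
All tables below are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOME_CC = "34"  # constructed: the home operator's global titles start with 34

# Constructed policy tables (my simplification, not any vendor's rule set).
NEVER_FROM_INTERCONNECT = {"anyTimeInterrogation"}
SERVING_NETWORK_ONLY = {"provideSubscriberInfo"}
MAX_SPEED_KMH = 1000.0

# Constructed, rough distances between the networks used in the demo (km).
DISTANCE_KM = {
    frozenset({"34", "44"}): 1300.0,
    frozenset({"34", "972"}): 3500.0,
    frozenset({"44", "972"}): 3600.0,
}


@dataclass(frozen=True)
class MapMessage:
    ts: float          # arrival time, seconds since epoch
    calling_gt: str    # claimed origin; the network cannot authenticate it
    opcode: str        # MAP operation name
    imsi: str          # subscriber the request concerns


@dataclass
class SubscriberState:
    serving_cc: str        # country code of the network the subscriber last registered in
    last_update_ts: float  # when that registration was accepted


def country_code(gt: str) -> str:
    """Constructed parser: codes starting with 9 are three digits, others two."""
    return gt[:3] if gt.startswith("9") else gt[:2]


def evaluate(msg: MapMessage, registry: Dict[str, SubscriberState]) -> Tuple[str, str]:
    """Return (decision, reason) and update the registry on accepted registrations."""
    origin_cc = country_code(msg.calling_gt)
    if origin_cc == HOME_CC:
        return ("allow", "internal origin")
    if msg.opcode in NEVER_FROM_INTERCONNECT:
        return ("block", f"{msg.opcode} is never accepted from an interconnect")
    sub = registry.get(msg.imsi)
    if msg.opcode in SERVING_NETWORK_ONLY:
        if sub is None or sub.serving_cc != origin_cc:
            return ("block", "location query from a network not serving this subscriber")
        return ("allow", "location query from the serving network")
    if msg.opcode == "updateLocation":
        if sub is not None and sub.serving_cc != origin_cc:
            hours = max((msg.ts - sub.last_update_ts) / 3600.0, 1e-9)
            km = DISTANCE_KM.get(frozenset({sub.serving_cc, origin_cc}), 0.0)
            if km / hours > MAX_SPEED_KMH:
                return ("block", f"implausible velocity {km / hours:.0f} km/h")
        registry[msg.imsi] = SubscriberState(origin_cc, msg.ts)
        return ("allow", "plausible location update")
    return ("allow", "no rule matched")


def run_demo() -> List[str]:
    """Constructed sequence: a home subscriber roaming in the UK is probed from abroad."""
    imsi = "214010000000001"
    t0 = 1_700_000_000.0
    registry = {imsi: SubscriberState("44", t0)}
    msgs = [
        MapMessage(t0 + 60, "447700900001", "provideSubscriberInfo", imsi),    # serving network: allow
        MapMessage(t0 + 120, "972500000001", "provideSubscriberInfo", imsi),   # not serving: block
        MapMessage(t0 + 180, "972500000001", "anyTimeInterrogation", imsi),    # never across interconnect
        MapMessage(t0 + 600, "972500000001", "updateLocation", imsi),          # UK to Israel in 10 min
        MapMessage(t0 + 5 * 3600, "972500000001", "updateLocation", imsi),     # 5 h later: plausible
        MapMessage(t0 + 5 * 3600 + 60, "972500000001", "provideSubscriberInfo", imsi),  # now serving
    ]
    return [evaluate(m, registry)[0] for m in msgs]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Note what the filter cannot do: the second and third messages are blocked only because the claimed origin is inconsistent with the subscriber's known state, not because the sender was identified. A request that arrives with the serving network's own global title spoofed passes the first two checks, which is why the article stresses that the protocol itself, not operator diligence, is the weak point.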
One of the actors, identified as STA1 in the report, is a platform linked to Circles, a company that the sector considers related to the aforementioned NSO group. The researchers assure that in November 2024 it carried out a tracking operation against a high-value target through the networks of operators from Israel and the United Kingdom, among others. A second actor (STA2) went a step further, sending SMS messages with hidden commands to the SIM card that transform the device into a localization beacon. The user sees nothing in the inbox; the mobile simply obeys and sends its location to the attacker.
The irony is that the spies exploit a flaw in the very networks that, by definition, already know where we are – they have to know at all times which antenna to route our traffic through – but which may only hand that information to the authorities under a court order.
The discovery by Citizen Lab is concerning not so much for the novelty of the vulnerabilities as for the growing sophistication of the actors exploiting them: the same operator identities are reused for years in persistent campaigns that go unnoticed. As long as there is no strict regulation and no mandatory adoption of security standards, mobile networks will remain a very practical global surveillance platform for those who know how to exploit them.
'Zombie routers' for a future war
In another area, 16 cybersecurity agencies from 10 allied states –including the Spanish National Cryptologic Centre (CCN)– have warned of another case on a very different scale. The joint alert describes an operation attributed to China-linked actors that consists of silently infecting millions of consumer devices: routers for home use, video surveillance cameras, connected appliances... The goal is not to steal data now, but to deploy a latent army.
Instead of maintaining an expensive, visible, and easily blocked attack infrastructure, these actors compromise devices that their owners never update. Each infected router becomes a node in a captive network that redirects malicious traffic and becomes invisible to traditional detection systems: when one node is blocked, another automatically replaces it. This is not an active threat, but rather preparation: in the event of a conflict, these networks could be activated to disable critical infrastructure. Your router could already be part of an arsenal available to a foreign government.
The authorities make specific recommendations to users: regularly update the software of routers and connected devices; change default passwords, those found on a sticker under the device; disable remote access if not in use; and apply the principle of "if it doesn't need to be connected, disconnect it." But it is known that few consumers are so systematic.
The authorities hold their ground
A certain comfort is that authorities can be as stubborn as attackers. To give an example, the Cybersecurity Agency of Catalonia assures that in 2025 it managed a total of 6,544 incidents against the digital infrastructure of the Generalitat – double that of the previous year – of which 26 were classified as serious. The most affected areas were universities, the healthcare sector, and the administration itself.
Another example is Europol's PowerOff operation: two weeks ago, a police action with the participation of 21 countries took down 53 domains linked to DDoS-for-hire services, platforms that let any interested client pay to paralyze a company or service. Four people were arrested and data on more than three million accounts were seized. The operation has been active since 2017 and claims to double its results with each new action. This police work functions thanks to cross-border coordination, which depends on political will. The problem is volume: attacks grow exponentially while the response moves at the pace of judicial proceedings.
Your company is spying on you
Privacy threats sometimes come from someone you know: your company. Meta Platforms has just launched the internal Model Capability Initiative (MCI) program, which captures the mouse movements, keystrokes, and screen snapshots of its employees' computers in the US to train AI agents. When a worker asked CTO Andrew Bosworth if it was possible to opt out, the answer was a resounding 'no'. The only exception is the European GDPR, which prevents the program from being applied on our continent. Experts agree that the practice is probably legal in the US, but consent obtained under threat of dismissal is not genuine.
The lesson learned: separate work life from personal life, don't check private email on your work computer, and don't leave personal files on the company server. When I was able to consult the data that some criminals stole in 2022 from the Consorci Sanitari Integral, I was more impressed by the amount of domestic information about employees (schoolwork, family vacation bookings) than by the patients' health data. They are still circulating on the dark web, available to anyone who wants to buy them.