Financial Times: US military smartphones targeted through roaming and ad tech
Contact: Lexi Kranich (814) 380-4408
WASHINGTON, D.C.—Middle Eastern mobile networks were repeatedly hit with cyber attacks to track the locations of US personnel and contractors during the Iran war, according to telecoms data and people familiar with the matter.
The prospect that adversaries were stalking US forces has alarmed some American lawmakers, who have warned roaming systems and smartphone ad tech have left the military vulnerable to attack.
The malicious tracking attempts came in the build-up to the US-Israeli assault on Iran in late February and continued in the early days of the war, when Tehran retaliated with missile and drone strikes against US forces and military installations around the region.
The data, shared with the FT by the Mobile Surveillance Monitor research project, shows regional telecom networks fending off a wave of requests, called SS7 pings. These sought to pin down the locations of specific phones roaming outside their home networks, in what two cyber security experts who reviewed the data said suggested a co-ordinated campaign.
Officials in the Gulf suspected Iran or its allies of exploiting roaming agreements with local phone providers to try to locate US personnel, one person familiar with the matter said.
Separately, a second person — a US official who spoke on the condition of anonymity — said they believed actors linked to Iran had abused commercially available advertising databases to track phones in Iraqi Kurdistan.
“Iran absolutely has capabilities to get real-time, immediate, and continuous location information,” said Gary Miller, a senior research fellow at cyber security watchdog Citizen Lab, who reviewed the data. “It would surprise me very much if Iran were not using SS7, or mobile network access in the region, to track US users.”
Tehran and Iran-backed militias hit several hotels in Iraq, Bahrain — where the US Navy’s Fifth Fleet is based — and elsewhere in the Gulf during the war, in some instances injuring US contractors and personnel.
Experts said further investigation is needed to attribute specific attacks to digital surveillance, which would be one of several intelligence streams used to find targets — from human spotters to the hotel reviews and Facebook posts that some personnel left during deployments.
But US Central Command told Congress in April that it had “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theatre”.
Ron Wyden, a Democratic senator from Oregon who has warned about both these vulnerabilities, said this would mark the first time US adversaries used commercial location data to target American personnel in war.
“For years I’ve warned both Democratic and Republican administrations about the national security threat posed by foreign adversaries tracking the phones of US personnel,” Wyden told the FT.
Centcom said it “took unprecedented force-protection measures that we are unable to discuss in order to ensure that our forces remain safe”. A US official added that “any claim suggesting data tracking played a significant role in attacks . . . is a departure from the facts”.
SS7 requests exploit a vulnerability ingrained in the early infrastructure of phone networks, allowing an operator and others with legitimate access to obtain a rough location of phones.
Iranian mobile phone providers have roaming agreements across the Gulf and the Middle East, giving them the technical ability to send SS7 pings beyond their borders.
Tehran has been reported to have used that method in the past, according to Wyden, who has cited a presentation by the Department of Homeland Security that identified Iran as among the “primary countries” using SS7 to target “US subscribers”.
At least some of the blocked tracking attempts in the data can be linked to an Iranian mobile phone operator, creating a fingerprint that matches several others, according to Miller. “This appears to be very specific user targeting,” he said. “They are targeting specific devices.”
The Iranian embassy in London did not immediately respond to a request for comment.
In several countries the US dispersed personnel to hotels and other less prominent installations in order to protect them.
In Bahrain, for example, a missile hit the Manama Crowne Plaza hotel, which received multiple contracts to provide lodging, laundry and other services to the defence department, according to a government expenditure database.
A Bahraini government spokesperson said the country’s telecoms infrastructure “remains resilient”.
“All operators . . . are required to take measures to implement the necessary controls, including firewalls and other protections,” the spokesperson said. “There are always attempts to breach network security globally.”
The suspected surveillance was not limited to this. In Iraqi Kurdistan, Iran is suspected of using commercially available software designed to provide tailored advertising to identify hotels housing US government staff and contractors, said one of the people familiar with the matter.
The abuse of ad tech is well known in national security circles, and has been used by the US for surveillance. Advertising IDs assigned to smartphones by the device manufacturer have made it possible for years to locate a specific phone or a cluster of devices.
Pat Harrigan, a Republican lawmaker from North Carolina on the House armed services committee, said he had not been briefed on specific instances when Iran had used data tracking to target US troops, but was concerned.
He is proposing legislation to stop tech companies from selling the “digitalised footprint” of US government employees.
“The capability and the threat . . . exists,” Harrigan told the FT. “If it continues to be exploited, and it’s exploited properly, it could be catastrophic.”
The US has failed to close this loophole in the phones the military issues to its own personnel, according to a 2024 review launched by the DoD’s Office of the Inspector General.
The US intelligence community had been grappling with the problem for more than a decade, said Michael Stokes, a former CIA official and vice-president at Virginia-based Veilant, which sells secure communications options.
The challenge, he said, was that digital tracking does not require the phone itself to be compromised: smartphones leak vast amounts of personal data — “a digital exhaust” — that can be analysed for location, contacts and even step counts.
He said government employees often eschewed secure phones, sometimes built for special missions or sensitive postings, for their own smartphones — or carried both — leaving a trail.
“This is a national security exposure created by unmanaged phones, commercial ad tech, location data and, of course, operational necessity colliding with the realities of the field,” Stokes said.