Chinese telcos provide backbone for US allies’ mobile traffic, raising espionage concerns


A report from iVerify and other researchers found that mobile networks in countries like Japan, South Korea and New Zealand route telecom traffic through Chinese state-backed infrastructure.

Over 60 mobile operators from 35 countries, including U.S. allies and a Five Eyes intelligence partner, route sensitive mobile traffic through Chinese state-owned telecom infrastructure, exposing it to potential interception by Beijing, according to a report released Thursday.

The analysis from mobile security firm iVerify said major Chinese telecom transit providers — including China Mobile International, China Telecom Global and CITIC Telecom — facilitate possible “man in the middle” access to sensitive mobile communications in transit, even if a target is not physically using their phone within Chinese borders. Security researchers Daniel Kelley and Gary Miller also contributed findings.

“Interconnect services provided by China operators include the transport of highly sensitive signaling data used in device authentication, call setup, SMS, network location updates, setting up data sessions and transporting internet data for international travelers,” the report said.

Countries identified in the findings include close U.S. security partners like Japan, South Korea, Saudi Arabia and New Zealand, whose mobile networks were found to rely on Chinese routing infrastructure for portions of their international traffic. Taiwan, a frequent target of Chinese cyber operations, was also found to have multiple operators using Chinese-owned signaling routes.

The analysis used data from the GSM Association — a global industry organization representing mobile network operators and related firms — that was provided through the Mobile Surveillance Monitor Project, an iVerify spokesperson said. 

The report said the telecommunications nexus, as architected, could enable further Chinese spying.

“Dependencies on mobile operators and their users passing internet and communications traffic through China’s interconnect infrastructure reveal tools for state-sponsored surveillance,” it said. “Unless addressed through policy intervention, the integration of these networks into global telecom infrastructure poses a direct threat to the privacy and security of billions of mobile users worldwide.”

The technical vulnerabilities stem from long-standing telecom routing protocols — such as SS7 and Diameter — that remain widely used to enable mobile roaming but were never designed with encryption or authentication in mind.

These weaknesses, long known to telecom insiders, have been exploited by both state-sponsored threat groups and private surveillance vendors to track user locations, intercept communications and deliver spyware to targeted devices.

In several instances, iVerify found mobile operators that rely on both Chinese interconnect providers and core networking equipment from Huawei or ZTE — two vendors barred from doing business in the U.S. by the Federal Communications Commission. One such operator, Tampnet, serves the maritime communication needs of offshore oil platforms and was found to use Huawei equipment to manage subscriber data and routing.

The findings come amid heightened U.S. efforts to scrutinize Chinese technology and telecom firms’ linkages to domestic critical infrastructure. The FCC said last month that it’s probing a group of Chinese communications providers that the agency says could still be operating in the U.S. despite prior restrictions being levied on them. Huawei and ZTE are among those being investigated.

Telecom security became top-of-mind last year following the discovery of a vast hacking campaign deployed by Salt Typhoon, a Chinese cyberespionage unit, which burrowed into the systems of dozens of telecom companies in the U.S. and around the world.

In response to the Salt Typhoon intrusions, the Commerce Department moved to jettison the remaining American operating units of China Telecom, the New York Times reported in December. The current status of those actions isn’t clear.