A new attack technique is exposing just how vulnerable global mobile networks remain in 2025. Cybersecurity firm Enea has discovered a surveillance operation that bypasses SS7 firewalls by exploiting a subtle weakness in the TCAP encoding layer—allowing stealth location tracking of mobile users across borders.
The method? Tampering with the IMSI field in ProvideSubscriberInfo (PSI) requests to hide it from detection. Many mobile operators’ SS7 stacks simply fail to decode the malformed tag, allowing unauthorized tracking messages to pass security controls.
In this episode, we cover:
- The technical anatomy of the IMSI hiding exploit
- How this attack evades standard SS7 security checks
- The surveillance firms and platforms involved—WODEN, ASMAN, HURACAN, and others
- Broader SS7 weaknesses: lack of encryption, lack of authentication, and global trust architecture
- The disturbing truth: most mobile networks still depend on legacy protocols from the 1970s
- Why users can’t opt out—and no app can protect you
We also examine the countermeasures: advanced signaling firewalls, protocol filtering, and TCAP signing. And we look at why, even now, SS7 remains irreplaceable due to the persistence of 2G/3G roaming infrastructure.
This isn’t a theoretical vulnerability—it’s a real-world surveillance method in use today, targeting phones across continents without users ever knowing.