Inside the Mobile Network Backdoor Iran Used to Track US Troops

Inside the Mobile Network Backdoor Iran Used to Track US Troops

When the joint US-Israeli air campaign against Iran commenced at the end of February 2026, the real-time location of US military personnel and contractors in the Middle East was already flashing on monitors in Tehran. They did not need to hack the Pentagon, nor did they require sophisticated military-grade spyware to penetrate secure devices. Instead, Iranian intelligence exploited a decades-old vulnerability built into the very plumbing of global telecommunications, combined with the unregulated, hyper-precise tracking data generated by smartphone advertising software.

This systematic exploitation was exposed through telecom traffic logs analyzed by the Mobile Surveillance Monitor research group. The data revealed an unprecedented surge in specific, targeted location requests directed at US troops and contractors roaming on Middle Eastern mobile networks during the build-up and early phases of the conflict. While Washington spends billions of dollars hardening tactical communication channels, the commercial smartphones resting in the pockets of its personnel have become an open backdoor. This vulnerability allows adversaries to pinpoint troop locations, map out contractor lodging, and potentially feed targeting data directly to drone and missile units.

The Flaw in the Global Roaming Machine

The primary vector for this tracking campaign relies on Signalling System No. 7, commonly known as SS7. Designed in the 1970s, SS7 is the foundational protocol that allows different global carrier networks to talk to one another. Its primary job is to route calls and text messages, and critically, to manage roaming. When you step off a plane in Bahrain or Iraq and turn on your phone, your home network needs to know where you are to route your calls. To do this, networks query each other using SS7 packets.

The fundamental problem with SS7 is trust. The protocol was built for an era when only a handful of state-controlled telecom monopolies existed. It does not authenticate who is sending the request. If an operator has access to the SS7 network, the system assumes their queries are legitimate.

Iranian mobile operators, which maintain standard roaming agreements with carriers across the Persian Gulf and the wider Middle East, possess this access. During the early stages of the 2026 conflict, Middle Eastern telecom networks fended off a massive wave of what researchers call SS7 pings—queries designed to locate specific international phone numbers.

These were not random, automated network scans. According to Gary Miller, a senior research fellow at Citizen Lab and founder of the Mobile Surveillance Monitor, the traffic showed a distinct technical fingerprint linked to an Iranian mobile operator. The queries specifically targeted individual devices belonging to US military personnel and defense contractors.

When a phone receives an SS7 ping, it does not ring, show a notification, or leave any trace on the user's screen. The local network simply answers the query, providing the cell tower coordinates currently serving the device. For an adversary, this means continuous, real-time tracking of a target's position down to a specific base, street, or building.

The Ad-Tech Intelligence Pipeline

Where the aging infrastructure of SS7 ends, the highly modern, commercial advertising ecosystem begins.

In regions like Iraqi Kurdistan, where direct SS7 targeting faced technical blockades by local telecom operators, Iran-linked actors relied on a different tracking method: Mobile Advertising IDs.

Every modern iOS and Android device generates a unique, anonymous alphanumeric string used by advertisers to track user behavior across apps. This identifier is broadcast to ad exchanges thousands of times a day, bundled alongside GPS coordinates, device models, and local Wi-Fi connection data.

This mechanism allows commercial software to aggregate and sell location histories on the open market. US intelligence agencies have used this exact method for years to track targets abroad. Now, foreign adversaries are using the same commercial databases against the US.

In northern Iraq, actors tied to Tehran used commercial advertising databases to identify and monitor specific hotels and residential compounds housing US government employees and military contractors. By drawing virtual boundaries—geofences—around these locations, they harvested the unique advertising IDs of the smartphones inside. Once an ID is associated with a specific individual, that target can be tracked wherever they travel, long after they leave the base.

A Failure of Operational Security

The vulnerability is not a secret. For over a decade, cybersecurity watchdogs and members of Congress, such as Senator Ron Wyden, have warned successive administrations about the threat posed by SS7 exploitation and unregulated commercial location data. Yet, the Pentagon has struggled to enforce strict device policies in active theaters of operation.

US Central Command acknowledged the threat in an April 2026 report to Congress, stating it had received multiple reports of adversaries exploiting commercial data to target US personnel. CENTCOM claims to have implemented unprecedented force-protection measures to mitigate the threat. However, completely securing a modern military force from these vectors is nearly impossible under current rules.

Soldiers, contractors, and logistical personnel routinely carry personal smartphones alongside their issued, secure communication gear. Operational necessity often requires local coordination, forcing personnel to connect to local networks or use commercial transit apps. The resulting digital exhaust is a permanent vulnerability. Even if a soldier turns off location services, the underlying SS7 roaming protocol still transmits the phone's approximate location to the nearest cell tower just to maintain a connection.

While US officials publicly downplay the idea that this digital tracking directly led to successful missile or drone strikes on Gulf bases, the correlation is difficult to ignore. During the conflict, Iranian drone and missile strikes hit several hotels and civilian locations across Iraq, Bahrain, and other Gulf states where US personnel were known to reside.

Closing the Roaming Loophole

Fixing this exposure requires addressing two highly distinct, highly stubborn industries: global telecommunications and the unregulated data broker market.

On the telecom front, the transition to 5G networks offers some security improvements, but the legacy SS7 and Diameter protocols used for 3G and 4G roaming will remain active for years to support global backward compatibility. Local telecom operators in allied countries must implement strict signaling firewalls to filter out suspicious location queries from foreign carriers.

On the domestic front, legislative efforts to stop the bleeding have repeatedly stalled. Representative Pat Harrigan has proposed legislation to prevent tech companies from selling the location and digital footprint data of US government and military personnel. But until the sale of commercial location data is outright banned or heavily restricted, foreign intelligence agencies will continue to buy their way into the pockets of American troops.

The battlefield is no longer defined strictly by physical perimeters. As long as personal mobile devices remain active in conflict zones, the network infrastructure we take for granted will remain a potent, low-cost weapon for our adversaries.

JH

James Henderson

James Henderson combines academic expertise with journalistic flair, crafting stories that resonate with both experts and general readers alike.