Saudi Arabia may be spying on its citizens via US mobile networks

Its telecoms are requesting suspicious amounts of data from US mobile carriers.

Data shared by a whistleblower suggests Saudi Arabia may be using a weakness in mobile telecom networks to track its citizens in the US, The Guardian reports. The data shows that over a four-month period, Saudi Arabia's three biggest mobile phone companies sent 2.3 million requests for Provider Subscriber Information (PSI). Normally, that data is used to help foreign operators register roaming charges, but the high volume of requests could also give the Saudi telecoms enough info to track users within hundreds of meters of accuracy.

This takes advantage of long-standing vulnerabilities in a global messaging system called SS7, which routes mobile calls when a user from one country is traveling in another. According to the data shared with The Guardian, the Saudi telecoms sent millions of these PSI SS7 requests to US carriers, including AT&T, T-Mobile and Verizon (Engadget's parent company) between November 2019 and March 1st -- sometimes requesting data as often as two to 13 times per hour.

It isn't clear if the Saudi telecoms were spying on behalf of the government, but the kingdom doesn't have the best track record. Earlier this year, The Guardian reported that Amazon's Jeff Bezos's phone was hacked via a WhatsApp message from the personal account of Prince Mohammed. Twitter has banned thousands of accounts linked with a state-backed effort to promote the Saudi government's message, and the Department of Justice has charged former Twitter employees with spying for Saudi Arabia.

"I think they are surveilling not only those they know are dissidents, but those they fear may deviate from the Saudi leadership," Andrew Miller, a Middle East expert and former member of Barack Obama's national security council, told The Guardian. "They are particularly worried about what Saudi nationals will do when they are in western countries."

Ron Wyden, a Democratic senator from Oregon, previously warned the Federal Communications Commission (FCC) that "malicious attackers" were exploiting SS7 vulnerabilities.

In a statement to The Guardian, Wyden wrote, "Because of [Pai's] inaction, if this report is true, an authoritarian government may be reaching into American wireless networks to track people inside our country."