Signals at Sea, Cyber Obscura

Story opening

The escape was meticulous. Sheikha Latifa bint Mohammed bin Rashid Al Maktoum, daughter of the ruler of Dubai, had spent years coordinating with a former French intelligence officer turned yacht captain, Hervé Jaubert. On 24 February 2018, she crossed the border into Oman, jet-skied out to international waters, and boarded the Nostromo, a US-flagged, 100-foot vessel under Jaubert's command. The plan was Goa, then political asylum further west.

Eight days later, on 4 March, the Nostromo was boarded in international waters off the coast of Goa, roughly 50 nautical miles from shore, by Indian and Emirati special forces. Latifa was on a WhatsApp call when the boarding began. She said in the call that she could hear gunshots. Then the line went dead. The vessel disappeared from public maritime tracking for sixteen days. On 20 March, its Automatic Identification System (AIS) transponder reappeared at the UAE naval port of Fujairah.

The question that lingered was not what happened to her. The question was how, in international waters, an extraction force found a yacht that had no AIS pinging, no flight plan, and no obligation to be where it could be reached.

Case file

Public reporting on the case is necessarily partial. The UAE has not confirmed the operation. The vessel's captain, Jaubert, was detained briefly and released. Latifa was returned to Dubai, where she remains. There has been no court forum in which the technical methods of the boarding party were tested.

What the public record does have is a piece of telecommunications infrastructure that surfaced in a separate investigation two and a half years later.

In December 2020, the Bureau of Investigative Journalism, working with the Guardian, published an investigation into a small Channel Islands mobile carrier, Sure Guernsey, whose signalling access points had been leased by an Israeli surveillance firm called Rayzone Group. One of those access points, a Global Title in the format of a UK mobile number, was linked by industry sources to the apparent attempted location of Latifa during the escape. The targeting did not appear to focus on Latifa's phone. It appeared to focus on the phone of Hervé Jaubert.

Rayzone denied any role in the operation. The Bureau cited two industry sources for the rental of the specific Global Title, and characterised the technical reconstruction as plausible rather than confirmed. A separate investigation by Forbidden Stories and Amnesty International in July 2021, the Pegasus Project, listed Latifa's number, and the numbers of several of her advocates, as potential targets selected by NSO Group clients in the period after she went missing; the Pegasus Project material concerns spyware on individual devices, which is a different surveillance vector from the one used to find the yacht. Both vectors appear in the Latifa story. They are not the same mechanism, and the article that follows is about the first one.

The mechanism is older than the smartphone, older than the cellular network as most people use it, and older than the regulatory regime that was supposed to keep it private. It is the system that lets a phone in Goa receive a text message from a phone in Dubai. Its name is Signalling System No. 7.

Technical breakdown

Signalling System No. 7 (SS7) is the global signalling layer of the public switched telephone network. It is the set of protocols that tells one phone network how to reach a subscriber on another phone network: how to route a call, deliver a text message, charge a roaming visitor, or hand a session off between cell towers. It was standardised by the International Telecommunication Union in 1980. It was designed for an era in which the only entities connected to it were national telecommunications monopolies, all of whom could be trusted by virtue of being national telecommunications monopolies.

That assumption has not aged well.

The architecture is layered. The Message Transfer Part (MTP) handles physical transport and routing. The Signalling Connection Control Part (SCCP) handles end-to-end addressing using a value called a Global Title, which can be thought of as the international address of a piece of telecom infrastructure. The Transaction Capabilities Application Part (TCAP) handles database queries between network elements. Sitting on top is the Mobile Application Part (MAP), which is where the protocols a mobile network actually uses for roaming, location, and short message routing live. When a phone receives a text from another country, the message it receives is the visible top of a small cascade of MAP queries between the originating network and the home network of the recipient.

Two MAP entities are central to understanding what can be done. The first is the Home Location Register (HLR), the master subscriber database in the home network. It knows that subscriber number X belongs to subscriber identity Y, and it knows which network is currently providing service to Y. The second is the Visitor Location Register (VLR), the working subscriber database of the network actually serving Y at the moment, which knows the cell tower Y is connected to.

In a normal roaming scenario, when a text message from Dubai is sent to a phone roaming in India, the originating network asks the HLR in the home network something like, who is currently providing service to this subscriber; the HLR replies with a pointer to the VLR; the VLR provides the routing information needed to deliver the message. Each step assumes the asker is a legitimate carrier. There is no cryptographic check on whether that is true.

If a party with access to the SS7 network sends the same query for a subscriber they have no commercial reason to be asking about, the network answers anyway. If they send a query that asks the VLR to report the cell tower the subscriber is connected to, using the MAP function ProvideSubscriberInfo, the VLR returns a Cell Identifier. Cell Identifiers are not secret; cross-referenced against public databases of cell tower coordinates, they pin a phone to a tower, which on land is usually a few hundred metres of certainty and at sea is a different kind of fix entirely. There are not many cell towers on the Indian Ocean.

There are other queries that do other things. AnyTimeInterrogation, intended for legitimate operator diagnostics, returns the serving network and a coarse location. SendRoutingInfoForSM, intended to route inbound text messages, also reveals the serving network. UpdateLocation, intended to register a subscriber on a new network when they roam, can be abused to register a subscriber on an attacker's fake serving network, after which short messages destined for that subscriber are routed to the attacker until the legitimate device next attaches to a real tower. ProcessUnstructuredSS, intended for the menu-style codes that run mobile money services in much of the world, can be abused to push convincing fake prompts to a target's screen.

Defenders looking at this protocol family monitor for query traffic that is anomalous in three ways: queries from a Global Title that should not be asking about that subscriber, query rates that suggest reconnaissance rather than legitimate operations, and pattern combinations that suggest an attacker walking through the protocol family in sequence. Public reporting on the Latifa case provides a worked example. Across a short window, the captain's phone was apparently hit by a rapid burst of identity and location queries from multiple Global Titles leased across different jurisdictions; several were caught by signalling firewalls on the carriers they touched, and at least one, sent from a Global Title the defending network had no reason to flag, went through unlogged. The signalling firewall standards published by the GSM Association (GSMA), principally FS.11 and FS.07 for SS7 and the IR.82 family for SS7 and Diameter (the 4G/LTE successor protocol), describe what those defences look like. The standards are not secret. The reasons many operators do not implement them in full are commercial rather than technical: signalling firewalls cost money, and the entity bearing the cost is rarely the entity bearing the loss when an SS7 abuse succeeds.

Public demonstrations have made the abstract concrete. In December 2014, two German researchers, Tobias Engel and Karsten Nohl, presented separate analyses at the Chaos Communication Congress in Hamburg showing that an attacker with SS7 access could locate, intercept, and impersonate arbitrary subscribers. Nohl's work appeared on US television in 2016 in an episode of 60 Minutes, in which his team, with the consent of US Congressman Ted Lieu, tracked Lieu's iPhone, intercepted his texts, and recorded his calls.

The intervening decade has made clear that the access required to do this is no longer the exclusive preserve of state actors. Commercial surveillance vendors lease Global Titles from small operators in jurisdictions where the lease is not closely scrutinised, the Channel Islands among them, and run targeting campaigns from those leased points. The most recent and most carefully evidenced public account is the Citizen Lab report Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors, published 23 April 2026, which links observed real-world attack traffic to specific carriers and identifies two distinct surveillance campaigns operating across SS7 and Diameter, one of them combining signalling abuse with malicious binary SMS payloads. An earlier Citizen Lab report, Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure, sets out the location-disclosure mechanics in technical detail.

The same family of techniques has been used against money. In May 2017, Süddeutsche Zeitung reported that a coordinated attack against customers of the German operator O2 Telefónica had used SS7 routing manipulation to intercept the SMS one-time codes used to authorise online banking transactions, draining accounts at scale; O2 confirmed the SS7 component of the attack. In February 2019, Motherboard reported that a similar attack had succeeded against customers of UK challenger bank Metro Bank, in what was understood at the time to be the first publicly reported SS7 incident against a UK bank. The attacks did not depend on compromising any individual phone. They depended on the network believing that the attacker was a legitimate carrier asking a legitimate question.

What ties the bank fraud cases to the boat off Goa is not the target. It is the trust assumption. The protocol cannot tell why the question is being asked. It can only answer it.

Core lesson

There is a moment in the case where the framing inverts.

At the start of the story, the phone on the Nostromo is a lifeline. It is the object Latifa uses to message advocates. It is the object Jaubert uses to navigate. It is the line by which the people on the boat remain knowable as people, rather than dissolving into the indifferent expanse of an ocean crossing. By the end of the story, the phone is the reason the ocean stopped being indifferent.

The lesson is not that phones are dangerous. The lesson is structural. Every mobile device is, by design, an active participant in a global system whose foundational protocols were standardised in an era when the only parties that could ask the system anything were national carriers, and whose security model has not been rebuilt in the intervening decades because the parties that would pay for the rebuild are not the parties that bear the cost when the model fails. The phone on the boat did exactly what it was designed to do. So did the network underneath it. So did the leased Global Title in Guernsey, if the reconstruction is correct. Each component performed its specification. The surprise is in who turned out to be holding the other end of the wire.

Two readings follow. The first is technical literacy: understanding the layers. A phone is not just a screen and an app and a SIM. It is also a subscriber identity in a database, a registered location in a roaming partner's database, and an addressable object in a global signalling network with permissive querying conventions. Each of those layers can leak. The second is threat-modelling literacy: the question who could find me depends entirely on what kind of adversary is asking. An ad network can find someone with location SDK telemetry. A spouse with a shared account can find someone with platform-native location sharing. A state actor with access to the signalling layer can find someone with a query that does not require the target's phone to do anything other than be turned on.

The technology rarely fails in surprising ways. The surprise is in who turned out to be using it. The Nostromo is a clean example. SS7 was designed to do what it did off the coast of Goa. It just was not designed for the assumption that the asker had no business asking.

Glossary

Signalling System No. 7 (SS7): A family of telecommunications protocols, standardised by the International Telecommunication Union in 1980, used by phone networks to route calls, deliver text messages, and exchange roaming information. SS7 underlies most of the mobile signalling visible to ordinary users, although newer 4G and 5G networks also use a successor protocol called Diameter.
Global Title: The international address of a piece of telecommunications infrastructure on the SS7 network. A Global Title looks like a phone number but identifies a network element rather than a subscriber, and is used to route signalling messages between operators.
Home Location Register (HLR): The master subscriber database maintained by a mobile operator for its own subscribers. The HLR records which network is currently serving each subscriber, among other things.
Visitor Location Register (VLR): The working subscriber database maintained by the mobile network currently serving a subscriber, including subscribers who are roaming on that network. The VLR knows which cell tower a subscriber's phone is connected to.
Mobile Application Part (MAP): The application layer of SS7, where protocols specific to mobile services live, including the queries used for roaming, short message routing, and location updates.
Cell Identifier: A code identifying a specific cell tower or sector. Cell Identifiers are not secret; cross-referenced against public databases of tower coordinates, they yield a geographic location accurate to a few hundred metres on land.
Diameter: The successor signalling protocol used in 4G and 5G mobile networks. Diameter has stronger authentication than SS7 but inherits many of the same trust assumptions, and the two protocols often interwork at network boundaries.
Two-Factor Authentication via SMS (SMS-2FA): A method of confirming a user's identity by sending a one-time code to their phone by text message. SMS-2FA depends on the phone network delivering the message only to the intended recipient, an assumption that signalling abuse can break.
Automatic Identification System (AIS): A maritime tracking system used by vessels to broadcast their identity, position, and course to other vessels and to coastal stations. AIS is a separate system from cellular signalling; the Nostromo's AIS reactivation at Fujairah is what publicly placed the vessel back in the UAE.

Suggested viewing

Tobias Engel, SS7: Locate. Track. Manipulate, 31st Chaos Communication Congress, December 2014. The original live demonstration of location-tracking through the SS7 protocol family.

Return to the case

The Nostromo's AIS transponder did not need to be reactivated for the boat to be found. AIS reactivation was the part of the operation that made the recovery legible to the public after the fact. The part that actually located the yacht in international waters was, on the available evidence, the part that nobody on board could turn off and nobody on the operator side had any reason to refuse.

The phone on the boat was doing what it was designed to do. So was the network it spoke to. The asker simply was not who the network's design assumed the asker would be.

Editorial notes on uncertainty

The story sits in genuinely contested evidentiary space. The uncertainty is part of the case rather than something to be papered over.

The strongest piece of attribution in the public record, the link between a Sure Guernsey Global Title leased by Rayzone Group and the apparent location-finding of Hervé Jaubert's phone, rests on two industry sources cited by the Bureau of Investigative Journalism. Rayzone denies the attribution. The reconstruction is plausible rather than confirmed; the technical lesson does not depend on which specific commercial vendor was at the other end of the wire, only on the fact that the wire was reachable.

The losses associated with the May 2017 O2 Telefónica incident are reported inconsistently across outlets, and the attack is characterised qualitatively here rather than by figure. The deployment status of signalling firewalls across carriers is not publicly disclosed at carrier-by-carrier level. None of these gaps are central to the technical breakdown.

A note on Pegasus

The Pegasus spyware thread of the Latifa case is a separate surveillance vector and is not pursued here. Pegasus operates by compromising the device itself; SS7 abuse operates by querying the network the device sits in. Both appear to have been used in the Latifa story. The Pegasus angle would warrant its own treatment.