How Iran Uses Everyday Phone Data to Track American Troops

How Iran Uses Everyday Phone Data to Track American Troops

Your phone is a beacon. It transmits your location constantly, even when you think you turned off the tracking features. For U.S. military personnel and private contractors deployed in the Middle East, this isn't just a minor privacy headache. It is a life-or-death vulnerability that foreign adversaries are actively exploiting.

Fresh details have emerged showing how deeply Iranian cyber actors penetrated regional mobile networks. They didn't need sophisticated military-grade spyware to do it. They used the basic plumbing of the global telecommunications system and the unregulated world of digital advertising.

Data from the Mobile Surveillance Monitor research project reveals a coordinated tracking campaign. The efforts began in the high-tension buildup to the U.S. and Israeli military strikes against Iran in late February 2026. The tracking continued well into the early days of the active conflict. During this time, Middle Eastern telecom networks had to fend off a massive, quiet wave of digital surveillance requests.

This campaign target was highly specific. Hackers wanted to pin down the exact locations of U.S. troops, contractors, and intelligence staff roaming on foreign networks.


The Ancient Telecom Loophole That Exposes Your Position

To understand how this tracking works, you have to look at how mobile networks talk to each other. When you travel abroad, your phone still receives calls and text messages. This happens because your home carrier shares data with local operators in your destination country.

The system that makes this happen is called Signalling System No. 7, or SS7.

Designed in the 1970s, SS7 is the administrative backbone of global telephony. It was built during an era when only a few state-owned telecom monopolies existed, and security was based entirely on mutual trust. It has no built-in mechanism to verify who is sending a request.

Iran-linked hackers capitalized on this fundamental weakness.

[Iranian Operator] ---> sends "SS7 Ping" ---> [Gulf Network (Roaming)] ---> reveals [US Soldier's Phone Location]

Iranian mobile operators maintain active roaming agreements across the Gulf region and the wider Middle East. This gave state-linked actors the technical authority to send specialized signals, known as SS7 pings, directly to regional towers. These pings don't ring your phone. They don't leave a notification. They simply ask the local network: "Where is this specific phone right now?"

The network responds with the rough location of the device.

Gary Miller, a senior research fellow at the cybersecurity watchdog Citizen Lab, analyzed the regional telecom data. He confirmed that the pattern of pings represents a targeted effort. This was not a random dragnet. It was a focused attempt to pinpoint specific devices owned by specific individuals. Miller pointed out that Iran has the established technical capacity to secure real-time, continuous location data this way.


Exploiting the Ad Networks We All Use

The telecom backbone wasn't the only tool in the Iranian espionage toolkit. When SS7 pings failed or were blocked by regional firewalls, the tracking shifted to something even more pervasive: the digital advertising market.

Every time you open a free app, a weather forecast, or a casual mobile game, an invisible auction happens in milliseconds. Ad networks bid to show you an advertisement based on your demographics and your physical coordinates. This ecosystem generates a massive trail of digital exhaust.

US intelligence officials believe Iranian actors systematically exploited these commercial advertising databases to track military personnel.

In the semi-autonomous Kurdistan region of Iraq, hackers used commercial ad-tech data to map out exactly which phones were registering inside hotels known to house American government staff and defense contractors.

They didn't have to break into any secure military databases. They simply bought or scraped the commercial location logs that marketing agencies use every day to sell sneakers and fast food.


Warning Signs the Government Ignored for Years

This vulnerability is not a surprise. Security experts and politicians have raised alarms about SS7 and ad-tech tracking for a decade, yet very little has changed.

The U.S. Central Command, or CENTCOM, warned Congress in April 2026 that foreign adversaries were actively leveraging commercial location data to target and monitor U.S. forces in operational theaters. The threat is real, and the warnings have been explicit.

Senator Ron Wyden, a Democrat from Oregon, has repeatedly targeted both major political parties for failing to secure these networks. Wyden pointed to a historical Department of Homeland Security report that identified Iran as a primary player in abusing SS7 to target American phone subscribers.

Now, the consequences of that inaction are playing out in active war zones.

On the other side of the aisle, Representative Pat Harrigan, a North Carolina Republican on the House Armed Services Committee, has pushed for legislation to ban tech platforms and data brokers from selling the digitized footprints of military and government employees.


Why Direct Device Targeting is a Physical Threat

Some defense officials have tried to downplay the utility of this digital tracking. An anonymous U.S. official remarked that suggesting this data played a major role in directing physical attacks is a departure from reality.

That perspective is dangerously short-sighted.

While a missile strike usually relies on multiple layers of intelligence—including satellite imagery, local informants, and drone surveillance—knowing exactly which hotel rooms or bases contain active U.S. devices makes those physical assets far more effective. During the recent conflict, Iran-backed militias launched precise strikes on hotels and bases in Iraq, Bahrain, and the wider Gulf region. Having real-time confirmation that specific targets are occupied changes the calculus of an attack.

Military personnel cannot rely on the defense establishment to secure their devices. The bureaucracy moves too slowly to patch holes that have existed since the Nixon administration.


Steps to Lock Down Devices in High-Risk Zones

If you are a service member, contractor, or government employee operating in a high-risk region, you must take active control of your digital signature. Relying on default settings is a massive risk.

  • Ditch the commercial SIM card: Avoid using local Middle Eastern SIM cards or roaming on standard consumer plans. If you must use a cellular network, rely on dedicated, secure government-issued hardware with roaming disabled.
  • Utilize physical RF shielding: When you are not actively using a device, place it in a high-quality Faraday bag. This blocks all incoming and outgoing signals, stopping SS7 pings and location broadcasts cold.
  • Purge non-essential apps: Delete any app that relies on ad-supported monetization. Weather apps, free games, and basic utility apps are major vectors for the commercial ad-tech data that adversaries buy.
  • Enforce strict device isolation: Never bring personal smartphones or wearable fitness trackers into sensitive operational areas or hotels near active zones.

The global communications network is fundamentally broken when it comes to privacy. Until governments force telecom carriers to rebuild the global routing system and heavily regulate data brokers, your location will remain up for sale to the highest bidder. If that bidder happens to be a foreign adversary, the consequences are devastating.

AM

Amelia Miller

Amelia Miller has built a reputation for clear, engaging writing that transforms complex subjects into stories readers can connect with and understand.