Iran Tracked US Military Personnel via SS7 and Commercial Data
Iran exploited mobile network vulnerabilities and commercial advertising databases to track U.S. military personnel and contractors during a Middle East conflict.
The government of Iran conducted a coordinated phone-tracking campaign targeting U.S. military personnel and contractors during a conflict that began in late February 2026. Iranian-linked actors exploited vulnerabilities in the decades-old Signaling System 7 (SS7) protocol to send pings to phones roaming on regional networks and abused commercial smartphone advertising databases to locate devices, specifically within the Kurdistan region of Iraq.
These intelligence operations coincided with Iranian missile and drone strikes on hotels housing U.S. personnel in Iraq and Bahrain, including the Manama Crowne Plaza. While some reports indicate these tracking efforts enabled strikes that caused several injuries, U.S. Central Command denied that location tracking played a significant role in the attacks. The command informed Congress in April that it has since implemented force-protection measures to mitigate the risk of commercial data exploitation.
U.S. lawmakers criticized the military for failing to secure devices, noting that personnel often used personal smartphones instead of secure government-issued phones. This created a digital exhaust that adversaries could analyze. In response, members of Congress have called for stronger digital safeguards and legislation to prevent technology companies from selling the digital footprints of government employees.