O2 VoLTE Vulnerability Exposes Location of Any Customer With a Phone Call
- Source: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
A severe privacy vulnerability in O2 UK’s Voice over LTE (VoLTE) implementation has allowed any caller to track the physical location of O2 customers without their knowledge or consent.
The flaw leaked detailed location metadata and device identifiers during normal call signaling, potentially affecting millions of customers since the service launched in March 2017.
The vulnerability was finally patched on May 19, 2025, following the public disclosure, but only after months of unsuccessful attempts to contact O2 privately.
Critical Data Exposure in O2 Network
Security researcher Daniel Williams identified the issue while analyzing VoLTE call quality using Network Signal Guru (NSG) on a rooted Google Pixel 8.
During his investigation, he discovered O2’s Session Initiation Protocol (SIP) responses contained an unusual amount of information compared to other networks.
The critical flaw resided in O2’s implementation of the IP Multimedia Subsystem (IMS), specifically in the headers of SIP messages exchanged during call setup. Five particularly concerning headers were exposed:
These headers revealed both the caller’s and recipient’s International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI), along with the recipient’s cell location data.
Precision Location Tracking
The most alarming aspect was the Cellular-Network-Info header, which contained the Location Area Code (LAC) and Cell ID of the recipient’s connected tower.
Williams demonstrated that when cross-referenced with publicly available cell tower databases like cellmapper.net, this information could pinpoint a user’s location with remarkable accuracy. “In a city, this becomes an extremely accurate measure of location,” Williams explained.
“Dense urban areas will make use of many sites with small coverage areas. Each site in these areas can often cover areas as small as 100 square meters.”
The researcher even successfully tracked an O2 customer roaming internationally, locating them in central Copenhagen, Denmark.
The vulnerability affected all O2 customers using the network’s “4G Calling” service, which was introduced in 2017.
Alarmingly, disabling 4G Calling provided no protection, as the headers were still revealed even when a device was unreachable, showing the last connected cell and how long ago the connection occurred.
The implementation flaw has been attributed to O2’s Mavenir Unified Access Gateway (UAG), which was improperly configured to include debugging information in standard call signaling.
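The corresponding control is an egress filter that keeps debugging headers out of signaling sent to handsets. The Python filter below is an added example, not code from the article, the researcher, O2 or Mavenir. It strips the `Cellular-Network-Info` header named above and any non-core header carrying a 15-digit value (the length of both an IMSI and an IMEI). The `X-Example-Debug-*` header names, the core-header allowlist and the sample message are constructed assumptions.

```python
import re

# Header the article names as carrying the recipient's cell location.
BLOCKED_NAMES = {"cellular-network-info"}
# IMSI and IMEI are both 15 digits; the article does not list the header
# names that carried them, so those are caught by value instead of by name.
ID_15_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")
# Assumed allowlist: standard SIP headers the handset needs, never value-scanned.
CORE_HEADERS = {"via", "from", "to", "call-id", "cseq", "contact", "rseq",
                "content-type", "content-length", "record-route", "require",
                "supported", "allow"}

def scrub_sip_message(raw):
    """Return (cleaned_message, findings) for one SIP message bound for a UE."""
    head, sep, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    unfolded = []
    for line in header_lines:
        # RFC 3261 allows a header value to continue on an indented line.
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    kept, findings = [], []
    for line in unfolded:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in BLOCKED_NAMES:
            findings.append((name.strip(), "cell location"))
        elif key not in CORE_HEADERS and ID_15_DIGITS.search(value):
            findings.append((name.strip(), "15-digit identifier"))
        else:
            kept.append(line)
    return "\r\n".join([start_line] + kept) + sep + body, findings

# Constructed sample response; identifiers are test values, not real subscribers.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKexample",
    "From: <sip:+15550100@ims.example.net>;tag=a1",
    "To: <tel:+15550101>;tag=b2",
    "Call-ID: constructed-call-id@192.0.2.10",
    "CSeq: 1 INVITE",
    "X-Example-Debug-IMSI: 001010123456789",
    "X-Example-Debug-IMEI: 490154203237518",
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=00101ABCD0123456",
    "Content-Length: 0",
    "", ""])
```

The `findings` list doubles as an audit signal: any non-empty result on traffic leaving the core toward a handset means a debug or location header escaped its trust boundary.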
The vulnerability potentially affected O2’s 23 million mobile customers, exposing them to location tracking by anyone with their phone number and basic technical knowledge.
Williams noted his disappointment at O2’s lack of a clear vulnerability reporting channel, contrasting it with rival network EE’s well-defined disclosure policy.
This incident highlights the ongoing privacy challenges in telecommunications infrastructure and the critical importance of proper security configurations in complex systems like VoLTE implementations.