A flaw in O2 UK’s implementation of VoLTE and WiFi Calling applied sciences may permit anybody to reveal the final location of an individual and different identifiers by calling the goal.
The issue was found by safety researcher Daniel Williams, who says the flaw existed on O2 UK’s community since March 27, 2017, and was resolved yesterday.
O2 UK is a British telecommunications service supplier owned by Virgin Media O2. As of March 2025, the corporate reported having almost 23 million cellular clients and 5.8 million broadband shoppers throughout the UK, positioning it as one of many main suppliers within the nation.
In March 2017, the agency launched its IP Multimedia Subsystem (IMS) service, branded as “4G Calling,” for higher audio high quality and line reliability throughout calls.
Nevertheless, as Williams found whereas analyzing the site visitors throughout such a name, the signalling messages (SIP Headers) exchanged between the speaking events are far too verbose and revealing, together with IMSI, IMEI, and cell location knowledge.
“The responses I received from the community have been extraordinarily detailed and lengthy, and have been not like something I had seen earlier than on different networks,” explains Williams.
“The messages contained info such because the IMS/SIP server utilized by O2 (Mavenir UAG) together with model numbers, occasional error messages raised by the C++ providers processing the decision info when one thing went incorrect, and different debugging info.”
Supply: mastdatabase.co.uk
Finding customers by name
Utilizing the Community Sign Guru (NSG) app on a rooted Google Pixel 8, Williams intercepted uncooked IMS signalling messages exchanged throughout a name and decoded the cell ID to seek out the final cell tower the decision recipient related to.
Then, he used public instruments that present cell tower maps to seek out the geographic coordinates of the tower.
Supply: mastdatabase.co.uk
For city areas the place tower protection is dense, the accuracy would attain 100 m2 (1076 ft2). In rural areas, geo-locating would get much less exact, however may nonetheless be revealing for the goal.
Williams discovered the trick additionally labored when the goal was overseas, as he situated a check topic in Copenhagen, Denmark.
Supply: mastdatabase.co.uk
O2 UK confirms repair
Williams says that he contacted O2 UK a number of occasions on March 26 and 27, 2025, to report his findings, receiving no solutions.
Lastly, he received direct affirmation from O2 UK earlier immediately that the problem has been fastened, and he confirmed this by way of testing.
In an announcement to BleepingComputer, a Virgin Media spokesperson confirmed {that a} repair has been applied, noting that clients should not have to take any motion to guard themselves.
“Our engineering groups have been engaged on and testing a repair for plenty of weeks – we will verify that is now absolutely applied, and assessments counsel the repair has labored, and our clients don’t have to take any motion,” Virgin Media O2 advised BleepingComputer.
BleepingComputer requested O2 whether or not this flaw was identified to be exploited and in the event that they plan to tell clients accordingly, however we didn’t obtain reply.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the right way to defend towards them.
