Sunday, June 29, 2025

O2 UK patches bug leaking mobile user location from call metadata


A flaw in O2 UK's implementation of VoLTE and WiFi Calling technologies could allow anyone to expose the general location of a person and other identifiers by calling the target.

The problem was discovered by security researcher Daniel Williams. The flaw apparently existed on O2 UK's network since February 2023, and was resolved yesterday.

O2 UK is a British telecommunications service provider owned by Virgin Media O2. As of March 2025, the company reported having nearly 23 million mobile customers and 5.8 million broadband clients across the UK, positioning it as one of the major providers in the country.

In March 2017, the firm launched its IP Multimedia Subsystem (IMS) service, branded as "4G Calling," for better audio quality and line reliability during calls.

However, as Williams discovered while analyzing the traffic during such a call, the signalling messages (SIP headers) exchanged between the communicating parties are far too verbose and revealing, including IMSI, IMEI, and cell location data.

"The responses I got from the network were extremely detailed and long, and were unlike anything I had seen before on other networks," explains Williams.

"The messages contained information such as the IMS/SIP server used by O2 (Mavenir UAG) along with version numbers, occasional error messages raised by the C++ services processing the call information when something went wrong, and other debugging information."

Information exposed in the SIP headers
Source: mastdatabase.co.uk
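As an added illustration (not code from O2, Mavenir or the researcher), the sketch below shows the kind of egress check a border proxy or a regression test could run on SIP messages before they reach a handset, flagging and stripping the categories of data described above. The article does not name the leaking headers, so the header choices are assumptions: `P-Access-Network-Info` and `Cellular-Network-Info` are the standard headers that carry cell identity, while `X-Example-Debug-IMSI`, the `ExampleUAG` banner and all sample values are constructed.

```python
import re

# P-Access-Network-Info (RFC 7315) and Cellular-Network-Info (3GPP TS 24.229)
# carry the serving cell; they are meant for the home network, not the far end.
LOCATION = {"p-access-network-info", "cellular-network-info"}
BANNER = {"server", "user-agent"}
ID_RE = re.compile(r"\b(imsi|imei)\b", re.I)       # keyword in name or value
VERSION_RE = re.compile(r"[/ ]v?\d+(\.\d+)+\S*")   # e.g. "/1.2.3-build7"

def parse_headers(message):
    """Return (start_line, [(name, value)], body) with folded lines unfolded."""
    head, _, body = message.partition("\r\n\r\n")
    lines = re.sub(r"\r\n[ \t]+", " ", head).split("\r\n")
    pairs = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return lines[0], pairs, body

def audit(message):
    """List (category, header_name) for headers that should not leave the core."""
    findings = []
    for name, value in parse_headers(message)[1]:
        if name.lower() in LOCATION:
            findings.append(("location", name))
        elif ID_RE.search(name) or ID_RE.search(value):
            findings.append(("subscriber-id", name))
        elif name.lower() in BANNER and VERSION_RE.search(value):
            findings.append(("version-banner", name))
    return findings

def scrub(message):
    """Drop location and identifier-named headers; strip versions from banners.
    Identifiers embedded in values of mandatory headers need rewriting instead."""
    start, pairs, body = parse_headers(message)
    kept = [start]
    for name, value in pairs:
        if name.lower() in LOCATION or ID_RE.search(name):
            continue
        if name.lower() in BANNER:
            value = VERSION_RE.sub("", value)
        kept.append(f"{name}: {value}")
    return "\r\n".join(kept) + "\r\n\r\n" + body

# Constructed sample (test PLMN 001/01): a response as a calling handset might see it.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress", "Call-ID: a84b4c76e66710",
    "Server: ExampleUAG/1.2.3-build7",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;", " utran-cell-id-3gpp=00101abcd1234567",
    "X-Example-Debug-IMSI: 001010123456789", "Content-Length: 0", "", ""])
```

Running `audit` on captured signalling from a test handset after a change to the IMS edge gives a quick regression signal that none of these categories has reappeared.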

Locating users by call

Using the Network Signal Guru (NSG) app on a rooted Google Pixel 8, Williams intercepted raw IMS signalling messages exchanged during a call and decoded the cell ID to find the last cell tower the call recipient connected to.

Then, he used public tools that provide cell tower maps to find the geographic coordinates of the tower.

Locating the cell tower
Source: mastdatabase.co.uk

For urban areas where tower coverage is dense, the accuracy would reach 100 m² (1076 ft²). In rural areas, geolocation would be less precise, but could still be revealing for the target.

Williams found the trick also worked when the target was abroad, as he located a test subject in Copenhagen, Denmark.

Tracking a person in Denmark
Source: mastdatabase.co.uk

O2 UK confirms fix

Williams says that he contacted O2 UK multiple times on March 26 and 27, 2025, to report his findings, receiving no answers.

Finally, he got direct confirmation from O2 UK earlier today that the issue has been fixed, and he confirmed this through testing.

In a statement to BleepingComputer, a Virgin Media spokesperson confirmed that a fix has been implemented, noting that customers do not need to take any action to protect themselves.

"Our engineering teams have been working on and testing a fix for a number of weeks – we can confirm this is now fully implemented, and tests suggest the fix has worked, and our customers do not need to take any action," Virgin Media O2 told BleepingComputer.

BleepingComputer asked O2 whether this flaw was known to be exploited and if they plan to inform customers accordingly, but we did not receive a reply.

Update 5/20 – Article updated to correct the statement about the period of exposure.

