Mobile operator O2 (Virgin Media) has today informed ISPreview that they’ve finally resolved a nasty security issue with their 4G-based Voice-over-LTE service (VoLTE or 4G Calling), which effectively made it possible for customers of the operator’s network to have their location tracked by almost anybody with access to their mobile number.
Just for context. 4G Calling technology means that any regular calls you make or receive will stay on the 4G mobile network (signal allowing) using the internet-based IP Multimedia Subsystem (IMS) standard, rather than dropping back to 2G or 3G. But Daniel Williams, writing on the excellent Mast Database website, this weekend revealed that O2’s implementation had been leaking sensitive data.
In short, O2’s implementation of IMS appeared to be leaking too much information to end-users. This meant that those with only a little above basic knowledge of mobile networks could figure out the general (approximate) location of other users on the same network – particularly in dense urban areas with more cells present (i.e. this would be less effective in rural areas, where there’s often a lot of distance between masts).
The data being leaked by O2’s headers (e.g. ‘Cellular-Network-Info’) would have allowed an attacker to identify that their target, whose number they had, was connected to the O2 network on an O2 SIM and what model of smartphone they were using (i.e. the recipient’s IMEI code is also exposed, as is their IMSI code). But the real problem came when O2 also exposed the recipient’s location data (e.g. Location Area Code (LAC) and Cell ID).
At this point it becomes possible to use publicly available data, such as related mast information on cellmapper.net, to cross-reference the above information and thus work out a general location of the user. “I also tested the attack with another O2 customer who was roaming abroad, and the attack worked perfectly with me being able to pinpoint them to the city centre of Copenhagen, Denmark,” said Daniel.
Just to be clear, Daniel’s device is nothing special (a regular smartphone) and not doing anything odd to the network. “All it is doing is allowing me to see the information being sent to it. This effectively means that every O2 device that is making a phone call on IMS is receiving information that can be used to trivially geolocate the recipient of the call,” added Daniel.
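The leak described above is, at bottom, a signalling message arriving at the caller’s handset with headers that should have been stripped at the network edge. The following is an added example, not code from ISPreview, Mast Database or O2: a small audit routine an operator or tester could run over captured IMS/SIP messages to flag headers that disclose the far end’s cell identity, IMEI or IMSI, and a matching strip step of the kind the IMS edge (P-CSCF) is expected to apply before a message is forwarded to a subscriber’s device. The header name ‘Cellular-Network-Info’ comes from the article; ‘P-Access-Network-Info’ is the standard RFC 7315 header that carries the same class of data. The sample SIP message, its values and the value-format regexes are constructed for the example and are assumptions, not O2’s real traffic.

```python
import re
from dataclasses import dataclass

# Headers that carry network-side data which should never reach the far-end handset.
# 'Cellular-Network-Info' is the header named in the article; 'P-Access-Network-Info'
# is the RFC 7315 header that carries the same kind of access-network/cell identity.
SENSITIVE_HEADERS = {"cellular-network-info", "p-access-network-info"}

# Value patterns for device/subscriber identifiers. These formats are assumptions
# chosen to match the constructed sample below, not a catalogue of vendor formats.
IDENTIFIER_PATTERNS = {
    "imei": re.compile(r"urn:gsma:imei:[0-9-]+", re.I),
    "imsi": re.compile(r"\bimsi[=:]\s*\d{15}\b", re.I),
    "cell-id": re.compile(r"utran-cell-id-3gpp=([0-9a-f]+)", re.I),
}


@dataclass
class Finding:
    header: str   # header the data was found in
    kind: str     # what class of data: access-network-info, imei, imsi, cell-id
    value: str    # the offending header value or matched fragment


def parse_headers(message: str):
    """Return (name, value) pairs from the header section of a SIP message."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:   # skip the request/status line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def audit_sip_message(message: str):
    """Flag every header that would disclose the peer's cell, IMEI or IMSI."""
    findings = []
    for name, value in parse_headers(message):
        if name.lower() in SENSITIVE_HEADERS:
            findings.append(Finding(name, "access-network-info", value))
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            match = pattern.search(value)
            if match:
                findings.append(Finding(name, kind, match.group(0)))
    return findings


def strip_sensitive_headers(message: str) -> str:
    """Drop the access-network headers before a message leaves the trust domain."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [
        line for line in lines[1:]
        if line.partition(":")[0].strip().lower() not in SENSITIVE_HEADERS
    ]
    return "\r\n".join(kept) + sep + body


# Constructed sample: a 200 OK as the caller's handset might see it if the edge
# forwarded the callee's access-network header untouched. All values are made up.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP [2001:db8::1]:5060;branch=z9hG4bK-example\r\n"
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341000100ABCDE\r\n"
    "Contact: <sip:callee@[2001:db8::2]>;+sip.instance=\"<urn:gsma:imei:35000000-000000-0>\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def audit_kinds(message: str):
    """Convenience: the set of data classes leaked by a message."""
    return {f.kind for f in audit_sip_message(message)}


if __name__ == "__main__":
    for f in audit_sip_message(SAMPLE_RESPONSE):
        print(f"LEAK  {f.header}: {f.kind} -> {f.value}")
    cleaned = strip_sensitive_headers(SAMPLE_RESPONSE)
    print("after strip:", audit_kinds(cleaned))
```

Run against the constructed sample, the audit reports the cell identity twice (once because the header itself is on the deny list, once because the value matches the cell-id pattern) and the IMEI carried in the Contact header; after `strip_sensitive_headers` only the Contact finding remains, which is the point of keeping the audit and the strip as separate steps: the strip removes what the edge must never forward, and the audit shows what policy decisions are still left for the operator.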
Daniel Williams said:
“Any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking.
There is also no way to prevent this attack as an O2 customer. Disabling 4G Calling does not prevent these headers from being revealed, and if your device is ever unreachable these internal headers will still reveal the last cell you were connected to and how long ago this was.
Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmediao2.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.”
This is obviously very worrying, and it’s unclear how long O2’s network has been operating in this way. Many people often expose their mobile numbers in public or have had it exposed via past data breaches, which would no doubt further amplify the concerns for users of O2’s network around this issue. But O2 today informed ISPreview that they’ve now resolved this issue.
A VMO2 spokesperson told ISPreview:
“Our engineering teams have been working on and testing a fix for a number of weeks – we can confirm this is now fully implemented and tests suggest the fix has worked and our customers do not need to take any action.”
Hopefully Daniel will be able to confirm this shortly. Credits to the many readers who dropped us an email about this on Saturday and Sunday, particularly the first one, Julian.
UPDATE 27th May 2025
Daniel has informed ISPreview that his original statement, which stated there was “no way to prevent this attack”, appears to have been incorrect. “With further learning into the intricacies of IMS signalling, and the way in which devices send headers, I now believe that disabling both 4G Calling and WiFi Calling would have mitigated this attack,” said Dan. In any case, O2 has resolved the underlying issue.
Interesting that VMO2 have known for weeks, and just so happen to release a fix as the issue is made public.
All credit to Daniel Williams for exposing this vulnerability.
But this is a frankly unbelievable lapse in security by VMo2 – potentially exposing the location of any O2 customer anywhere in the world providing both parties are connected by VoLTE.
Given o2 is still a firm favourite of many public officials and industry leaders the flaw could have / may have been maliciously used to identify their whereabouts.
VMO2 require suppliers to have a vulnerability disclosure policy (see https://news.virginmediao2.co.uk/wp-content/uploads/2024/01/VMO2-Security-Schedule-V5.2.pdf for details) — it’s a shame that VMO2 don’t appear to have such a policy themselves.
This is incompetency of the highest-level. Really bad.
Do we know of any bad (non-state) actors who have managed to take advantage of this flaw?
This is also the kind of thing that the National Cyber Security Centre should ideally have been on top of.
I guess the best security is to not have a mobile phone, but modern life is increasingly reliant upon them…
The best thing is to not have any IP device. Most of the security flaws are in the hardware components’ internal firmware, which can be reached before the operating system could potentially block them.
@Name, but if you do that, then all you can use is 2G (for now), which has many other security flaws.
Surely this is a notifiable breach? Every single phone call made between O2 customers from the date this configuration was in place until it was fixed leaked identifiable personal data to the caller, whether they had the ability to process that data doesn’t seem relevant.
Agree, and a knowledgeable customer could lodge a complaint to ICO, Cc VMo2’s DPO
Seems to me that a cell address is far short of a postal address that when combined with forename/surname is Personally Identifiable Information under the GDPR. So John Smith of 14 Privet Drive, Dagenham, Essex, is PII, while John Smith, Dagenham South cell is not PII being a transient location that is neither specific nor cross referenceable against other public data.
Well since the weekend 4G calling isn’t working for me. Calls just not connecting. Have to turn airplane mode on and off.
How is it possible for a company like O2 to offer their users’ location to anyone like this? Why was a blog post and some public outrage needed for this issue to be acknowledged and fixed? Why was there no communication between O2 and the person that reported this massive problem?
And most importantly… why was this happening?
I hope someone looks into this. Was the flaw used by anyone to track others or commit any crime? This is also a huge flaw, so is O2 being investigated to see if this is a breach of GDPR laws?
Pity they wouldn’t fix the VoLTE bug that leaves a 5 second silence at the start of calls when SA mode is switched on.
The O2 and Vodafone SA roll-out is a bit half-arsed. It doesn’t support VoNR. Maybe that delay you experience is something related to the phone dropping to 4G/VoLTE?
That’s not a bug, it’s just how calls work when you are on a 5G core without VoNR turned on. With non-SA 5G you are still on the 4G core and so your device doesn’t need to do anything to make VoLTE calls. When you are on a 5G core without voice capabilities then your phone needs to downgrade to the 4G core to make the call hence the pause you have. Once VoNR is enabled, this will go away.
It’s remarkable that there isn’t more noise about this in the media.
It’s really bad that users are so easily compromised like this.
I’ve always been troubled by how much blind confidence a lot of users have in their mobile operator for keeping them safe and secure.
O2 seem to be having a few security issues currently. A friend has just had their number hijacked from O2 and ported out to Vodafone by an unknown person. Twice O2 ignored all security and reset the account for someone else. The friend got a text saying here’s your 6 digit security code if you didn’t request it call us, and whilst on the phone to o2 they were getting multiple texts saying a new number has been added to your account, your password has been changed etc. Somehow without them ever having the security code. A complaint was raised to o2 who apparently sorted it all, but then a few days later it all happened again including a PAC code request, again contacted o2, told it was all sorted and the PAC was cancelled but the next day the number was still ported out and is now in the hands of who knows who. O2 aren’t really interested and as all account security and 2fa was bypassed we suspect O2 staff are involved.