O2 UK has resolved a security vulnerability in its VoLTE and WiFi Calling features, which potentially exposed users’ general locations and personal identifiers. This security flaw was detected by cybersecurity expert Daniel Williams, who indicated that the issue may have been present in the network since February 2023. O2 UK, a telecommunications provider owned by Virgin Media O2, serves around 23 million mobile users and 5.8 million broadband customers across the UK.

Williams identified the vulnerability while examining call traffic, discovering that signalling messages, particularly their SIP headers, included excessive information. These messages contained not only technical data but also sensitive identifiers such as the International Mobile Subscriber Identity (IMSI), the International Mobile Equipment Identity (IMEI), and cell location data. “The responses I got from the network were extremely detailed and long and were unlike anything I had seen before on other networks,” Williams said.

To discover this flaw, Williams used a rooted Google Pixel 8 with the Network Signal Guru (NSG) app to capture and decode raw IMS signalling messages during calls. This enabled him to determine the last cell tower a call was connected to, presenting potential privacy risks. He mentioned that individuals with a basic understanding of mobile networking could exploit this to trace any O2 customer’s location.

Williams observed that the problematic headers remained exposed even after 4G Calling was disabled, leaving users with no effective protection against such attacks. He stressed that O2 should remove these headers from all IMS/SIP messages to protect user privacy. He further recommended disabling debug headers to reduce the risk of accidental data exposure.
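As an added illustration of the remediation Williams describes (this is not code from the article, from Williams or from O2), the following Python sketch audits a SIP message at a hypothetical network egress point and rebuilds it without headers that carry subscriber identifiers or cell location. The article does not name the affected headers, so the header set, the `X-Example-*` names and all sample values are assumptions.

```python
import re

# Assumption: the article does not name the leaking headers. These two are
# standard IMS headers that carry cell identity (RFC 7315, 3GPP TS 24.229).
LOCATION_HEADERS = {"p-access-network-info", "cellular-network-info"}
# Applied to "Name: value" so identifiers are caught under any header name.
ID_PATTERNS = {
    "IMSI": re.compile(r"imsi[^0-9]{0,8}\d{14,15}", re.I),
    "IMEI": re.compile(r"imei[^0-9]{0,8}\d{8}-?\d{6}", re.I),
}

def parse(message):
    """Split a SIP message into (start_line, [(name, value)], body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def findings(name, value):
    """Return the reasons this header should not reach a subscriber device."""
    reasons = ["cell location"] if name.lower() in LOCATION_HEADERS else []
    reasons += [k for k, rx in ID_PATTERNS.items() if rx.search(f"{name}: {value}")]
    return reasons

def audit(message):
    """Map each flagged header name to the reasons it was flagged."""
    _, headers, _ = parse(message)
    return {n: r for n, v in headers if (r := findings(n, v))}

def sanitize(message):
    """Rebuild the message without any flagged header."""
    start, headers, body = parse(message)
    kept = [f"{n}: {v}" for n, v in headers if not findings(n, v)]
    return "\r\n".join([start] + kept) + "\r\n\r\n" + body

# Constructed sample; X-Example-* header names and all values are hypothetical.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP [2001:db8::1]:5060;branch=z9hG4bKexample",
    "X-Example-Debug-IMSI: 001010123456789",
    "X-Example-Debug-Device: imei=35693803-564380",
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;",
    " utran-cell-id-3gpp=0010100010000001",
    "Content-Length: 0", "", ""])
```

Running `audit` over captured egress traffic before and after a configuration change gives a regression check that the headers stay removed.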

Potential global implications of the vulnerability

Using publicly available tools and cell tower maps, Williams could ascertain the geographic position of these towers. In urban areas with dense tower distribution, the estimation accuracy could reach 100 square metres. Although the precision was lower in rural areas, the information could still be significant for potential targets.

This vulnerability extended beyond the UK, as Williams demonstrated its international impact by successfully locating a test subject in Copenhagen, Denmark. This highlights the potential global implications of the vulnerability. Williams claimed that he reported his findings to O2 UK in late March. Despite an initial lack of response, O2 UK later confirmed the issue had been addressed. Williams said that he verified the resolution of the problem through further testing.

“O2 reached out to me via email to confirm that this issue has been resolved,” said Williams. “I have validated this information myself and can confirm that the vulnerability does appear to be resolved.”

Earlier this month, Virgin Media O2 entered into a merger deal with Daisy Group under which the two entities will combine their direct B2B operations to establish a major player in the UK’s business communications and IT market. The new entity, which is estimated to have annual pro forma revenues of around £1.4bn, will be consolidated by Virgin Media O2 with a stake of 70%, while Daisy Group will hold a 30% stake.
