O2 VoLTE Vulnerability Exposes Customer Locations Through Phone Calls

A significant privacy flaw in O2 UK’s Voice over LTE (VoLTE) service has been discovered, enabling callers to determine the physical locations of O2 customers without their knowledge or consent. This vulnerability, present since the service’s inception in March 2017, was only rectified on May 19, 2025, following public disclosure and prolonged unsuccessful attempts to alert O2 privately.

Discovery of the Vulnerability

Security researcher Daniel Williams identified the issue while assessing VoLTE call quality using Network Signal Guru (NSG) on a rooted Google Pixel 8. During his analysis, Williams observed that O2’s Session Initiation Protocol (SIP) responses carried an unusually large amount of information compared to other networks. This excessive data exposure was traced back to O2’s implementation of the IP Multimedia Subsystem (IMS), specifically the headers of SIP messages exchanged during call setup.

Exposed Sensitive Information

Five specific SIP headers were found to be leaking critical information:

1. P-Asserted-Identity: Revealed the caller’s International Mobile Subscriber Identity (IMSI).
2. P-Called-Party-ID: Disclosed the recipient’s IMSI.
3. P-Access-Network-Info: Contained the recipient’s International Mobile Equipment Identity (IMEI).
4. P-Visited-Network-ID: Indicated the recipient’s connected network.
5. Cellular-Network-Info: Included the recipient’s cell location data, such as Location Area Code (LAC) and Cell ID.

The most concerning of these was the Cellular-Network-Info header, which provided precise details about the recipient’s connected cell tower. By cross-referencing this data with publicly available cell tower databases like cellmapper.net, an individual’s location could be pinpointed with remarkable accuracy. In densely populated urban areas, this method could localize a user to an area as small as 100 square meters.

Implications of the Flaw

The vulnerability affected all O2 customers utilizing the network’s 4G Calling service. Notably, disabling 4G Calling did not mitigate the risk, as the headers were still transmitted even when a device was unreachable, revealing the last connected cell and the duration since the last connection. This flaw was attributed to O2’s Mavenir Unified Access Gateway (UAG), which was misconfigured to include debugging information in standard call signaling.
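The header list above and the misconfigured gateway described here suggest a simple defensive check: scan SIP signaling for the five headers the article names and strip them before they reach the far party's handset. The following is an added example (not code from the article, from Williams, or from Mavenir); the SIP response is constructed with placeholder values, and the header parser is deliberately minimal (no line folding or compact header forms).

```python
# Headers the article identifies as leaking subscriber or location data.
SENSITIVE_HEADERS = {
    "p-asserted-identity": "caller IMSI",
    "p-called-party-id": "recipient IMSI",
    "p-access-network-info": "recipient IMEI",
    "p-visited-network-id": "recipient network",
    "cellular-network-info": "recipient cell (LAC / Cell ID)",
}

# Constructed SIP 183 response; every identifier is a labelled placeholder.
SAMPLE_RESPONSE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP [2001:db8::1]:5060;branch=z9hG4bK-example",
    "From: <sip:+440000000000@ims.example.net>;tag=abc",
    "To: <sip:+440000000001@ims.example.net>;tag=def",
    "Call-ID: constructed-call-id@example",
    "CSeq: 1 INVITE",
    "P-Asserted-Identity: <sip:IMSI_PLACEHOLDER@ims.example.net>",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=CELLID_PLACEHOLDER",
    "Cellular-Network-Info: LAC_PLACEHOLDER;CELLID_PLACEHOLDER",
    "Content-Length: 0",
    "",
    "",
])


def parse_headers(message):
    """Return (start line, [(name, value), ...]); the body, if any, is ignored."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; skip rather than guess
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_leaks(message):
    """Map each sensitive header present (lower-cased) to what it exposes."""
    _, headers = parse_headers(message)
    return {n.lower(): SENSITIVE_HEADERS[n.lower()]
            for n, _ in headers if n.lower() in SENSITIVE_HEADERS}


def strip_leaks(message):
    """Rebuild the message without the sensitive headers, which is what an
    operator's signaling edge should do before forwarding to a subscriber."""
    start, headers = parse_headers(message)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in SENSITIVE_HEADERS]
    return "\r\n".join([start, *kept, "", ""])
```

Running `find_leaks` over captured signaling from a test handset is a quick way to confirm whether an IMS deployment exposes any of these headers to subscribers.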

Challenges in Disclosure and Resolution

Williams faced significant challenges in reporting the vulnerability due to O2’s lack of a clear vulnerability disclosure channel. This contrasts with competitors like EE, which have well-defined policies for such disclosures. The absence of an effective reporting mechanism delayed the resolution of the issue, potentially exposing O2’s 23 million mobile customers to location tracking by any individual with their phone number and basic technical knowledge.

Broader Context and Industry Implications

This incident underscores the critical importance of proper security configurations in complex telecommunications systems like VoLTE. It also highlights the necessity for mobile network operators to establish clear and accessible channels for vulnerability reporting to ensure timely identification and remediation of security flaws. The exposure of sensitive information such as IMSI, IMEI, and precise location data poses significant privacy risks, emphasizing the need for stringent security measures in the deployment of advanced communication technologies.

Conclusion

The O2 VoLTE vulnerability serves as a stark reminder of the potential privacy risks inherent in modern telecommunications infrastructure. It is imperative for network operators to prioritize security in their system configurations and to facilitate effective communication channels for reporting and addressing vulnerabilities. This proactive approach is essential to protect customer privacy and maintain trust in the rapidly evolving digital landscape.