Original article: ISPreview UK
Mobile operator O2 (Virgin Media) has today informed ISPreview that they’ve finally resolved a nasty security issue with their 4G based Voice-over-LTE service (VoLTE or 4G Calling), which effectively made it possible for customers of the operator’s network to have their location tracked by almost anybody with access to their mobile number.
For context, 4G Calling technology means that any regular calls you make or receive will stay on the 4G mobile network (signal allowing) using the internet-based IP Multimedia Subsystem (IMS) standard, rather than dropping back to 2G or 3G. But Daniel Williams, writing on the excellent Mast Database website, this weekend revealed that O2’s implementation had been leaking sensitive data.
In short, O2’s implementation of IMS appeared to be leaking too much information to end-users. This meant that anyone with slightly more than a basic knowledge of mobile networks could figure out the general (approximate) location of other users on the same network – particularly in dense urban areas with more cells present (i.e. this would be less effective in rural areas, where there’s often a lot of distance between masts).
The data being leaked by O2’s headers (e.g. ‘Cellular-Network-Info’) would have allowed an attacker to identify that their target, whose number they had, was connected to the O2 network on an O2 SIM and what model of smartphone they were using (i.e. the recipient’s IMEI code is also exposed, as is their IMSI code). But the real problem came when O2 also exposed the recipient’s location data (e.g. Location Area Code (LAC) and Cell ID).
At this point it becomes possible to use publicly available data, such as related mast information on cellmapper.net, to cross-reference the above information and thus work out a general location of the user. “I also tested the attack with another O2 customer who was roaming abroad, and the attack worked perfectly with me being able to pinpoint them to the city centre of Copenhagen, Denmark,” said Daniel.
Just to be clear, Daniel’s device is nothing special (regular Smartphone) and not doing anything odd to the network. “All it is doing is allowing me to see the information being sent to it. This effectively means that every O2 device that is making a phone call on IMS is receiving information that can be used to trivially geolocate the recipient of the call,” added Daniel.
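As an added illustration (not code from the original article, from Daniel Williams or from O2), the sketch below shows the kind of check an operator could run at the network edge so that headers carrying cell data or subscriber identifiers are flagged and removed before a SIP message reaches a handset. The `X-Example-*` header names are hypothetical, every value in the sample message is constructed, and the parameter layout inside `Cellular-Network-Info` is an assumption.

```python
import re

# Headers that should stay inside the operator's core. Cellular-Network-Info is
# the header named in the article; P-Access-Network-Info (RFC 7315) carries the
# same kind of cell data. Treating both as internal-only is an assumption here.
LOCATION_HEADERS = {"cellular-network-info", "p-access-network-info"}
# IMSI and IMEI values are both 15 decimal digits.
ID_VALUE = re.compile(r"(?<!\d)\d{15}(?!\d)")

def audit_and_scrub(sip_message: str):
    """Return (findings, scrubbed_message) for one SIP message."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, findings, dropping = [lines[0]], [], False  # start line is kept as-is
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):        # folded continuation of previous header
            if not dropping:
                kept.append(line)
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in LOCATION_HEADERS:
            reason = "cell/location data"
        elif key.startswith(("p-", "x-")) and ID_VALUE.search(value):
            reason = "15-digit subscriber or device identifier"
        else:
            reason = None
        dropping = reason is not None
        if dropping:
            findings.append((name.strip(), reason))
        else:
            kept.append(line)
    return findings, "\r\n".join(kept) + sep + body

# Constructed sample response; no value here comes from a real network.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKexample",
    "From: <sip:+447700900001@ims.example>;tag=a1",
    "To: <tel:+447700900002>;tag=b2",
    "Call-ID: constructed-call-1@192.0.2.10",
    "CSeq: 1 INVITE",
    "X-Example-IMSI: 001010123456789",   # hypothetical header name
    "X-Example-IMEI: 490154203237518",   # hypothetical header name
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;"
    "utran-cell-id-3gpp=00101ABCD1234567;cell-info-age=120",
    "Content-Length: 0",
    "", "",
])
```

Running the same function over the scrubbed output should return no findings, which makes it usable as a regression test after a fix is deployed.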
Daniel Williams said:
“Any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking.
There is also no way to prevent this attack as an O2 customer. Disabling 4G Calling does not prevent these headers from being revealed, and if your device is ever unreachable these internal headers will still reveal the last cell you were connected to and how long ago this was.
Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmediao2.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.”
This is obviously very worrying, and it’s unclear how long O2’s network has been operating in this way. Many people expose their mobile numbers in public or have had them exposed via past data breaches, which would no doubt further amplify the concerns for users of O2’s network around this issue. But O2 today informed ISPreview that they’ve now resolved this issue.
A VMO2 spokesperson told ISPreview:
“Our engineering teams have been working on and testing a fix for a number of weeks – we can confirm this is now fully implemented and tests suggest the fix has worked and our customers do not need to take any action.”
Hopefully Daniel will be able to confirm this shortly. Credits to the many readers who dropped us an email about this on Saturday and Sunday, particularly the first one, Julian.