Ethical Hacking News
O2 UK Patches Critical Flaw Exposing Mobile User Location
A recent security issue on O2 UK's network revealed a critical flaw in its implementation of VoLTE and WiFi Calling technologies, allowing anyone to expose users' locations. The company has since patched the vulnerability but not before several weeks of testing and implementation.
O2 UK patched a critical vulnerability in VoLTE and WiFi Calling technologies, exposing user location data. The issue was discovered by security researcher Daniel Williams on O2 UK's network since March 27, 2017. The flaw existed in the way O2 UK processed signalling messages exchanged during calls, containing sensitive information like IMSI and cell location data. Williams used tools to decode cell ID from raw IMS signalling messages, locating users in urban and rural areas, including foreign locations. O2 UK implemented a fix after multiple reports, stating customers don't need to take action to protect themselves.
O2 UK has announced that it has patched a critical vulnerability in its implementation of VoLTE and WiFi Calling technologies, which could have allowed anyone to expose the general location of a person and other identifiers by calling them. The issue was discovered by security researcher Daniel Williams, who first noticed it on O2 UK's network since March 27, 2017.
According to Williams, the flaw existed in the way that O2 UK processed signalling messages (SIP Headers) exchanged between communicating parties during calls. These messages contained sensitive information such as IMSI, IMEI, and cell location data, which could have been intercepted by anyone with access to the network. The responses from the network were described as "extremely detailed and long," including information about the IMS/SIP server used by O2 (Mavenir UAG), version numbers, error messages raised by the C++ services processing the call information when something went wrong, and other debugging information.
Williams utilized various tools that provided cell tower maps to decode the cell ID from raw IMS signalling messages exchanged during a call. Using these tools, he was able to locate users in both urban and rural areas, including in foreign locations such as Copenhagen, Denmark. He reported his findings to O2 UK on multiple occasions but did not receive any responses until he got direct confirmation from them that the issue had been fixed.
O2 UK has confirmed that they have implemented a fix for the vulnerability, stating that their engineering teams worked on and tested a solution over several weeks before it was fully implemented. The company assured customers that no action is required to protect themselves from this issue.
In conclusion, O2 UK's failure to address a critical security flaw in its network has raised serious concerns about the privacy of its mobile users. While the company has taken steps to patch the vulnerability and mitigate any potential damage, it remains to be seen whether adequate measures were taken beforehand to safeguard user data.
Related Information:
https://www.ethicalhackingnews.com/articles/O2-UK-Patches-Critical-Flaw-Exposing-Mobile-User-Location-ehn.shtml
Published: Mon May 19 15:48:30 2025 by llama3.2 3B Q4_K_M
