Ethical Hacking News
A vulnerability was recently discovered in O2's 4G Calling (VoLTE) service, exposing user location data through network responses. This highlights the need for telecom providers to ensure their services adhere to standard implementations and to secure the protocols that carry sensitive data.
O2's 4G Calling (VoLTE) service has a significant vulnerability that leaks sensitive location data. The issue was discovered by researcher Daniel Williams while he was working around a bug in the Network Signal Guru app. IMSI and IMEI numbers, along with precise location data, can be extracted from SIP headers in VoLTE call messages. Attackers can pinpoint users' exact locations using small cell coverage data with an accuracy of just 100 square meters. O2 recently addressed the issue in its 4G Calling service, but the discovery highlights the importance of securing the protocols that carry sensitive data.
A recent discovery has shed light on a significant vulnerability in the 4G Calling (VoLTE) service of UK-based telecom provider O2. Researchers have found that due to an improper implementation of the IMS standard, sensitive location data of any O2 customer can be leaked through network responses, posing serious concerns for user privacy.
The issue was discovered by Daniel Williams, a researcher who utilized a rooted Google Pixel 8 and the Network Signal Guru (NSG) app to assess audio quality during a VoLTE call. However, due to a bug in NSG affecting modern Pixel devices with Samsung modems, the app failed to display the codec used for the call. To work around this issue, Williams manually examined the raw IMS signaling messages exchanged between the device and the network to extract necessary information.
During his investigation, Williams found that IMSI and IMEI numbers of both the caller's and recipient's phones could be extracted from SIP headers, along with precise location data like the recipient's network (O2), location area code (LAC), and cell ID. This sensitive data was revealed in messages exchanged during a VoLTE call, which raised significant privacy concerns.
"This is bad," reads an analysis published by Williams. "With all this information, we can make use of publicly crowdsourced data, collected by tools such as [cellmapper.net], to cross-reference this information and work out a general location of the user." This highlights the potential for attackers to pinpoint a user's exact location using small cell coverage data in dense urban areas, with an accuracy of just 100 square meters.
The researcher urged O2 to remove IMS/SIP headers and disable debug headers in messages to prevent potential privacy leaks. "Any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking," concluded the report. There is no apparent way to prevent this attack, as disabling 4G Calling does not prevent these headers from being revealed.
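The header removal urged above can be checked mechanically at the network edge. The following is an added example, not code from the article or from Williams's report: it audits a SIP message for cell-identity parameters and 15-digit subscriber or device identifiers, then drops the offending optional headers. The article does not name the headers involved, so the example assumes the standard P-Access-Network-Info header and a hypothetical X-Example-IMEI header, and every value in the sample message is constructed.

```python
import re

# Cell-identity parameters of P-Access-Network-Info (3GPP TS 24.229).
CELL_PARAM = re.compile(r"(?:utran-cell-id-3gpp|cgi-3gpp)\s*=\s*\"?[0-9A-Fa-f]+", re.I)
DIGITS15 = re.compile(r"(?<!\d)\d{15}(?!\d)")  # IMSI and IMEI are both 15 digits
MANDATORY = {"via", "from", "to", "call-id", "cseq"}  # rewrite these, never drop

def luhn_ok(digits):  # heuristic: IMEIs end in a Luhn check digit, most IMSIs fail it
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse(raw):  # -> (start_line, [(name, value)], body); unfolds continuation lines
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            headers.append(tuple(p.strip() for p in line.split(":", 1)))
    return start, headers, body

def audit(raw):  # -> [(header, finding)] for values naming a subscriber, device or cell
    findings = []
    for name, value in parse(raw)[1]:
        if CELL_PARAM.search(value):
            findings.append((name, "cell-identity"))
        for m in DIGITS15.finditer(value):
            findings.append((name, "imei-like" if luhn_ok(m.group()) else "imsi-like"))
    return findings

def scrub(raw):  # drop flagged headers; mandatory ones stay flagged for rewriting
    start, headers, body = parse(raw)
    drop = {name.lower() for name, _ in audit(raw)} - MANDATORY
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in drop]
    return "\r\n".join([start, *kept]) + "\r\n\r\n" + body

# Constructed message: the X-Example-IMEI name and every value here are made up.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "From: <sip:001010123456789@ims.example>;tag=1928301774",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;",
    " utran-cell-id-3gpp=001010001000A1B2C",
    "X-Example-IMEI: 012345678901237",
]) + "\r\n\r\n"

print(audit(SAMPLE))
```

Running `audit()` on the output of `scrub()` still reports the `From` header, which is the signal that an identifier sits in a header the proxy has to rewrite instead of remove.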
O2 recently addressed this issue in its 4G Calling service, but the discovery has brought attention to the importance of adhering to standard implementations and securing the protocols that carry sensitive data. The incident serves as a reminder of the potential risks associated with outdated or improperly secured communication technologies.
Published: Tue May 20 15:07:27 2025 by llama3.2 3B Q4_K_M