Major UK telco leaks user geolocation and other metadata during calls

Customers of major UK telecommunications giant O2 have been having their location and other metadata leaked by the company for as many as eight years.

The flaw, which leaked a large amount of data when users made calls, was exposed by Daniel Williams, a UK security researcher.

According to Williams, the flaw first emerged on 27 March 2017 when O2 UK launched its “4G Calling” service, which offered better call quality as it prevented a device dropping to 3G during a call.

4G calling is an IP Multimedia Subsystem (IMS) product, a standard used for Voice over LTE (VoLTE) calls.

Williams discovered the flaw not long after becoming an O2 customer. Using Network Signal Guru (NSG) on his Google Pixel 8, Williams called another user through 4G Calling on a 4G VoLTE-compatible device.

Rather than just discovering details about audio quality and voice codec support, as intended, Williams received a lot more, describing O2’s Session Initiation Protocol (SIP) responses as incredibly detailed.

“Quite quickly I realised something was wrong. The responses I got from the network were extremely detailed and long, and were unlike anything I had seen before on other networks,” he said.

“The messages contained information such as the IMS/SIP server used by O2 (Mavenir UAG) along with version numbers, occasional error messages raised by the C++ services processing the call information when something went wrong, and other debugging information.”

The metadata that Williams received allowed him to determine what device the call recipient was using, that they were using an O2 SIM and were on the O2 network, and which local area code (LAC) they were in, along with their Cell ID.

Using publicly crowdsourced data, such as cellmapper.net, Williams was able to identify the location of the call recipient.

A second test allowed him to determine the location of an O2 customer outside of the UK, pinpointing them in Copenhagen, Denmark.

For cities where mobile towers are common and coverage is dense, the accuracy of the location was within 100 square meters, while in rural areas, the location was broader.
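The mitigation for this class of leak is to strip location- and implementation-revealing headers from SIP messages before they leave the operator's trust domain. The sketch below is an added example, not code from O2, Mavenir or Williams's report; the article does not name the headers involved, so the blocklist assumes the standard `P-Access-Network-Info` (RFC 7315), `Server` and `User-Agent` (RFC 3261) headers, and the sample message is constructed.

```python
# Added example: scrub sensitive headers from a SIP message at the network edge.
# Blocklist is an assumption (standard headers), not taken from the article.
SENSITIVE_HEADERS = frozenset({
    "p-access-network-info",  # RFC 7315: access type and cell identity
    "server",                 # RFC 3261: server software name and version
    "user-agent",             # RFC 3261: device / client software
})

def scrub_sip(message, extra=()):
    """Return (cleaned_message, removed_header_names) for one SIP message."""
    blocked = SENSITIVE_HEADERS | {h.lower() for h in extra}
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, removed = [lines[0]], []   # the start line is always kept
    dropping = False
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # folded continuation of the previous header
            if not dropping:
                kept.append(line)
            continue
        name = line.split(":", 1)[0].strip().lower()  # names are case-insensitive
        dropping = name in blocked
        if dropping:
            removed.append(name)
        else:
            kept.append(line)
    return "\r\n".join(kept) + sep + body, removed

# Constructed sample response (test PLMN 001/01, documentation addresses).
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKexample",
    "From: <sip:caller@example.invalid>;tag=1",
    "To: <sip:callee@example.invalid>;tag=2",
    "Call-ID: constructed-call-id@example.invalid",
    "CSeq: 1 INVITE",
    "Server: ExampleIMS/0.0",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;",
    " utran-cell-id-3gpp=0010100010000001",
    "Content-Length: 0",
    "", "",
])

if __name__ == "__main__":
    cleaned, removed = scrub_sip(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

Vendor-specific debug headers can be added through the `extra` argument once they have been identified in captured traffic.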

With this information, Williams contacted O2 UK on 26 and 27 March 2025 to report the flaw but received no response.

“I’m extremely disappointed as an O2 customer to see a lack of any escalation route to report this kind of potential vectors for attack,” he said.

Only after he published his report did O2 reach out and confirm that the flaw had been fixed, a claim that Williams verified.

O2’s parent company, Virgin Media, responded to BleepingComputer’s request for comment, confirming that the flaw had been patched.

“Our engineering teams have been working on and testing a fix for a number of weeks – we can confirm this is now fully implemented, and tests suggest the fix has worked, and our customers do not need to take any action,” said a Virgin Media spokesperson.

O2 is one of the largest telecommunications providers in the UK, with 5.8 million broadband and almost 23 million mobile customers across the country.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding of and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.