Location data bug fixed by O2
- Dean Charlton

- May 20, 2025
A significant security flaw within O2 UK's Voice over LTE (VoLTE) and Wi-Fi Calling services recently came to light, potentially exposing sensitive personal data and locations of its subscribers. This vulnerability, stemming from the company's "4G Calling" service introduced in 2017, allowed unauthorised access to critical network information during active calls. While the IMS (IP Multimedia Subsystem) service was designed to enhance call quality and reliability, a security researcher's investigation revealed a concerning lapse in its implementation, presenting a privacy risk for millions of users.
The core of the issue lay in the excessive and unencrypted data exposed through the network's signaling messages. Security researcher Daniel Williams, who meticulously analysed the feature, found he could extract highly sensitive information directly from the network during a call. This included the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI), unique identifiers associated with a subscriber's SIM card and device, respectively. The sheer volume and detail of these responses, according to Williams, were unprecedented compared to other networks he had examined, even revealing internal server information and debugging data.

Crucially, the vulnerability wasn't a long-standing issue since the service's inception in 2017, but rather a more recent introduction. Williams's research indicated that the flaw was introduced in February 2023, meaning that for a period, O2 UK subscribers using these enhanced calling features were unknowingly susceptible to having their data compromised. This specific timeframe highlights a more recent misconfiguration or update that inadvertently opened this security loophole, rather than a fundamental design flaw from the outset.
The most alarming aspect of this discovery was the ability to pinpoint a user's location with significant precision. Using the Network Signal Guru app on a Pixel 8 device, Williams was able to intercept raw IMS signaling messages during a call. These messages contained information about the last cell tower the call recipient was connected to. Cross-referencing this data with publicly available cell tower maps allowed him to narrow down a person's location to within an estimated 100 square meters in urban environments. While less precise in rural areas, the potential for location tracking remained a serious privacy concern.
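An operator-side check for the kind of over-sharing described above can be sketched as an audit of signaling messages before they are delivered to a handset. The following is an added example, not code from Williams or O2: the article does not name the headers involved, so the `X-Debug-*` names are hypothetical, `P-Access-Network-Info` with its `utran-cell-id-3gpp` parameter is the standard 3GPP header assumed here for cell identity, and all values are constructed using the 001/01 test network code.

```python
import re

HOME_PLMN = "00101"  # assumption: MCC+MNC of the operator (001/01 is the test PLMN)
DIGITS15 = re.compile(r"(?<!\d)\d{15}(?!\d)")        # IMSI and IMEI are both 15 digits
CELL_PARAM = re.compile(r"cell-id[\w-]*=\"?[0-9A-Fa-f]+", re.I)

# Constructed sample. The X-Debug-* header names are hypothetical.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK776",
    "X-Debug-IMSI: 001010123456789",
    "X-Debug-IMEI: 350000000000006",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010000A01",
    "CSeq: 1 INVITE",
    "", "",
])

def luhn_ok(digits):
    """True if the string passes the Luhn check that IMEIs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_sip(message):
    """Return (header, kind) findings for one SIP message bound for a handset."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)          # unfold continuation lines
    findings = []
    for line in head.split("\n")[1:]:              # skip request/status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for token in DIGITS15.findall(value):
            if token.startswith(HOME_PLMN):
                findings.append((name.strip(), "imsi"))
            elif luhn_ok(token):
                findings.append((name.strip(), "imei"))
        if CELL_PARAM.search(value):
            findings.append((name.strip(), "cell-id"))
    return findings

if __name__ == "__main__":
    for header, kind in audit_sip(SAMPLE):
        print(f"leak: {kind} in {header}")
```

Roughly one in ten arbitrary 15-digit numbers passes the Luhn check, so an `imei` finding is a prompt for review rather than proof of a leak.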
The responsible disclosure process, though initially met with silence, ultimately led to a resolution. Williams made multiple attempts to contact O2 UK about his findings. While his initial outreach went unanswered, the company eventually acknowledged the issue and, importantly, confirmed that the vulnerability had been addressed. Williams independently verified the fix, ensuring that the critical flaw had indeed been patched, thereby restoring a vital layer of privacy for O2 UK's VoLTE and Wi-Fi Calling users.
This incident serves as a stark reminder of the ongoing importance of rigorous security auditing in telecommunications. Even seemingly innocuous technical details, like the verbosity of network responses, can harbor significant security risks. As mobile networks evolve and integrate new services, continuous vigilance and proactive security research are paramount to safeguard user data and maintain trust in the digital infrastructure that underpins modern communication.

