O2 VoLTE: locating any customer with a phone call

5/17/2025 at 1:20:18 PM

> Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmedia.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.

This is really poor. And why is a Virgin Media address the closest best thing here? https://www.o2.co.uk/.well-known/security.txt should 200, not 404.

To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?

by lol768

5/17/2025 at 11:40:50 PM

This one is actually on us. The email contacted was actually @virginmediao2.co.uk, not @virginmedia.co.uk. It's a typo in the article.

I'll update it with a correction.

by mrjeeves

5/18/2025 at 3:04:18 AM

I have spotted another error:

> is within LAC 0x1003 (decimal: 4009)

It should be decimal 4099.

by Mr_Minderbinder

5/18/2025 at 5:51:51 AM

How did you spot that?

by porridgeraisin

5/18/2025 at 6:58:55 AM

When you’ve been working with computers for long enough, the powers of 2 live in your head… and there’s no way 0x1000 is less than 4096 :)

by jaoane

5/18/2025 at 8:04:41 AM

I did the conversion in my head as I was reading.

by Mr_Minderbinder

5/18/2025 at 9:44:18 AM

Oops. Thanks.

by mrjeeves

5/18/2025 at 5:46:31 AM

There are several email addresses listed in the privacy policy (a GDPR requirement). Maybe somebody is listening there. E.g. DPO@o2.com

https://www.o2.co.uk/termsandconditions/privacy-policy

by morsch

5/18/2025 at 12:55:58 PM

You could file an SAR with them to find out what they’re doing internally with anything with your name linked to it. Might also be preemptively contacting https://www.openrightsgroup.org/ to get the narrative on your side, in case they come knocking with the CMA.

by madaxe_again

5/17/2025 at 7:24:53 PM

O2 used to have a responsible disclosure address - but they removed it a few years back.

When I worked there (many years ago) the security team was excellent. When I emaileld them about an issue last year, they were all gone.

by edent

5/17/2025 at 11:36:16 PM

We know the relevant team within O2 was actually informed, but evidently no action (or insufficient action) was taken.

by mrjeeves

5/17/2025 at 8:42:19 PM

[flagged]

by throw8388844848

5/17/2025 at 8:54:30 PM

Imagine wasting the time to create a new account just to blame diversity for this when you have no idea what happened to the team or seem to be familiar with O2's incompetent management...

by throw123xz

5/17/2025 at 9:02:17 PM

Chances are high it's just a bot. Sample prompt:

"Select one comment which would be suitable for a passive agressive an anti DEI post. Return the ID of the original comment and an answer."

by andix

5/17/2025 at 8:44:49 PM

Lol, they were probably replaced by empty space. Diversity is expensive, not having employees at all is cheap.

by andix

5/17/2025 at 8:56:44 PM

How do you even manage to always throw politics into the most random topics? Like having a ghetto blaster, which you play in the most inappropriate places.

by razemio

5/17/2025 at 9:45:17 PM

There must be a name for the rule that says if you're going to play music at an obnoxious level in public that it must be shitty music.

by dylan604

5/17/2025 at 10:24:21 PM

[flagged]

by andix

5/17/2025 at 8:37:33 PM

The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking. The data is sent out by the network voluntarily and during normal use.

There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to an URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.

by andix

5/17/2025 at 11:13:52 PM

It is, however, a data breach, triggering the requirement for them to report it to the regulator immediately or get fined, etc etc (if such rules exist in the UK)

by immibis

5/18/2025 at 1:57:46 PM

I suppose even if O2 isn't in EU jurisdiction they could apply pressure since the example showed a Denmark customer being impacted. Maybe that telco in Denmark can't peer with O2 if O2 can't secure their EU customers data.

by wyldfire

5/17/2025 at 10:27:28 PM

> The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking

You clearly aren’t familiar with how broad the Computer Misuse Act is

by 18172828286177

5/17/2025 at 10:51:05 PM

> You clearly aren’t familiar with how broad the Computer Misuse Act is

No, I'm not familiar with it at all. But usually illegal hacking requires to access devices in a way you aren't allowed to access. As long as making the phone call itself is not an issue, it should be fine. Dumping data from the memory of your phone can't be unauthorized.

It would probably become an issue if you make unusual phone calls, harassing people with constantly calling, or calling just for the purpose of getting the location data and immediately hanging up. But just dumping the diagnostics for regular phone calls should be fine (I'm not a lawyer).

by andix

5/17/2025 at 11:07:09 PM

> Dumping data from the memory of your phone can't be unauthorized.

> just dumping the diagnostics for regular phone calls should be fine

IANAL, but computer hacking laws like the CMA in the UK and CFAA in the US are written in a manner so vague that even pressing F12 to view the source of a web page could be a violation [0]. From O2's perspective, they could argue that the OP has accessed their internal diagnostic data in an unauthorized manner. What we (technical people) think is irrelevant.

[0]: In the US, the DOJ has revised its policy to not prosecute defendants pursuing "good faith security research," which you may trust at your own risk: https://www.justice.gov/archives/opa/pr/department-justice-a...

by watusername

5/17/2025 at 11:36:57 PM

I don't have a lot of knowledge about US and UK law, but I hear a lot of bad things.

"good faith security research" is a different ballpark though. Some laws catch all unauthorized access, even if the intent is not in a bad faith (which is probably a very bad idea, but that's how it is). But it also makes sense to some point: if your neighbor has a really bad lock that can be opened just by hitting the door frame a few times, you're also not allowed to break in just to disclose their bad security.

Usually some deliberate action needs to be taken that qualifies as unauthorized access. Something like adding a malformed header to a HTTP request could be enough. Or logging in with credentials that are clearly not yours (even if it's just admin/admin). But logging the traffic of regular and authorized usage patterns shouldn't be enough.

by andix

5/18/2025 at 3:14:18 PM

Legally, using any tool that allows you to view raw cellphone traffic from your own phone is already unauthorized access (probably).

Famously, in Germany, it's illegal to be carrying a laptop on which nmap is installed. Everyone (who has a laptop and knows how to use nmap) still does it. It's one of those crimes which they get you for if they don't like you but you didn't commit any actual crime.

by immibis

5/18/2025 at 12:28:09 AM

It's tough, but when the people don't respond what do you do?

Do you just sit on the info, hoping noone else sees it and exploits it?

Or do you try and get them to fix it somehow?

by mrjeeves

5/18/2025 at 2:00:46 AM

First of all, thank you for trying to resolve this with the carrier and finally bringing it up to everyone's attention here. Perhaps public attention is what's needed to push them to address the problem.

To be honest, I personally would be scared to report such vulnerabilities with my real identity to begin with. With big tech companies, no matter how poorly their bug bounty programs are run, I still have this naive expectation that they won't shoot the messenger. At worst they could ban my accounts and maybe send threatening letters, but they probably won't ruin my life as long as I abide by the norms (agreed by technical people).

However, I do not feel the same naive optimism towards "legacy" institutions like telecoms and public services. At best it's thankless work, at worst I get sued [0] or become a scapegoat so some official could score some political points [1]. It's unfortunate - I am acutely aware that this is chilling effect at work, and our systems are collectively less secure because of it.

[0]: https://www.cnbc.com/2024/09/15/dark-web-expert-warned-us-ho... [1]: https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-...

by watusername

5/18/2025 at 12:03:09 PM

Being a customer yourself, I guess you could sue them

by prmoustache

5/18/2025 at 10:11:03 AM

The wild part: this isn’t a theoretical bug. It’s implementation laziness that other UK networks already solved, as the post notes. ECI leaks have been called out since LTE rolled out—see papers like https://arxiv.org/abs/2106.05007—and automated location mapping is trivial given open mast DBs.

by Aeyxen

5/18/2025 at 1:34:11 PM

Probably panicking and waiting to be told what to do by the security services that have been using this.

by MortyWaves

5/19/2025 at 6:49:26 AM

All of the information leaked in the headers is already readily available through lawful interception.

by kylpytakki

5/19/2025 at 10:34:28 AM

O2 has claimed that the problem is now fixed: https://www.ispreview.co.uk/index.php/2025/05/o2-uk-fixes-vo...

by daveoc64

5/19/2025 at 11:46:23 AM

The submitted post was updated this morning

>O2 reached out to me via email to confirm that this issue has been resolved. I have validated this information myself, and can confirm that the vulnerability does appear to be resolved.

by crtasm

5/19/2025 at 12:33:08 PM

From their statement "Our engineering teams have been working on and testing a fix for number of weeks". Can you image if a database was knowingly left unsecured for that long with data that sensitive and seemingly without telling anyone. It will be interesting to see how the ICO deal with this.

by ollybee

5/17/2025 at 10:02:01 PM

Also very curious how the call initiator was able to see the call control messages (ie SIP). Arent all these messages wrapped inside an encrypted GRE tunnel between handset and cell tower (and MME)? Being able to unpick GRE tunnel encryption would be a gigantic hole. Perhaps this only works because the OP is running analysis on their device, but even then I'm surprised that the pre-encryption payload is available.

by kjellsbells

5/17/2025 at 11:35:21 PM

Hello, article editor here. Many Android devices with Qualcomm chips offer the option to expose a modem diagnostics port over USB meaning a rooted device isn't even needed. It's just much easier to use NSG rooted on-device than going around with a laptop places.

It's as simple as using Scat (https://github.com/fgsect/scat) with the modem diag port enabled to view all signalling traffic to/from the network.

by mrjeeves

5/17/2025 at 11:09:08 PM

They're using a rooted Android phone and an app called Network Signal Guru: https://play.google.com/store/apps/details?id=com.qtrun.Quic...

At least the free version of the app doesn't seem to "decrypt" anything, but it has root access and access to the modem, so it can read these logs. It can also disable bands and try to lock to a specific mast (like dedicated 4G/5G routers can), which is useful if you're trying to use mobile data as your main internet connection.

by celsoazevedo

5/17/2025 at 11:14:57 PM

Right, so, that's the hacking tool they'll soon get prosecuted for using, while the problem will remain unfixed.

by immibis

5/18/2025 at 5:18:55 AM

Many operators do configure the SIP signaling for VoLTE to use an IPsec transport terminated at the P-CSCF, but most (if not all) of them only configure IPsec to provide integrity protection.

by kevvok

5/17/2025 at 10:42:29 PM

i think you meant GTP tunnel. And GTP tunnel is between enodeb and core network. it's secured only in case that it run inside IPSEC.

by tguvot

5/18/2025 at 12:13:50 PM

Doh! Yes, of course. Thank you

by kjellsbells

5/18/2025 at 12:13:25 PM

^^edit: GTP.

by kjellsbells

5/17/2025 at 8:25:12 PM

Seems to be a serious problem. It's not that hard to root a phone, install NSG, and look at this info. O2 is also the largest mobile network in the UK and they have contracts with the government...

It's disappointing that they didn't reply, but I'm not surprised. O2 seems to be a mess internally. Anything that can't be fixed by someone at a store takes ages to fix (eg: a bad number port). Their systems seem to be outdated, part of their user base still can't use VoLTE, their new 5G SA doesn't support voice and seems to over rely on n28 making it slow for many, their CTO blogs about leaving "vanity metrics behind"[0] even though they are usually the worst network for data, etc.

[0] https://news.virginmediao2.co.uk/leaving-the-vanity-metrics-...

by celsoazevedo

5/18/2025 at 9:03:34 AM

I’m starting to think the reason they don’t charge for EU roaming is because they don’t have a system to do it.

by badgersnake

5/18/2025 at 10:08:26 AM

I’m not sure how O2 are still in business - they’re the worst network by far, even Three with their diabolical backhaul situation is better. Only reason I have an O2 SIM along with my EE one is for Priority tickets/signal inside their venues

by jonathantf2

5/18/2025 at 12:02:49 PM

They've got a lot better if you have access to their 5G Standalone network. But it does require a new SIM card + compatible phone. It's night and day...

by martinald

5/18/2025 at 1:38:34 PM

So giffgaff,who also use the O2 network, claim that they are unaffected as they have their own implementation of the service on top of O2s physical network. Which might be true, but I'm a bit suspicious as I know they are actually owned by the same company now,so consolidation is likely. If anyone tries replicating this on a giffgaff sim it would be good to know the result...

by ajb

5/18/2025 at 1:43:01 PM

They've been owned by Telefónica for a while. IIRC Telefónica acquired O2 in 2006, and launched Giffgaff as a new brand in 2009.

by signal11

5/18/2025 at 3:19:14 PM

I've tested this on the giffgaff network, and it does have an impact. I'm not sure how they came to a different conclusion.

by scoopyboy

5/17/2025 at 9:34:30 PM

Could you mitigate this by turning off VoLTE? I can see docs online for turning it off on an iPhone 11 - but my iPhone 15 doesn't have that option!

by cloudref

5/17/2025 at 9:59:01 PM

> Disabling 4G Calling does not prevent these headers from being revealed, and if your device is ever unreachable these internal headers will still reveal the last cell you were connected to and how long ago this was.

So it seems like that won't do anything.

by mdasen

5/18/2025 at 8:09:24 AM

One annoyance with O2 UK is that they don't support VoLTE for legacy pay-as-you-go customers, only pay-monthly. Now I'm actually kind-of glad for that.

by briansm

5/18/2025 at 9:45:25 AM

Coming second half of this year!

by mrjeeves

5/18/2025 at 1:37:27 PM

Cool, hopefully before their wide-scale 3G switch-off starting August.

by briansm

5/17/2025 at 8:04:58 PM

I don’t know anything about IMS but I assume they have to stay on the call long enough for the debug headers to be sent (like the tracing the call thing in every spy movie but real) and if that’s the case can this be mitigated by “just”* not answering calls from unknown numbers?

*yes I’m aware that means people you know who have your number could also exploit this

by edude03

5/17/2025 at 8:53:15 PM

I guess this information is already known to the network before the connection is even established. Those seem to be debugging headers, you probably need them for cases where the connection can't be established properly to debug why. If I understand the article correctly, the information is even there if the receiving phone is turned off, then you get the last known cell.

by andix

5/17/2025 at 8:14:51 PM

IMS is just SIP core + bunch of gateways + integration with base LTE infra (eNodeB, PCRF, etc) so "signaling messages" are just SIP messages. So depending on whether those compromising headers were included on things like SIP 180 Ringing messages and such it may not be enough to not answer the calls. Source: actually worked on deploying IMS at a telco (not this one)

by dilyevsky

5/18/2025 at 12:05:04 AM

The headers are included in every single downlink message after initiating a call, including the downlink SIP Invite message before 100 Trying, 180 Ringing or 183 Session Progress.

If you're quick enough (or automate this with dedicated software, like an attacker might actually do), it won't even need to ring out. It's really not good.

by mrjeeves

5/18/2025 at 5:04:37 PM

that's wild. did you also try any callees connected to a different PLMN?

by dilyevsky

5/17/2025 at 10:34:13 PM

I’m curious to see if this exists on O2 in NZ. I switched to them last week because they do free roaming in Australia, and VoLTE calls.

by ivanvanderbyl

5/18/2025 at 12:00:40 AM

I doubt it. This is likely O2 UK specific.

by mrjeeves

5/18/2025 at 12:39:18 AM

This only affects O2, not EE/VF/3, right?

by celsoazevedo

5/17/2025 at 9:09:05 PM

According to GDPR this is clearly illegal. I am pretty sure their subscriber contracts don't contain consent for sharing your location to any caller.

Now UK has left the EU so GDPR does no longer apply. But it is my understanding they have not changed any fundamental principles in whatever applies now?

by usr1106

5/17/2025 at 9:18:24 PM

I'm no expert, but I'm fairly sure that UK GDPR applies, which is effectively the same as the EU version https://ico.org.uk/for-organisations/data-protection-and-the...

by palm-tree

5/17/2025 at 11:02:53 PM

Yes, it still exists. Most (all?) EU legislation that ended had to be explicitly revoked, since the UK was fairly diligent in transposing it to national legislation.

by ajb

5/18/2025 at 6:50:32 PM

[dead]

by dsharma94

5/17/2025 at 10:04:19 PM

[flagged]

by anonymousiam

5/17/2025 at 11:13:14 PM

Using what seems to be a misconfiguration of a network feature to support the opinion that the UK has no privacy is a bit weird. Not only other networks don't seem to have the same issue, but companies and people screw up sometimes.

Also, is that Nigel Farage the same one of Brexit fame? The one who ran away when Brexit turned out to be different from what he and his party promised? That guy is going to save UK's privacy and freedom? lol.

by throw123xz

5/17/2025 at 11:58:47 PM

Lots of these incels are surprised that the UK has different free speech laws to the US and are outraged that posting incendiary things on social media (racist violence-inciting anti-migrant comments) can lead to a visit from the police, arrest, and conviction...

Their genius is thinking posting things in public is related to "privacy"...

by netsharc

5/19/2025 at 9:25:35 AM

These days you get arrested and thrown in jail just for sending death threats to politicians.

by razakel

5/18/2025 at 12:34:20 AM

From my experience with the US IC, they "encourage" industry to "leak" data to their advantage. This example stinks of exactly the same tactic.

by anonymousiam

5/18/2025 at 12:49:54 AM

Could be, but considering that you have some police/government departments/public entities using this provider, it wouldn't be wise to leak their own data to everyone in the open like this.

On a side note, it's not the first time I've read a comment like the one you left above here on HN. As someone that lives in the UK, there seems to be a disconnection between what you guys write and what I see and experience daily. You make it look like no one can say anything or that this is a war zone... Don't take this the wrong way, but I recommend checking other news sources too because your view of the UK seems to be a bit "distorted".

by celsoazevedo

5/18/2025 at 6:03:03 AM

The strategy is a bit more complex than you assume. The "accidental" leak of information in this case will now be "fixed" because a researcher discovered and disclosed it. Plausible deniability is maintained. It's unlikely that any "bad actors" were tracking police/government entities with this exploit, because if they had been, their own communications would have revealed their activity to the surveillance state, and they would have been subject to raid and arrest.

What you see and experience daily is probably not much different than your average citizen of the P.R.C. They're also happy to go about their daily lives living in a surveillance state, with lower crime rates than yours, and similar unchecked governmental powers.

by anonymousiam

5/18/2025 at 2:15:31 PM

But in the PRC it's illegal to say you don't like the government, while in the UK it's illegal to say you're going to blow up a mosque because Muslims are rats.

Yes, in every country (including the USA) (excluding North Korea because it doesn't have social media) it's possible to get arrested based on a social media post. However, that's overly reductive. Has anyone paid attention to which posts get people arrested? No, because that wouldn't make the UK look nearly as evil as the people saying this stuff want it to look.

by immibis

5/17/2025 at 11:01:25 PM

> I hope that Nigel Farage will improve things when he becomes PM

He is likely to improve things the same way Trump improves things. They have a lot of common ground.

by lostlogin

5/18/2025 at 6:11:32 AM

I modded up your comment, because it's insightful, and doesn't reveal your opinion of either Trump or Farage. People who hate them both will agree with you as well as those who love them.

by anonymousiam