A Critical Vulnerability in O2 UK’s VoLTE and WiFi Calling: An Analytical Overview
A significant flaw in O2 UK’s implementation of Voice over LTE (VoLTE) and WiFi Calling presents a considerable cybersecurity risk by potentially exposing users’ geographical locations and identifiers through call interactions.
Discovery of the Vulnerability
The vulnerability was identified by cybersecurity researcher Daniel Williams, who reported that this flaw has persisted within O2 UK’s network since March 27, 2017, and has only recently been addressed. O2 UK, a major telecommunications provider owned by Virgin Media O2, serves approximately 23 million mobile customers and 5.8 million broadband clients across the UK, making it one of the country’s key service providers.
In March 2017, O2 UK introduced its IP Multimedia Subsystem (IMS) service, branded as “4G Calling,” aiming to enhance audio quality and call reliability. However, this upgrade inadvertently introduced significant security concerns.
Examination of SIP Headers Reveals Sensitive Data
Williams conducted a thorough analysis of the signaling messages exchanged during VoLTE calls. His findings indicated that the Session Initiation Protocol (SIP) headers were excessively verbose, revealing critical information such as International Mobile Subscriber Identity (IMSI), International Mobile Equipment Identity (IMEI), and cellular location data.
“The response messages from the network were incredibly detailed and extensive, differing notably from my experiences with other networks,” Williams noted. He observed that the messages included data points like the IMS/SIP server used (Mavenir UAG), version numbers, error messages from the C++ services processing the calls, and various debugging information.
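As an added example (not from the original article, the researcher, or O2's systems), the code below shows how an operator-side check could flag and strip SIP response headers that carry the kinds of data described above before the response reaches the calling device. The message is constructed, the `X-Example-*` header names are hypothetical, and the Luhn test used to tell IMEI-like from IMSI-like values is a heuristic assumption.

```python
import re

# Constructed SIP response, not captured traffic. X-Example-* header names are
# hypothetical; P-Access-Network-Info and Server are standard SIP headers.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKexample",
    "Server: ExampleUAG/1.2.3",
    "X-Example-IMSI: 001010123456789",
    "X-Example-IMEI: 490154203237518",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010A1B2C3",
    "Content-Length: 0",
    "", "",
])

FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")   # IMSI and IMEI are 15 digits
CELL_ID = re.compile(r"cell-id-3gpp=", re.I)          # access-network cell identity
VERSION = re.compile(r"/\d+(\.\d+)+")                 # product/x.y.z style token

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; IMSIs carry no check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(name, value):
    """Return the leak categories found in one header (heuristic, value-based)."""
    kinds = []
    for m in FIFTEEN_DIGITS.finditer(value):
        kinds.append("imei-like" if luhn_ok(m.group()) else "imsi-like")
    if CELL_ID.search(value):
        kinds.append("cell-id")
    if name.lower() in ("server", "user-agent") and VERSION.search(value):
        kinds.append("software-version")
    return kinds

def audit_and_strip(message):
    """Return (findings, cleaned); flagged headers are dropped from the head."""
    head, sep, body = message.partition("\r\n\r\n")
    start_line, *headers = head.split("\r\n")
    findings, kept = [], [start_line]
    for line in headers:
        name, _, value = line.partition(":")
        kinds = classify(name.strip(), value)
        if kinds:
            findings.append((name.strip(), kinds))
        else:
            kept.append(line)
    return findings, "\r\n".join(kept) + sep + body
```

Matching on header values rather than names means the check still fires when a vendor-specific header with an unfamiliar name carries the identifier.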
Vulnerability Exploitation: Location Tracking via Call
Utilizing the Network Signal Guru (NSG) application on a rooted Google Pixel 8, Williams intercepted raw IMS signaling messages during a call and decoded the cell ID to ascertain the last cell tower connected to the call recipient. By leveraging publicly available tools that provide cell tower geolocation data, he successfully pinpointed the geographic coordinates of the tower.
In urban areas, this exploitation technique can yield an accuracy of 100 square meters (approximately 1076 square feet), while in rural regions, the precision diminishes yet remains somewhat revealing. Williams even confirmed that this methodology effectively tracked a test subject located in Copenhagen, Denmark.
O2 UK’s Acknowledgment and Response
Following his discoveries, Williams reached out to O2 UK multiple times on March 26 and 27, 2025, to report the vulnerability, but initially received no replies. Ultimately, he secured direct confirmation from O2 UK that the flaw had been rectified, which he verified through further testing.
A spokesperson from Virgin Media stated, “Our engineering teams have been diligently working on a fix over the past few weeks—we can confirm that this has now been fully implemented. Tests indicate that the fix has indeed resolved the concern, and customers do not need to take any further action.”
BleepingComputer asked whether the vulnerability had already been exploited and whether O2 UK planned to inform affected customers, but no response was provided.
Conclusion
This incident underscores the critical importance of network security, especially in telecommunications where sensitive data can be inadvertently exposed. As cybersecurity threats evolve, it is imperative for service providers to adopt stringent security measures and maintain transparent communication with their customers regarding vulnerabilities and resolutions. Keeping abreast of best practices in cybersecurity can mitigate risks and enhance consumer trust in digital communication services.
For telecom companies and consumers alike, vigilance and proactive measures in cybersecurity are essential in safeguarding personal information from emerging threats.