O2 VoLTE: locating any customer with a phone call

341 points by kragniz 3 days ago

13 comments

lol768 3 days ago
> Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmedia.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.

This is really poor. And why is a Virgin Media address the closest best thing here? https://www.o2.co.uk/.well-known/security.txt should 200, not 404.

To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?

edent 3 days ago
O2 *used* to have a responsible disclosure address - but they removed it a few years back.

When I worked there (many years ago) the security team was excellent. When I emailed them about an issue last year, they were all gone.

andix 3 days ago
The really interesting part of this issue is that under most jurisdictions it probably won't even qualify as hacking. The data is sent out by the network voluntarily and during normal use.

There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to a URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.

Aeyxen 3 days ago
The wild part: this isn’t a theoretical bug. It’s implementation laziness that other UK networks already solved, as the post notes. ECI leaks have been called out since LTE rolled out—see papers like https://arxiv.org/abs/2106.05007 —and automated location mapping is trivial given open mast DBs.

daveoc64 1 day ago
O2 has claimed that the problem is now fixed: https://www.ispreview.co.uk/index.php/2025/05/o2-uk-fixes-volte-flaw-that-exposed-user-mobile-location-data.html

kjellsbells 3 days ago
Also very curious how the call initiator was able to see the call control messages (i.e. SIP). Aren't all these messages wrapped inside an encrypted GRE tunnel between handset and cell tower (and MME)? Being able to unpick GRE tunnel encryption would be a gigantic hole. Perhaps this only works because the OP is running analysis on their device, but even then I'm surprised that the pre-encryption payload is available.

celsoazevedo 3 days ago
Seems to be a serious problem. It's not that hard to root a phone, install NSG, and look at this info. O2 is also the largest mobile network in the UK and they have contracts with the government...

It's disappointing that they didn't reply, but I'm not surprised. O2 seems to be a mess internally. Anything that can't be fixed by someone at a store takes ages to fix (e.g. a bad number port). Their systems seem to be outdated, part of their user base still can't use VoLTE, their new 5G SA doesn't support voice and seems to over rely on n28 making it slow for many, their CTO blogs about leaving "vanity metrics behind"[0] even though they are usually the worst network for data, etc.

[0] https://news.virginmediao2.co.uk/leaving-the-vanity-metrics-behind-and-focusing-on-what-matters-customer-experience/

jonathantf2 3 days ago
I’m not sure how O2 are still in business - they’re the worst network by far, even Three with their diabolical backhaul situation is better. Only reason I have an O2 SIM along with my EE one is for Priority tickets/signal inside their venues

ajb 2 days ago
So giffgaff, who also use the O2 network, claim that they are unaffected as they have their own implementation of the service on top of O2's physical network. Which might be true, but I'm a bit suspicious as I know they are actually owned by the same company now, so consolidation is likely. If anyone tries replicating this on a giffgaff sim it would be good to know the result...

cloudref 3 days ago
Could you mitigate this by turning off VoLTE? I can see docs online for turning it off on an iPhone 11 - but my iPhone 15 doesn't have that option!

edude03 3 days ago
I don’t know anything about IMS but I assume they have to stay on the call long enough for the debug headers to be sent (like the tracing the call thing in every spy movie but real) and if that’s the case can this be mitigated by “just”* not answering calls from unknown numbers?

*yes I’m aware that means people you know who have your number could also exploit this

ivanvanderbyl 3 days ago
I’m curious to see if this exists on O2 in NZ. I switched to them last week because they do free roaming in Australia, and VoLTE calls.
usr1106 3 days ago
According to GDPR this is clearly illegal. I am pretty sure their subscriber contracts don't contain consent for sharing your location to any caller.

Now the UK has left the EU so GDPR no longer applies. But it is my understanding they have not changed any fundamental principles in whatever applies now?