Pierluigi Paganini
May 20, 2025
A flaw in 4G Calling (VoLTE) service of the UK telecom O2 exposed user location data through network responses due to flaws in the IMS standard implementation.
4G Calling, also known as VoLTE (Voice over LTE), is a technology that allows voice calls to be made over a 4G/LTE mobile network rather than older 2G or 3G networks.
O2’s 4G Calling service transmits voice as data, but UK researcher Daniel Williams found it leaked sensitive info, like IMSI, IMEI, and location data, in the messages.
The researcher, using a rooted Google Pixel 8 and the Network Signal Guru (NSG) app, attempted to assess audio quality during a VoLTE call to another O2 customer. However, due to a bug in NSG affecting modern Pixel devices with Samsung modems, the app failed to display the codec used for the call. To work around this issue, the researcher manually examined the raw IMS signaling messages exchanged between the device and the network to extract the necessary information.
Williams discovered unusually detailed IMS signaling messages during a call, revealing sensitive information. These messages exposed both the caller’s and recipient’s IMSI and IMEI numbers, as well as precise location data like the recipient’s network (O2), location area code (LAC), and cell ID. This data, typically hidden, was found in SIP headers and could potentially be used to identify and track individuals, raising serious privacy concerns.
“This is bad. With all this information, we can make use of publicly crowdsourced data, collected by tools such as cellmapper.net, to cross-reference this information to work out a general location of the user.” reads the analysis published by the researcher. “I also tested the attack with another O2 customer who was roaming abroad, and the attack worked perfectly with me being able to pinpoint them to the city centre of Copenhagen, Denmark.”
The researcher pointed out that in dense urban areas, the flaw could let attackers pinpoint a user’s location within as little as 100 square meters using small cell coverage data.
The researcher urges O2 to remove IMS/SIP headers and disable debug headers in messages to prevent potential privacy and data leaks.
“Any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking.” concludes the report. There is also no way to prevent this attack as an O2 customer. Disabling 4G Calling does not prevent these headers from being revealed, and if your device is ever unreachable these internal headers will still reveal the last cell you were connected to and how long ago this was”
O2 recently addressed this issue in its 4G Calling service.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
