O2 VoLTE Flaw Allows Tracking of Customers’ Locations Through Phone Calls

A significant privacy vulnerability in O2 UK’s Voice over LTE (VoLTE) implementation was recently discovered, allowing any caller to access precise location data of call recipients.

The security flaw, which exposed sensitive information through IMS (IP Multimedia Subsystem) signaling messages, has now been resolved according to O2, who contacted the researcher on May 19, 2025, to confirm the fix.

The vulnerability, discovered in March 2025, revealed that O2’s implementation of VoLTE was inadvertently exposing sensitive customer data in standard cellular communications.

When making calls using O2’s “4G Calling” service, the network transmitted detailed technical information in IMS signaling messages, including both the caller’s and recipient’s IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity) numbers, which uniquely identify SIM cards and devices respectively.

Most concerning was the inclusion of “Cellular-Network-Info” headers containing cell tower identification data.

These headers provided the recipient’s network PLMN (Public Land Mobile Network), Location Area Code (LAC), and specific Cell ID.

Figure: Cell ID

This technical information effectively revealed the approximate geographical location of the call recipient, with particular accuracy in urban areas where cell coverage zones are smaller.

Technical Exploitation Required Minimal Expertise

The researcher demonstrated that exploiting this vulnerability required minimal technical expertise.

Using a rooted Google Pixel 8 smartphone with the Network Signal Guru (NSG) application, they were able to view raw IMS signaling messages during calls.

By cross-referencing the exposed Cell IDs with publicly available crowdsourced data from services like cellmapper.net, an attacker could pinpoint a call recipient’s location.

The vulnerability affected all O2 customers using VoLTE, even when roaming internationally, as demonstrated by the researcher successfully locating a test subject in Copenhagen, Denmark.

Figure: Location of eNB 107258 on 3DK

Importantly, customers could not protect themselves by disabling 4G Calling, as the headers were still revealed whenever a device was contacted via O2’s network.

This effectively means that every O2 device that is making a phone call on IMS (4G Calling / WiFi Calling) is receiving information that can be used to trivially geolocate the recipient of the call.

Resolution After Security Disclosure

The security researcher attempted to responsibly disclose the vulnerability to O2 in late March 2025, contacting both CEO Lutz Schüler and O2’s security incidents email address.

After receiving no initial response, they published their findings publicly, noting the lack of a clear security vulnerability reporting pathway at O2 compared to competitors like EE.

On May 19, O2 confirmed via email that they had addressed the issue, which the researcher independently verified.

The fix likely involved removing the problematic headers from all IMS/SIP messages transmitted across their network.
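One way an operator could audit signaling for this class of leak and strip the location header before a message leaves the network, as an added example (not code from the article, the researcher or O2). The sample message, its header values and the `X-Example-Device` header name are constructed; only the `Cellular-Network-Info` header name comes from the article.

```python
import re

# "Cellular-Network-Info" is the header named in the article; the set is meant
# to be extended with whatever else an operator's own audit turns up.
LEAKY_HEADERS = {"cellular-network-info"}
FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")  # IMSI and IMEI are 15 digits

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_and_strip(sip_message):
    """Return (sanitized_message, findings) for one raw SIP message."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, findings, dropping = [lines[0]], [], False   # lines[0] is the start line
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):         # folded continuation of previous header
            if not dropping:
                kept.append(line)
            continue
        name, _, value = line.partition(":")
        name = name.strip()
        dropping = name.lower() in LEAKY_HEADERS
        if dropping:
            findings.append((name, "location header removed"))
            continue
        for digits in FIFTEEN_DIGITS.findall(value):
            kind = "possible IMEI" if luhn_ok(digits) else "possible IMSI"
            findings.append((name, kind))   # flagged for review, not removed
        kept.append(line)
    return "\r\n".join(kept) + sep + body, findings

# Constructed sample message: header values and X-Example-Device are made up.
SAMPLE = (
    "SIP/2.0 183 Session Progress\r\n"
    "Call-ID: constructed-example@invalid\r\n"
    "Cellular-Network-Info: constructed;\r\n\tcell-id=EXAMPLE\r\n"
    "X-Example-Device: 490154203237518\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

Headers carrying 15-digit identifiers are only reported here, because the article does not name the headers that held the IMSI and IMEI; an operator would add them to `LEAKY_HEADERS` once identified.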

This incident highlights the privacy risks inherent in complex telecommunications implementations and the importance of thorough security auditing of cellular network protocols.

While the vulnerability has been resolved, it demonstrates how modern communications infrastructure can inadvertently leak private information through seemingly innocuous technical implementation details.
