HQ/EMEAFind out how we can help your business
O2 has addressed a vulnerability in implementing VoLTE and WiFi Calling technologies that could have allowed malicious actors to determine a mobile user’s general location and other identifying details simply by placing a call.
A researcher discovered the flaw, which has persisted on the company’s network since March 27, 2017, and has since been resolved.
As one of the UK’s major telecommunications providers, O2 serves millions of mobile and broadband customers nationwide. In 2017, the company introduced an IP Multimedia Subsystem (IMS) service, branded as a feature offering improved call quality and reliability.
During an analysis of call traffic, the researcher found that the Session Initiation Protocol (SIP) headers exchanged during IMS calls were excessively detailed—these signalling messages exposed sensitive information, including the IMSI, IMEI, and cell tower location data.
According to the researcher, the network responses were unusually verbose compared to other providers. The SIP messages reportedly included the IMS/SIP server in use, software version numbers, error reports from backend systems, and internal debugging data.
To demonstrate the issue, the researcher used a diagnostic mobile application on a rooted smartphone to capture raw IMS signalling messages during a call. By decoding the cell ID in these messages, the researcher could identify the last tower used by the recipient’s device.
Using publicly available cell tower databases, the tower’s location could be mapped with varying accuracy. In urban areas with dense network coverage, location estimates could be accurate within 100 square meters.
Although less precise in rural regions, the data still had the potential to expose a user’s whereabouts.
The technique was also shown to work across international borders, with the researcher successfully determining the location of a test subject in another European country.
O2 was given a heads-up about the vulnerability a couple of months ago.
The researcher attempted to notify O2 of the issue on March 26 and 27, 2025. While initial outreach received no response, the company eventually acknowledged the vulnerability and confirmed that a fix had been implemented. The researcher later verified that the issue had been resolved through follow-up testing.
In an official statement, an O2 spokesperson confirmed that the patch had been fully deployed and that no customer action was necessary.
The spokesperson stated that their engineering teams have developed and tested a fix over the past several weeks. Hence, it is now fully deployed and functioning as expected, with no customer action required.
