O2 was leaking user geolocation to anyone who was initiating a call


O2, a major telecommunications company operating in the United Kingdom, has been leaking user location data for at least a few months. Any attacker could obtain the user's location and other data just by initiating a call.

The now resolved critical flaw affected the telecom’s Voice over LTE (VoLTE) implementation.

Security researcher Daniel Williams discovered that O2 provides “extremely detailed and long” Session Initiation Protocol (SIP) responses to those who initiate the calls. SIP is a digital handshake for starting and managing phone calls over the Internet.


The researcher only wanted to check the audio quality and supported voice codecs for calls, so Williams analyzed O2 network responses using a rooted Google Pixel 8 phone with an app, Network Signal Guru (NSG). The researcher called another O2 customer with a 4G VoLTE-compatible device.

The SIP responses “were unlike anything I had seen before on other networks,” Williams said in a report.

They contained information on what SIP server O2 used, version numbers, and occasional call-processing error messages raised by the C++ services, but the most notable were five headers that contained user data.

Two of the headers were leaking the International Mobile Subscriber Identity (IMSI) codes of the caller and the recipient. Another two headers contained their IMEI (International Mobile Equipment Identity) codes.

The last header carried cellular network information: the identifier of the mobile network, the Location Area Code (LAC), and the recipient's cell ID, which identifies the mobile tower the user is connected to.
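As an added example, not from the article or the researcher's report, here is a small Python audit helper that a carrier's IMS or SBC team could run over captured SIP responses to flag headers carrying subscriber identifiers before a response leaves the core network. The sample message and the header names in it are constructed assumptions; the article does not name the exact headers O2 used.

```python
import re
from typing import List, Tuple

# Constructed sample SIP response in the shape the article describes (headers carrying
# IMSI, IMEI and cell information). Header names and values are assumptions, not O2's own.
SAMPLE_SIP_RESPONSE = (
    "SIP/2.0 183 Session Progress\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1;branch=z9hG4bK776\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "X-Calling-IMSI: 234100000000001\r\n"
    "X-Called-IMEI: 490154203237518\r\n"
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=2341000011A2B3C4\r\n"
    "Content-Length: 0\r\n\r\n"
)

FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")   # IMSI and IMEI are both 15 digits
CELL_ID_PARAM = re.compile(r"utran-cell-id-3gpp=([0-9A-Fa-f]+)", re.I)

def luhn_ok(digits: str) -> bool:
    """An IMEI's final digit is a Luhn check digit; an IMSI carries none (heuristic split)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def parse_headers(msg: str) -> List[Tuple[str, str]]:
    """Split a SIP message into (name, value) header pairs; the body is ignored."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status/request line
    return [(n.strip(), v.strip()) for n, v in (l.split(":", 1) for l in lines if ":" in l)]

def find_identifier_leaks(msg: str) -> List[Tuple[str, str]]:
    """Return (header name, kind) for each header whose value exposes a subscriber identifier."""
    findings = []
    for name, value in parse_headers(msg):
        if CELL_ID_PARAM.search(value):
            findings.append((name, "cell-id"))
            continue
        for m in FIFTEEN_DIGITS.findall(value):
            findings.append((name, "imei" if luhn_ok(m) else "imsi"))
    return findings

def strip_leaky_headers(msg: str) -> str:
    """Drop flagged headers, as an edge SBC should do before the response reaches the caller."""
    leaky = {name for name, _ in find_identifier_leaks(msg)}
    head, sep, body = msg.partition("\r\n\r\n")
    kept = [l for l in head.split("\r\n") if l.split(":", 1)[0].strip() not in leaky]
    return "\r\n".join(kept) + sep + body
```

The Luhn split between IMEI and IMSI is only a heuristic for triage; any 15-digit subscriber or device identifier in a response to the far end is a finding regardless of which kind it is.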

“This is bad,” the researcher clarified.

Williams could quickly determine that the recipient was using a Google Pixel 9 and was connected to the O2 network with an O2 SIM, and publicly crowdsourced data from tools like CellMapper could then be cross-referenced to find the general location of the cell tower, and with it the user.


“In a city, this becomes an extremely accurate measure of location,” Williams noted. “Dense urban areas will make use of many sites (such as small cells, which are often fitted directly to streetlamps) with small coverage areas. Each site in these areas can often cover areas as small as 100 square meters.”

O2 even leaked information on users who were currently roaming abroad.

“The attack worked perfectly with me being able to pinpoint them to the city centre of Copenhagen, Denmark,” the researcher noted.


The attack is very easy to pull off – any device that places a phone call receives information that could be used to geolocate the recipient of the call.

“I’m extremely disappointed as an O2 customer to see a lack of any escalation route to report this kind of potential vectors for attack,” the researcher concluded.

Williams attempted to reach O2 and disclose the vulnerability on the 26th and 27th of March but received no response before publishing the report on May 17th. Two days later, O2 reached out to Williams and confirmed that the issue had been resolved. The researcher validated the claim and could no longer reproduce the attack.
