O2 UK Addresses Vulnerability Exposing Mobile User Location Data in Call Metadata

A vulnerability in O2 UK’s deployment of Voice over LTE (VoLTE) and WiFi Calling technologies has been identified, which could potentially disclose the general location and other identifying information of mobile users through call metadata. This issue was uncovered by security researcher Daniel Williams, and it is believed to have persisted since February 2023 until it was recently addressed.

O2 UK, a major telecommunications provider in the United Kingdom and a subsidiary of Virgin Media O2, reported nearly 23 million mobile subscribers and 5.8 million broadband users as of March 2025. The company introduced its IP Multimedia Subsystem (IMS) service, labeled “4G Calling,” in March 2017 to enhance both call audio quality and reliability.

Williams’s investigation revealed that the signaling messages exchanged between communicating devices—the SIP headers—were excessively detailed and potentially intrusive. His analysis of these messages uncovered sensitive information including International Mobile Subscriber Identity (IMSI), International Mobile Equipment Identity (IMEI), and cellular location data.

“The data returned from the network was strikingly elaborate and lengthy, differing significantly from what I encountered on other networks,” Williams commented. “The exchanges included specific details about the IMS/SIP server utilized by O2, alongside version numbers, occasional debugging messages, and other diagnostic data.”

The potential implications of this flaw are noteworthy, as anyone with access to the call metadata could utilize third-party applications, such as Network Signal Guru (NSG), to intercept IMS signaling messages during a phone call. By decoding the cell ID, Williams was able to identify the last cell tower used by the call recipient and leverage publicly accessible tools to ascertain the geographic coordinates of that tower. In urban environments, this method could yield location accuracy down to approximately 100 square meters, while in rural settings, the precision could vary, though it still poses significant risks to user privacy.

Notably, Williams was successful in replicating this method even when locating individuals abroad, having tracked a test subject in Copenhagen, Denmark.

After multiple attempts to communicate his findings to O2 UK on March 26 and 27, 2025, Williams eventually received confirmation from the company regarding the resolution of the issue. He subsequently verified the effectiveness of the remedy through further testing.

In an official statement to a technology news outlet, a representative from Virgin Media confirmed that the fix had been implemented, assuring customers that no additional action was required on their part for protection. “Our engineering teams have worked diligently over the past weeks to develop and deploy a solution. We can confirm that it has been fully implemented, and our testing indicates that it is functioning correctly,” the spokesperson stated.

Despite inquiries regarding whether this vulnerability had already been exploited and if affected customers would be informed, O2 UK did not provide any further comment.