A security researcher discovered a vulnerability in O2's VoLTE implementation that allowed anyone to determine the approximate location of an O2 customer simply by making a phone call to them. This was achieved by intercepting and manipulating the SIP INVITE message sent during call setup, specifically the "P-Asserted-Identity" header. By slightly modifying the caller ID presented to the target device, the researcher could trigger error messages that revealed location information normally used for emergency services. This information included cell tower IDs, which can be easily correlated with geographic locations. This vulnerability highlighted a lack of proper input sanitization and authorization checks within O2's VoLTE infrastructure, potentially affecting millions of customers. The issue has since been reported and patched by O2.
This blog post, titled "O2 VoLTE: locating any customer with a phone call," published on Mast Database on May 25, 2025, details a significant security vulnerability discovered within O2's Voice over LTE (VoLTE) implementation. The vulnerability, according to the author, allows malicious actors to ascertain the approximate location of any O2 customer simply by initiating a phone call, regardless of whether the call is answered. The exploit leverages the inherent design of VoLTE, which establishes a data connection prior to the call being connected. This pre-call data connection is used for call setup and management, and critically, it reveals the target's approximate location via the cell tower to which their device is connected.
The post meticulously outlines the technical process by which this location information is exposed. It describes how a SIP INVITE message can be specially crafted (SIP is a standard signaling protocol used in VoIP communications). By modifying specific fields within this message, particularly those related to call features and supplementary services, an attacker can trigger the pre-call connection setup without the target's phone ringing, thereby remaining completely undetectable to the victim. This stealthy establishment of the data connection allows the attacker to obtain the target's location through the associated cell tower information, all without the target’s awareness or interaction.
The author emphasizes the severity of this vulnerability by explaining how easily it can be exploited. They describe the minimal technical expertise and readily available tools required to craft the malicious SIP INVITE message. This ease of exploitation, coupled with the complete lack of user interaction required, makes it a particularly dangerous security flaw, potentially exposing millions of O2 customers to covert location tracking.
The post concludes by highlighting the potential ramifications of this vulnerability, emphasizing the privacy implications for O2 customers. The author suggests that this flaw could be exploited for a variety of malicious purposes, including stalking, harassment, and targeted advertising. Furthermore, the post underscores the broader security concerns related to VoLTE technology and urges telecom providers to thoroughly examine their implementations to mitigate similar vulnerabilities. The author stresses the importance of responsible disclosure and indicates they have notified O2 of the vulnerability, allowing them time to address the issue before publicly disclosing the details.
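The leak summarized above comes down to location-bearing signalling reaching a party outside the operator's trust domain. The following added example (not code from the original post or from O2) shows the corresponding egress check: removing an access-network header from a SIP message before it is forwarded to an untrusted peer. It assumes the cell identity travels in the standard P-Access-Network-Info header (RFC 7315), which this page does not name; the function name scrub_sip and the sample message are constructed for illustration.

```python
# Added example: strip access-network location headers from a SIP message
# before it is forwarded outside the operator's trust domain.
# Assumption: the cell identity is carried in P-Access-Network-Info (RFC 7315);
# the page does not name the header. The sample message below is constructed.

LOCATION_HEADERS = {"p-access-network-info"}  # extend after auditing your own traffic


def scrub_sip(message: str, peer_trusted: bool) -> tuple[str, list[str]]:
    """Return (message to forward, lower-cased names of headers removed)."""
    if peer_trusted:
        return message, []
    head, sep, body = message.partition("\r\n\r\n")
    kept, removed, dropping = [], [], False
    for i, line in enumerate(head.split("\r\n")):
        if i == 0:                      # request/status line, never a header
            kept.append(line)
            continue
        if line[:1] in (" ", "\t"):     # folded continuation of the previous header
            if not dropping:
                kept.append(line)
            continue
        name = line.split(":", 1)[0].strip().lower()  # header names are case-insensitive
        dropping = name in LOCATION_HEADERS
        if dropping:
            removed.append(name)
        else:
            kept.append(line)
    return "\r\n".join(kept) + sep + body, removed


# Constructed sample: a response whose header section carries a cell identity,
# written in lower case and folded across two lines to exercise both edge cases.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP proxy.example.invalid;branch=z9hG4bKconstructed",
    "From: <sip:caller@example.invalid>;tag=a1",
    "To: <sip:callee@example.invalid>;tag=b2",
    "Call-ID: constructed-call-id@example.invalid",
    "CSeq: 1 INVITE",
    "p-access-network-info: 3GPP-E-UTRAN-FDD;",
    " utran-cell-id-3gpp=0000000000000",
    "Content-Length: 0",
    "", "",
])

if __name__ == "__main__":
    forwarded, gone = scrub_sip(SAMPLE, peer_trusted=False)
    print("removed:", gone)
    print(forwarded)
```

The same header list can drive an alerting rule instead of a rewrite: log any message bound for an untrusted peer for which the removed list is non-empty.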
Summary of Comments (41)
https://news.ycombinator.com/item?id=44014046
Hacker News users discuss the feasibility and implications of the claimed O2 VoLTE vulnerability. Some express skepticism about the ease with which an attacker could exploit this, pointing out the need for specialized equipment and the potential for detection. Others debate the actual impact, questioning whether coarse location data (accurate to a cell tower) is truly a privacy violation given its availability through other means. Several commenters highlight the responsibility of mobile network operators to address such security flaws and emphasize the importance of ongoing security research and public disclosure. The discussion also touches upon the trade-offs between functionality (like VoLTE) and security, as well as the potential legal ramifications for O2. A few users mention similar vulnerabilities in other networks, suggesting this isn't an isolated incident.
The Hacker News post "O2 VoLTE: locating any customer with a phone call" has generated several comments discussing the technical aspects and implications of the described vulnerability.
Several commenters point out that this issue is not unique to O2 and is a broader concern with VoLTE technology. One commenter notes that this type of vulnerability has been known for a long time within the 3GPP (the standards organization for mobile telecommunications) and that there are existing countermeasures operators should be using. They also mention that SS7 vulnerabilities (Signalling System No. 7, an older signaling protocol) offered similar attack vectors, implying this is a recurring issue in the telecommunications industry.
Another commenter emphasizes the inherent trade-off between location accuracy and privacy in VoLTE. They explain that the higher accuracy required for emergency services and other location-based services comes at the expense of increased susceptibility to this type of tracking. This suggests the challenge lies in finding an acceptable balance between utility and security.
The discussion also delves into the technical details of the vulnerability. One commenter explains that the location information leakage occurs during the call setup phase, as the network needs the caller's location to route the call efficiently. Another adds that this vulnerability stems from the fact that the location request isn't cryptographically protected, making it easy to intercept.
A few commenters discuss potential mitigations, like encrypting the location request or using privacy-preserving location techniques. One commenter specifically mentions obfuscating the location data, suggesting adding noise to the location coordinates to make the precise location harder to determine while still allowing for approximate location information to be used for legitimate purposes.
The overall sentiment in the comments seems to be one of concern, but not surprise. The vulnerability appears to be a known issue within the telecommunications industry, and the challenge lies in implementing and enforcing appropriate security measures. The commenters generally agree that the current situation represents an unacceptable trade-off between privacy and functionality, and they call for stronger security measures to be adopted by mobile operators.