O2 UK VoLTE implementation leaks customer location and device data via debug headers
Take action: Here's a very different example of why debugging logs should NEVER go into production, and especially should not be left leaking for years.
A privacy vulnerability has been reported in O2 UK's Voice over LTE (VoLTE) implementation, according to a detailed report published by security researcher Daniel Williams.
The vulnerability, which existed in O2's IP Multimedia Subsystem (IMS) implementation, leaked sensitive information about call recipients including their precise location, device identifiers, and subscriber information during VoLTE calls.
The security researcher found that when making a VoLTE call (referred to as "4G Calling" by O2), the network was adding extensive debugging information to the IMS signaling messages, including several critical pieces of sensitive data:
- IMSI numbers: The International Mobile Subscriber Identity numbers of both the caller and the recipient were included in the messages
- IMEI numbers: The International Mobile Equipment Identity numbers of both devices were exposed
- Cell tower information: Precise cell tower identifiers that could be used to determine the recipient's physical location
The information was exposed through custom SIP (Session Initiation Protocol) headers that were unnecessarily included in messages sent to the caller's device:
P-Mav-Extension-IMSI: 23410123456789
P-Mav-Extension-IMSI: 23410987654321
P-Mav-Extension-IMEI: 350266809828927
P-Mav-Extension-IMEI: 350266806365261
Cellular-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341010037A60773;cell-info-age=26371
With the data contained in these headers, an attacker could:
- Geolocate call recipients: By cross-referencing cell tower information with publicly available databases like cellmapper.net, an attacker could determine a recipient's physical location with high precision, especially in urban areas where cell coverage areas can be as small as 100m²
- Identify devices: The exposed IMEI numbers could be used to determine the exact make and model of a recipient's phone
- Track subscriber information: The IMSI number could reveal the recipient's network operator and SIM card details
The researcher demonstrated this vulnerability by successfully geolocating another O2 customer who was roaming abroad in Copenhagen, Denmark.
Most concerning was that there was no way for O2 customers to protect themselves against this vulnerability. Even disabling 4G Calling did not prevent the exposure of this information, and historical location data would still be revealed if a device was unreachable.
According to an update from May 19, 2025, O2 UK has resolved this vulnerability. The researcher confirmed they received email communication from O2 and has independently verified that the issue has been fixed.
The resolution likely involved removing the problematic debugging headers from all IMS/SIP messages, which the researcher had specifically recommended as the necessary corrective action.
Discovery Timeline
- March 27, 2025: The researcher discovered the vulnerability and attempted to contact O2 UK via email, including reaching out to the CEO and security incidents email address
- No response received initially from O2 UK
- May 19, 2025: O2 UK confirmed via email that the issue had been resolved
- May 19, 2025: The researcher verified the fix was implemented
The vulnerability specifically affected O2's implementation of IMS for VoLTE, which was launched on March 27, 2017. The researcher identified that the network was using Mavenir UAG servers for IMS/SIP processing, which were configured to include extensive debugging information in signaling messages.
The Cell ID information included in the messages could be decoded to reveal:
- Network PLMN (first 5-6 digits)
- Location Area Code in hexadecimal (next 4 characters)
- Cell ID in hexadecimal (final 7 characters)
- Age of the data in seconds (when the device wasn't currently connected)
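The following audit script is an added example, not code from the researcher or O2: it flags the debug headers named above in a SIP message, decodes the cell identifier using the field layout just listed, and returns the message with those headers removed, which is the corrective action the researcher recommended. The sample message, the `ims.example` domain and the function names are constructed for illustration; only the header names and values come from the article.

```python
import re

# Header names the article lists as leaking; SIP header names are case-insensitive.
LEAKY = {"p-mav-extension-imsi", "p-mav-extension-imei", "cellular-network-info"}
CELL_RE = re.compile(r"utran-cell-id-3gpp=([0-9A-Fa-f]+)")
AGE_RE = re.compile(r"cell-info-age=(\d+)")

# Constructed sample response; header values are the ones quoted in the article.
SAMPLE = (
    "SIP/2.0 180 Ringing\r\n"
    "Call-ID: constructed-example@ims.example\r\n"
    "P-Mav-Extension-IMSI: 23410123456789\r\n"
    "P-Mav-Extension-IMEI: 350266809828927\r\n"
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;"
    "utran-cell-id-3gpp=2341010037A60773;cell-info-age=26371\r\n"
    "Content-Length: 0\r\n\r\n"
)

def decode_cell(value):
    """Split the cell identifier using the field layout the article describes."""
    m = CELL_RE.search(value)
    # 5-6 digit PLMN + 4 hex chars (LAC) + 7 hex chars (cell ID)
    if not m or len(m.group(1)) not in (16, 17) or not m.group(1)[:-11].isdigit():
        return None
    raw, age = m.group(1), AGE_RE.search(value)
    return {"plmn": raw[:-11], "lac": int(raw[-11:-7], 16),
            "cell_id": int(raw[-7:], 16),
            "age_s": int(age.group(1)) if age else None}

def audit(message):
    """Return (findings, scrubbed message) for one SIP message."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, findings, dropping = [lines[0]], [], False
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):        # folded continuation line
            if not dropping:
                kept.append(line)
            continue
        name, _, value = line.partition(":")
        dropping = name.strip().lower() in LEAKY
        if dropping:
            findings.append((name.strip(), value.strip()))
        else:
            kept.append(line)
    return findings, "\r\n".join(kept) + sep + body

if __name__ == "__main__":
    found, clean = audit(SAMPLE)
    for name, value in found:
        print("leaks:", name, decode_cell(value) or value)
```

Run against captures taken at the network edge, an empty findings list is the expected result once the headers have been removed.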
This vulnerability highlights the security risks that can arise from complex IMS implementations and underscores the importance of proper security review of mobile network configurations to prevent unnecessary data exposure.