A critical security vulnerability in O2 UK’s Voice over LTE (VoLTE) service, branded as “4G Calling,” has left tens of millions of customers exposed to real-time location tracking for months, according to findings published by security researcher Daniel Williams.
The flaw, now resolved, allowed any caller to accurately determine the location and device identifiers of any O2 customer simply by initiating a call, without the recipient’s knowledge or consent.
Technical Details: IMS/SIP Header Exposure
The vulnerability stemmed from O2’s implementation of the IP Multimedia Subsystem (IMS) standard, which underpins VoLTE and WiFi Calling services.
During the setup of a call, devices exchange a series of signalling messages using the Session Initiation Protocol (SIP).
Williams discovered that O2’s SIP responses were “extremely detailed and long,” revealing far more information than industry norms.
Key headers exposed in these SIP messages included:
P-Mav-Extension-IMSI: Leaked the International Mobile Subscriber Identity (IMSI) for both the caller and recipient.
P-Mav-Extension-IMEI: Exposed the International Mobile Equipment Identity (IMEI) of both devices.
Cellular-Network-Info: Contained the recipient’s network code, Location Area Code (LAC), and Cell ID, as well as the age of the cell information in seconds.
A typical excerpt from a vulnerable SIP message looked like this:
P-Mav-Extension-IMSI: 23410123456789
P-Mav-Extension-IMSI: 23410987654321
P-Mav-Extension-IMEI: 350266809828927
P-Mav-Extension-IMEI: 350266806365261
Cellular-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341010037A60773;cell-info-age=26371
By decoding the Cellular-Network-Info header, attackers could pinpoint the recipient’s location to a specific cell tower.
In dense urban areas, where O2 deploys small cells with coverage as narrow as 100 square meters, this allows geolocation down to a city block. Public tools like CellMapper enabled anyone to cross-reference the leaked cell IDs and map the target’s whereabouts.
Scope and Impact
The attack required no advanced hacking skills or network intrusion.
Any O2 customer with a compatible device and basic diagnostic tools, such as Network Signal Guru (NSG), could exploit the flaw.
The exposure persisted regardless of whether users disabled 4G Calling or switched to WiFi Calling; even unreachable devices revealed their last known cell and the time since they were last connected.
Williams demonstrated the attack’s effectiveness even on roaming users, successfully geolocating a target in central Copenhagen, Denmark.
Industry Response and Remediation
Despite attempts to privately disclose the issue to O2 on March 26 and 27, 2025, Williams received no response until after the vulnerability was made public.
O2 has since confirmed that a fix was implemented and tested, stating, “Our engineering teams have been working on and testing a fix for several weeks – we can confirm this is now fully implemented and tests suggest the fix has worked and our customers do not need to take any action.”
Williams recommends that O2 and other providers sanitize IMS/SIP messages by removing unnecessary headers, especially those containing subscriber identifiers and cell location data, and restrict debugging information to internal network elements only.
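The following is an added example, not code from the article or from O2, showing both what the Cellular-Network-Info header quoted above encodes and the header-stripping that the recommendation calls for. It assumes the header value uses the utran-cell-id-3gpp layout of the standard P-Access-Network-Info header (3GPP TS 24.229: MCC, MNC, 16-bit tracking area code, 28-bit E-UTRAN Cell Identity, hex encoded); the SIP message and the hypothetical Call-ID are constructed around the article's sample values.

```python
# Headers the article identifies as leaking IMSI, IMEI and cell location; the
# recommended fix strips them before a message leaves the operator's network.
SENSITIVE_HEADERS = {"p-mav-extension-imsi", "p-mav-extension-imei", "cellular-network-info"}

# Constructed SIP response using the header values quoted in the article.
SAMPLE_SIP = (
    "SIP/2.0 183 Session Progress\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "P-Mav-Extension-IMSI: 23410123456789\r\n"
    "P-Mav-Extension-IMSI: 23410987654321\r\n"
    "P-Mav-Extension-IMEI: 350266809828927\r\n"
    "P-Mav-Extension-IMEI: 350266806365261\r\n"
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341010037A60773"
    ";cell-info-age=26371\r\n"
    "Content-Length: 0\r\n\r\n"
)

def split_headers(message):
    """Return (start line, [(name, value), ...], body) for one SIP message."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(s.strip() for s in line.partition(":")[::2]) for line in lines[1:]]
    return lines[0], headers, body

def decode_cell_id(value):
    """Decode an E-UTRAN utran-cell-id-3gpp value: MCC (3 digits), MNC (2 or 3 digits),
    16-bit tracking area code (4 hex), 28-bit E-UTRAN Cell Identity (7 hex), per 3GPP
    TS 24.229.  The article refers to the area code as the LAC."""
    params = dict(p.split("=", 1) for p in value.split(";")[1:] if "=" in p)
    cid = params["utran-cell-id-3gpp"]
    mnc_len = len(cid) - 14          # everything except MCC + TAC + ECI
    eci = int(cid[3 + mnc_len + 4:], 16)
    return {
        "mcc": cid[:3], "mnc": cid[3:3 + mnc_len],
        "tac": int(cid[3 + mnc_len:3 + mnc_len + 4], 16),
        "enodeb_id": eci >> 8, "cell_id": eci & 0xFF,   # ECI = eNB ID (20 bits) + cell (8 bits)
        "cell_info_age_s": int(params.get("cell-info-age", "0")),
    }

def sanitize(message):
    """Drop sensitive headers (names are case-insensitive in SIP); return the cleaned
    message and the (name, value) pairs that were removed, for audit logging."""
    start, headers, body = split_headers(message)
    kept, removed = [], []
    for name, value in headers:
        (removed if name.lower() in SENSITIVE_HEADERS else kept).append((name, value))
    cleaned = "\r\n".join([start] + [f"{n}: {v}" for n, v in kept]) + "\r\n\r\n" + body
    return cleaned, removed
```

Calling sanitize(SAMPLE_SIP) returns the message with only the start line, Call-ID and Content-Length left, plus the five stripped headers; decode_cell_id on the stripped Cellular-Network-Info value shows that a single header carried the operator code, area code, cell and the age of that fix.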
The O2 VoLTE flaw highlights the risks of verbose protocol implementations in telecom networks.
For months, any O2 customer could be trivially located by anyone with their phone number and basic technical know-how.
While O2 has now resolved the issue, the incident underscores the importance of proactive security testing and transparent vulnerability disclosure programs in the telecommunications industry.