Full Report
A flaw in O2 UK's implementation of VoLTE and WiFi Calling technologies could allow anyone to expose the general location of a person and other identifiers by calling the target. [...]
Analysis Summary
# Vulnerability: O2 UK Mobile Call Metadata Leakage Allowing Location Tracking
## CVE Details
- CVE ID: Not assigned in the source article.
- CVSS Score: Not stated in the source article.
- CWE: Not stated in the source article.
## Affected Systems
- Products: O2 UK mobile network infrastructure (specifically components interacting with IMS/SIP signaling).
- Versions: Unspecified, but related to O2 UK's services utilizing Mavenir UAG.
- Configurations: Active voice calls transmitted over the network.
## Vulnerability Description
A flaw existed in the O2 UK mobile network's call processing infrastructure (likely related to IMS/SIP signaling) that caused sensitive metadata to be exposed, including:
1. Mobile location information derived from Cell ID during call setup.
2. Internal server details, such as the IMS/SIP server (Mavenir UAG) and its version numbers.
3. Debugging information, including error messages from C++ services processing call data.
An attacker could capture the raw IMS signaling messages delivered to their own handset during a call to the target, decode the Cell ID they contain, and use public cell-mapping tools to geo-locate the target to the serving cell tower. In urban areas this location accuracy could be as precise as $100 \text{m}^2$. The leak was reportedly reproducible even when the target was abroad (e.g., in Denmark).
## Exploitation
- Status: No in-the-wild exploitation is stated; the issue was found by a security researcher.
- Complexity: Medium (requires specialized tooling such as Network Signal Guru on a rooted device to capture and decode raw IMS signaling messages).
- Attack Vector: Network (inspection of the call signaling traffic the network delivers to the caller).
## Impact
- Confidentiality: High (Exposure of real-time or recent geo-location data).
- Integrity: Low (No direct impact on data integrity, primarily informational leakage).
- Availability: Low (No direct impact on service availability).
## Remediation
### Patches
- O2 UK confirmed that engineering teams developed and implemented a fix after being notified in late March 2025.
- **Patch Status:** Fully implemented and confirmed working by testing.
### Workarounds
- Customers do not need to take any action. The fix was implemented network-side.
## Detection
- **Indicators of Compromise:** Raw IMS/SIP signaling messages, as delivered to subscriber devices, that carry server version numbers, debug output, or cell/location data tied to a subscriber's call. Note that the capture itself happens on the attacker's own handset and is not visible to the network; what can be observed is whether the core still emits such headers.
- **Detection Methods and Tools:** Deep Packet Inspection (DPI) on SIP traffic leaving the IMS core toward access networks, checking for headers that expose internal server information or sensitive subscriber metadata.
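A small header-level check of the kind a DPI rule or a pre-release test harness for the IMS core would run, as an added example that is not O2's or Mavenir's code. The SIP message, the `X-Hypothetical-*` header names, the `Server` value and the marker vocabularies are all constructed assumptions for illustration; a real deployment would substitute its own inventory of headers that must never reach a subscriber device.

```python
"""Flag and strip SIP headers that expose server versions, cell identifiers
or debug output (added example; header names and sample values are constructed).
"""
import re

# Headers that legitimately carry an implementation name/version and that, by
# the assumed policy here, must not reach a subscriber device from the core.
VERSION_BEARING_HEADERS = {"server", "user-agent", "warning"}
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

# Substrings in a header name or value that suggest radio-cell identifiers
# (assumed vocabulary, not taken from any standard or from the page).
CELL_MARKERS = ("cellid", "cell-id", "cell_id", "ecgi", "cgi", "utran-cell")

# Substrings that suggest leaked error/debug text from a backend service.
DEBUG_MARKERS = ("exception", "error", "traceback")

# Constructed INVITE with three hypothetical leaking headers.
LEAKY_INVITE = (
    "INVITE sip:+441234567890@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.0.0.1;branch=z9hG4bK-constructed\r\n"
    "From: <sip:+440000000000@ims.example.net>;tag=abc\r\n"
    "To: <sip:+441234567890@ims.example.net>\r\n"
    "Call-ID: constructed-call-id@example\r\n"
    "Server: Hypothetical-UAG/9.8.7\r\n"
    "X-Hypothetical-Cell-Info: mcc=234;mnc=10;cellid=12345678\r\n"
    "X-Hypothetical-Debug: std::runtime_error: constructed sample\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip(message: str) -> tuple[str, dict[str, list[str]]]:
    """Split a SIP message into its start line and a case-folded header map.
    Repeated headers are collected in order; the body is ignored."""
    head, _, _body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def find_leaks(message: str) -> list[tuple[str, str]]:
    """Return (header name, reason) for every header that exposes a server
    version, a cell identifier, or backend debug text."""
    _, headers = parse_sip(message)
    findings = []
    for name, values in headers.items():
        for value in values:
            lowered = value.lower()
            if name in VERSION_BEARING_HEADERS and VERSION_RE.search(value):
                findings.append((name, "server software version exposed"))
            elif any(m in name or m in lowered for m in CELL_MARKERS):
                findings.append((name, "cell identifier exposed"))
            elif any(m in lowered for m in DEBUG_MARKERS):
                findings.append((name, "backend debug text exposed"))
    return findings


def scrub(message: str) -> str:
    """Drop the flagged headers and return the rebuilt message. This is a
    simplified stand-in for a network-side fix, not the operator's actual one."""
    leaking = {name for name, _ in find_leaks(message)}
    head, sep, body = message.partition("\r\n\r\n")
    kept = []
    for index, line in enumerate(head.split("\r\n")):
        name = line.partition(":")[0].strip().lower()
        if index == 0 or name not in leaking:
            kept.append(line)
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for header, reason in find_leaks(LEAKY_INVITE):
        print(f"{header}: {reason}")
    print(scrub(LEAKY_INVITE))
```

The rules are deliberately substring-based so that they can be dropped into a DPI engine that only sees header text; the trade-off is that a header whose name or value happens to contain one of the markers produces a false positive, which is why the marker lists are kept short and reviewed against the operator's real header inventory.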
## References
- [BleepingComputer Article on O2 UK Fix](https://www.bleepingcomputer.com/news/security/o2-uk-patches-bug-leaking-mobile-user-location-from-call-metadata/)
- [Source information regarding exposed SIP Headers](mastdatabase.co.uk)
- [Source information regarding cell tower location](mastdatabase.co.uk)