4G Calling (VoLTE) Flaw Exposed: Can Any O2 Customer Be Tracked with a Phone Call?
A recent discovery by UK researcher Daniel Williams has exposed a critical flaw in O2's 4G Calling (VoLTE) service that allows anyone to determine an O2 customer's location using only a phone call. The vulnerability lies in the way IMS signaling messages are transmitted between devices and networks.
The Technology Behind 4G Calling (VoLTE)
4G Calling, also known as VoLTE (Voice over LTE), is a technology that enables voice calls to be made over a 4G/LTE mobile network instead of older 2G or 3G networks. The service transmits voice as data, which allows better call quality and reduced latency.
The Flaw: Leaking User Location Data
UK researcher Daniel Williams found that a bug in O2's 4G Calling service leaked sensitive information, including IMSI (International Mobile Subscriber Identity), IMEI (International Mobile Equipment Identity), and location data, through network responses. The researcher used a rooted Google Pixel 8 and the Network Signal Guru (NSG) app to assess audio quality during a VoLTE call to another O2 customer.
The Bug: How It Exposed User Location Data
Due to a bug in NSG affecting modern Pixel devices with Samsung modems, the app failed to display the codec used for the call. To work around this issue, the researcher manually examined the raw IMS signaling messages exchanged between the device and the network to extract the necessary information.
The Discovered Data: A Recipe for Tracking
Williams discovered unusually detailed IMS signaling messages during a call, revealing sensitive information that is typically hidden. This data included both the caller's and recipient's IMSI and IMEI numbers, as well as precise location data such as the recipient's network (O2), location area code (LAC), and cell ID.
"This is bad. With all this information, we can make use of publicly crowdsourced data, collected by tools such as cellmapper.net, to cross-reference this information to work out a general location of the user," reads the analysis published by the researcher. "I also tested the attack with another O2 customer who was roaming abroad, and the attack worked perfectly with me being able to pinpoint them to the city centre of Copenhagen, Denmark."
The Implications: A Privacy Nightmare
The researcher pointed out that in dense urban areas, the flaw could let attackers pinpoint a user's location within as little as 100 square meters using small cell coverage data. This raises serious privacy concerns, as any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking.
A Call to Action: Fixing the Flaw
O2 recently addressed this issue in its 4G Calling service by removing IMS/SIP headers and disabling debug headers in messages. The researcher urges O2 to implement these fixes immediately to prevent potential privacy and data leaks. However, as of now, there is no way for an O2 customer to prevent this attack.
Disabling 4G Calling does not prevent these headers from being revealed, and if your device is ever unreachable, these internal headers will still reveal the last cell you were connected to and how long ago this was. It's a stark reminder of the importance of network security and the need for constant vigilance against emerging threats.
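The mitigation described above, removing identifier-bearing and debug headers before IMS messages reach the handset, can be sketched as an allowlist filter that also reports what it dropped. This is an added example, not code from O2 or the researcher; the `X-Debug-*` header names, the allowlist and the sample message are constructed assumptions.

```python
import re

# Headers the handset needs in order to process the message (assumed allowlist).
ALLOWED = {"via", "from", "to", "call-id", "cseq", "contact", "record-route",
           "require", "supported", "allow", "content-type", "content-length"}

# Value patterns for the identifier classes the article lists.
LEAKS = {
    "15-digit IMSI/IMEI-like value": re.compile(r"(?<!\d)\d{15}(?!\d)"),
    "LAC / cell ID parameter": re.compile(r"(?i)\b(lac|cell-?id)[-\w]*\s*="),
}

def scrub(message):
    """Return (sanitized_message, findings) for one SIP message bound for a handset."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, findings = [lines[0]], []  # lines[0] is the request/status line
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip()
        reasons = [label for label, rx in LEAKS.items() if rx.search(value)]
        if name.lower() in ALLOWED and not reasons:
            kept.append(line)
        else:
            findings.append((name, reasons or ["not on allowlist"]))
    return "\r\n".join(kept) + sep + body, findings

# Constructed sample: test-network identifiers (MCC 001 / MNC 01) and
# hypothetical X-Debug-* header names, not taken from O2's network.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 10.0.0.1:5060;branch=z9hG4bKexample",
    "From: <sip:caller@ims.example.net>;tag=a1",
    "To: <sip:callee@ims.example.net>;tag=b2",
    "Call-ID: constructed-call-id@example",
    "CSeq: 1 INVITE",
    "X-Debug-Subscriber: imsi=001010123456789",
    "X-Debug-Device: imei=490154203237518",
    "X-Debug-Location: mcc=001;mnc=01;lac=1234;cell-id=5678",
    "Content-Length: 0",
]) + "\r\n\r\n"

if __name__ == "__main__":
    clean, findings = scrub(SAMPLE)
    for name, reasons in findings:
        print(f"dropped {name}: {', '.join(reasons)}")
    print(clean)
```

Folded header lines and SIP compact header forms are not handled here; a production filter at the network edge would need to normalise both before applying the allowlist.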