A vulnerability in 4G Calling, a Voice over LTE (VoLTE) service launched recently by UK telecom giant O2, resulted in user location information being leaked in network responses.
Based on the IP Multimedia Subsystem (IMS) standard, VoLTE allows users to make voice calls and send text messages over 4G/LTE and newer mobile networks at higher speeds compared to those offered by older 3G/2G networks.
It works by delivering the voice service as data flows, but requires that the device, firmware, and mobile network support the technology.
Looking to test the quality of O2’s newly launched 4G Calling service, UK network enthusiast Daniel Williams discovered that messages his phone received from the network contained a lot of information, including details on the user’s location.
Specifically, five headers at the bottom of the message contained the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers of both the caller and the receiver, as well as cell data and the recipient’s location area code.
Essentially, Williams explains, anyone capturing this information could then leverage publicly crowdsourced data and discover the general location of a user.
While in some cases this could only return the macro cell the user was on at the time of the call, in more crowded, urban areas smaller coverage sites would be used, allowing an attacker to pinpoint the user’s location to areas often as small as 100 square meters.
“I also tested the attack with another O2 customer who was roaming abroad, and the attack worked perfectly with me being able to pinpoint them to the city center of Copenhagen, Denmark,” he says.
He also notes that his findings are based on the information his phone was receiving from the network, with no special equipment used, meaning that any device on O2’s network making a call using IMS would likely be affected.
“Any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking. There is also no way to prevent this attack as an O2 customer. Disabling 4G Calling does not prevent these headers from being revealed,” he notes.
The issue impacted O2’s 4G Calling service from its launch in March until recently, when the company rolled out a fix.
“Our engineering teams have been working on and testing a fix for a number of weeks – we can confirm this is now fully implemented and tests suggest the fix has worked and our customers do not need to take any action,” O2 and Virgin Media spokespersons told SecurityWeek.
Related: LTE, 5G Vulnerabilities Could Cut Entire Cities From Cellular Connectivity
Related: Fitness App Strava Gives Away Location of Biden, Trump and other Leaders, French Newspaper Says
Related: FCC Fines Wireless Carriers for Sharing User Locations Without Consent
