Sigh. It's possible to remotely, physically locate any O2 mobile customer at any time over the internet with a trivial method using their mobile phone number, due to O2's poor implementation of 4G Calling which, by design, gives away the Cell ID.

https://mastdatabase.co.uk/blog/2025/05/o2-expose-customer-location-call-4g/

O2 VoLTE: locating any customer with a phone call

Privacy is dead: For multiple months, any O2 customer has had their location exposed to call initiators without their knowledge.

O2 have fixed this - I’ve just retested this, O2 no longer give out my location.

Full disclosure works. https://www.bleepingcomputer.com/news/security/o2-uk-patches-bug-leaking-mobile-user-location-from-call-metadata/

O2 UK patches bug leaking mobile user location from call metadata

A flaw in O2 UK's implementation of VoLTE and WiFi Calling technologies could allow anyone to expose the general location of a person and other identifiers by calling the target.

The mainstream have now found out about the O2 thing https://www.ft.com/content/2fc4234a-0065-490d-8483-33feff284ff3
Virgin Media O2 network flaw allowed customer phones to be tracked

Company has reported issue to watchdogs and fixed the problem

Btw if anybody tells you this wasn’t exploited in the wild, it was, by both me and the researcher.
@GossiTheDog and that's only that we know of.
@GossiTheDog GCHQ's cursing you both under their breath
@GossiTheDog I know some might disagree, but I don't think that the researcher and you count as "wild".
@bontchev @GossiTheDog I don't know, I've read some of Gossi's tweets. Can be pretty wild!
@GossiTheDog "we have no evidence of this issue being exploited beyond the illustrative examples given by a network engineer in his blog which we reported to the Information Commissioner’s Office and Ofcom" < Well no they wouldn't as they'd have no way of knowing if someone was doing anything with the info they were just handing out since it didn't require a specific query to the network to get that info it was just being sent as part of a call.
@jernej__s @GossiTheDog thank you. Articles behind paywalls are very annoying. At least imho. 😊
@GossiTheDog it is not a flaw, it's a feature

@GossiTheDog as an O2 customer it pleases me that this has been fixed.

I can phone my enemies again without fear of them knowing where I am 🙈

@GossiTheDog

So much for the "5G" on O2.....🤷🤷‍♂️🤷‍♀️

@GossiTheDog how long was that then, about five years? ;)
@GossiTheDog yay! I finally found their (well hidden) Contact Us form after reading your post and demanded action. Doubt that did anything and have only seen an automated response since - but the publicity must’ve worked the shaming magic. Keep it up 🙂
@GossiTheDog not to mention the IMEI and IMSI of the other user's handset and SIM.
@GossiTheDog which, come to think of it, would probably be pretty useful information if you wanted to pull off a SIM-swapping attack.
@GossiTheDog oh that's very bad. That's permanently disqualifying from companies I will ever trust with my information or money for any reason.
@GossiTheDog do you know if this also applies to reseller services of the O2 network like GiffGaff etc ?
@viralobscurity @GossiTheDog Almost certainly. Same hardware, probably (but not guaranteed to be) the same configuration for both sets of end users.
@GossiTheDog I wonder if this applies to non-UK O2's, like Telefónica Germany GmbH.
@GossiTheDog If you turn VOLTE off on your handset?
@GossiTheDog What I wonder is if anybody ELSE has this bug.

@GossiTheDog
Woops.. Nice finding!
But isn't this 3G data? Like the known privacy concern with SS7 where any operator around the world can query a Home Location Register for any given number (for billing purposes). And how this is abused by private surveillance companies.

https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/

Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure - The Citizen Lab

This report provides a comprehensive guide to geolocation-related threats sourced from 3G, 4G, and 5G network operators. Case studies, references, examples, and evidence are provided to give a complete and contextual understanding of mobile network-based location tracking in order to formulate policies and actions that protect civil society from current and future geolocation surveillance.

@GossiTheDog "possible to remotely, physically locate any O2 mobile customer"
Thank you for the warning. In future years it may be useful to hide from dictators (They increase their power step by step these days) and we need to know how technology can be used to track us.
Best end our O2 subscription.
Even better: talk with friends in person, travel to them by bicycle without navigation system, and leave your phone at home, switched off.
@GossiTheDog
Wow. That would be a dealbreaker for me.
@GossiTheDog I hope other networks did this properly.
@GossiTheDog Does this also work for carriers that run on o2 like giffgaff? I would assume so