UK telco Virgin Media O2 has fixed an issue with its 4G Calling feature that allowed users' general location to be discerned by those who called them.
The confirmation was issued in response to a mobile networking specialist publishing research into the mobile network operator's (MNO) implementation of Voice over LTE (VoLTE), and how it was revealing call recipient data to callers, albeit through a few tricky technical steps.
Researcher Daniel Williams said he was able to "trivially" locate call recipients using the IP Multimedia Subsystem (IMS), International Mobile Equipment Identity (IMEI), and cell ID data sent back by VMO2 servers. He said theoretically, in some cases, this could be accurate to within 100 square meters.
When he published his findings on May 17, Williams said he had not yet received a response after first engaging the MNO in March.
However, a VMO2 spokesperson told The Register that the issues had since been resolved.
"Our engineering teams have been working on and testing a fix for a number of weeks – we can confirm this is now fully implemented and tests suggest the fix has worked and our customers do not need to take any action," they said.
Williams also confirmed that the company contacted him yesterday (May 19) to thank him for his work.
His research zeroed in on the network's 4G Calling feature launched in 2017 by O2 UK, before the Virgin Media merger in 2021.
4G Calling is an IMS service that works hand-in-hand with Wi-Fi calling and is aimed at giving customers ways to make calls in the absence of normal signal.
IMS services use signaling messages to transmit certain data between the network's servers and the devices that connect to them.
Williams, a networking professional, dug into the raw messages and extracted two International Mobile Subscriber Identity (IMSI) values, two IMEIs, and cell ID headers.
The task requires specialist knowledge and probably couldn't be done by, say, an average stalker. However, Williams claimed it could be carried out "trivially" by anyone "with even a basic understanding of mobile networking."
IMSI numbers are assigned by networks to identify unique users via SIM cards, while IMEI numbers are serial numbers that identify devices. Cell IDs are individual numbers assigned to each cell tower or network base station.
The IMSI and IMEI numbers returned by the server were for both the caller and recipient's devices. This meant that by calling someone on the VMO2 network, a caller could feasibly confirm the recipient was indeed on VMO2's network, what device they were using, and their IMSI number.
Decoding the cell ID header also revealed the user's location area code and cell ID – the country they are in and the tower to which their device was connected.
Williams said this information can be plugged into openly available tools such as CellMapper to deduce a general location for a call recipient.
In less populous areas, the location supplied by such tools can be fairly broad. Williams' blog illustrated one case of a possible catchment area roughly 1 kilometer in diameter in the English village of Cippenham, for example.
However, he noted that in dense, urban areas, which often have more cell sites located more closely together, this area could be as small as 100 square meters.
"In a city, this becomes an extremely accurate measure of location," he said.
"I also tested the attack with another O2 customer who was roaming abroad, and the attack worked perfectly with me being able to pinpoint them to the city center of Copenhagen, Denmark."
VMO2 declined to comment on exactly what was fixed by its engineers, reiterating only that the issue was now resolved, but in his research Williams said the MNO "must remove the highlighted headers from all IMS/SIP messages to protect the privacy and safety of customers."
Disabling 4G Calling was also not a reliable mitigation. The researcher told The Register that disabling the feature did, in some cases, stop the transmission of IMEI and cell ID headers to the caller when the phone was reachable.
However, if the recipient's phone could not be reached, the headers would still sometimes be returned, so it wasn't an ironclad remedy.
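The remedy Williams describes is to strip the identifying headers before a SIP message leaves the operator's network towards the other party. The following Python is an added example of such a scrubber, not VMO2's fix and not Williams' tooling. The article does not name the headers involved, so the deny-list assumes the standard 3GPP IMS headers where this data normally travels (P-Access-Network-Info for the cell identity, P-Associated-URI for IMSI-derived identities, P-Visited-Network-ID for the roaming network, Warning for call-failure debug text) plus the +sip.instance Contact parameter that carries the IMEI as a GSMA URN; the sample SIP response is constructed with placeholder digits.

```python
"""Strip subscriber, device and cell identifiers from outbound SIP messages.

Added illustration (assumed header names, constructed sample), not VMO2's code.
"""
import re
from dataclasses import dataclass, field

# Assumption: these 3GPP IMS headers carry the data the article describes.
STRIP_HEADERS = {
    "p-access-network-info",  # cell identity, e.g. utran-cell-id-3gpp=MCC+MNC+LAC+CI
    "p-associated-uri",       # IMSI-derived identities of the called subscriber
    "p-visited-network-id",   # which network a roaming callee is attached to
    "p-charging-vector",      # operator-internal correlation identifiers
    "warning",                # free-text debug information on call failures
}
# Contact parameter that carries the IMEI as urn:gsma:imei:... (assumption).
STRIP_CONTACT_PARAMS = {"+sip.instance"}

# Residual check: a bare 15-digit run (IMSI/IMEI length) or an IMEI URN that
# survived in a header not on the deny-list.
ID15_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
IMEI_URN_RE = re.compile(r"urn:gsma:imei:[0-9-]+", re.I)


@dataclass
class ScrubResult:
    message: str
    removed_headers: list[str] = field(default_factory=list)
    removed_params: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def _unfold(lines: list[str]) -> list[str]:
    """Join RFC 3261 folded continuation lines onto their header."""
    out: list[str] = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def _scrub_contact(value: str, result: ScrubResult) -> str:
    """Drop deny-listed header parameters; the <...> URI itself is kept."""
    addr, gt, params = value.partition(">")
    if not gt:
        return value  # no angle brackets: nothing we recognise to strip
    keep = []
    for p in (x.strip() for x in params.split(";")):
        if not p:
            continue
        pname = p.split("=", 1)[0].lower()
        if pname in STRIP_CONTACT_PARAMS:
            result.removed_params.append(pname)
        else:
            keep.append(p)
    return addr + ">" + "".join(";" + p for p in keep)


def scrub_sip(msg: str) -> ScrubResult:
    """Return the message with identifying headers removed, plus an audit trail."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *headers = head.split("\r\n")
    result = ScrubResult(message="")
    kept: list[str] = []
    for h in _unfold(headers):
        name, _, value = h.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() in STRIP_HEADERS:
            result.removed_headers.append(name)
            continue
        if name.lower() in ("contact", "m"):
            value = _scrub_contact(value, result)
        if ID15_RE.search(value) or IMEI_URN_RE.search(value):
            result.warnings.append(f"{name}: identifier-like value still present")
        kept.append(f"{name}: {value}")
    result.message = "\r\n".join([start, *kept]) + "\r\n\r\n" + body
    return result


# Constructed sample: a provisional response as it might leave the callee's
# network, with placeholder IMSI/IMEI/cell values (not real identifiers).
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 10.0.0.5:5060;branch=z9hG4bK-constructed",
    "From: <sip:+447700900001@ims.example.test>;tag=a1",
    "To: <sip:+447700900002@ims.example.test>;tag=b2",
    "Call-ID: constructed-call-id@10.0.0.5",
    "CSeq: 1 INVITE",
    "Contact: <sip:+447700900002@10.0.0.9;transport=tcp>"
    ';+sip.instance="<urn:gsma:imei:00000000-000000-0>"',
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=234100001234567",
    "P-Associated-URI: <sip:234100000000001@ims.example.test>",
    "Content-Length: 0",
]) + "\r\n\r\n"

if __name__ == "__main__":
    r = scrub_sip(SAMPLE)
    print(r.message)
    print("removed headers:", r.removed_headers, "removed params:", r.removed_params)
```

This would sit where messages cross the operator boundary towards the caller (the border control function or SBC), applied to every message direction including failure responses, since the article notes the headers still appeared when the callee was unreachable. The `warnings` list is the safety net for identifier-shaped values in headers that are not on the deny-list.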
The researcher used various tools to carry out the investigation. He used a rooted Google Pixel 8 for calls, although rooting isn't necessary – the same results can be achieved on an untampered device by viewing the signaling messages with tools like SCAT, which supports devices from Samsung, Google, Xiaomi, and more.
One of the main issues that facilitated the location-grabbing was the length of these signaling messages. Williams said these were far greater in length and detail than those provided by other MNOs, offering details such as call routing, call session IDs, and debug information in the event of call failures.
"I initially actually noticed a difference purely on the length of the message," he said. "It was so much longer than any other network I had seen on IMS due to the larger amount of information provided."
Williams told us that since being contacted by VMO2 on Monday, he has been unable to reproduce the issue, corroborating the MNO's claim to have resolved matters. ®