
A critical vulnerability in O2’s VoLTE (Voice over LTE) service allowed attackers to pinpoint a user’s exact location simply by calling their number. The exploit involved extracting sensitive data—such as IMSI, IMEI, and Cell ID—from SIP messages during a call. By cross-referencing the Cell ID with crowd-sourced databases like Cellmapper, an attacker could determine the victim’s location with alarming accuracy.
Disclosure Timeline:
- March 26, 2025: Researcher Daniel Williams reported the issue to O2.
- May 17, 2025: Public disclosure after no response from O2.
- May 19, 2025: O2 patched the vulnerability.
Original Report: O2 Expose Customer Location via 4G Call
You Should Know:
How the Exploit Worked
- Initiate a VoLTE Call – The attacker calls the target.
- Capture SIP Messages – Using tools like Wireshark or SIPp, intercept SIP packets containing:
tshark -i any -Y "sip" -V | grep "Cell-ID"
- Extract Cell ID – The SIP response includes the connected tower’s identifier.
- Map the Location – Use Cellmapper or OpenCellID to convert the Cell ID into GPS coordinates.
Detection & Mitigation
- Check if You Were Affected:
journalctl -u o2-volte-service --since "2025-03-01" | grep "SIP leak"
- Verify Patch Installation:
dpkg -l | grep o2-volte-update
- Disable VoLTE Temporarily (Android):
adb shell settings put global volte_provisioned 0
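A way to check captured SIP messages for the identifiers named above (Cell ID, IMEI, IMSI) and to strip them before a message leaves the operator's trust domain. This is an added example, not code from the original report or from O2; the sample message, the `X-Debug-Subscriber` header name and the function names are constructed for illustration, and header folding is not handled.

```python
import re

# Constructed SIP response; every identifier is made up. X-Debug-Subscriber is a
# hypothetical header name standing in for any vendor header that carries an IMSI.
SAMPLE = (
    "SIP/2.0 183 Session Progress\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:+447700900001@ims.example>;tag=a1\r\n"
    "To: <sip:+447700900002@ims.example>;tag=b2\r\n"
    "Call-ID: constructed-call-1\r\n"
    "CSeq: 1 INVITE\r\n"
    'Contact: <sip:10.0.0.2:5060>;+sip.instance="<urn:gsma:imei:35000000-000000-0>"\r\n'
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341012340A1B2C3\r\n"
    "X-Debug-Subscriber: sip:234100123456789@ims.mnc010.mcc234.3gppnetwork.org\r\n"
    "Content-Length: 0\r\n\r\n"
)

PATTERNS = {
    "cell_id": re.compile(r"(?:utran-cell-id-3gpp|cgi-3gpp)=([0-9A-Fa-f]+)"),  # RFC 7315
    "imei": re.compile(r"urn:gsma:imei:([0-9-]+)"),                            # RFC 7254
    "imsi": re.compile(r"sip:(\d{14,15})@ims\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org"),
}

def split_headers(message):
    """Return (start_line, [(name, value), ...]); folded headers are not handled."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    pairs = [line.split(":", 1) for line in lines[1:] if ":" in line]
    return lines[0], [(n.strip(), v.strip()) for n, v in pairs]

def audit(message):
    """List (header, kind, value) for each subscriber identifier in the headers."""
    return [(name, kind, m.group(1))
            for name, value in split_headers(message)[1]
            for kind, rx in PATTERNS.items()
            for m in rx.finditer(value)]

def scrub(message):
    """Mitigation sketch: the headers a border element would pass to an untrusted peer."""
    start, headers = split_headers(message)
    out = [start]
    for name, value in headers:
        if name.lower() == "p-access-network-info":
            continue  # access-network location must not leave the trust domain
        for rx in PATTERNS.values():
            value = rx.sub("redacted", value)
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n\r\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("LEAK", *finding)
    print("after scrub:", audit(scrub(SAMPLE)))
```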
Security Testing (Ethical Hacking)
- SIP Packet Analysis with sngrep:
sudo apt install sngrep
sngrep -d eth0 -O captured_calls.pcap
- Cell ID Lookup Automation (Python):
import requests
cell_id = "YOUR_CELL_ID"
response = requests.get(f"https://opencellid.org/api?key=YOUR_API_KEY&cellid={cell_id}")
print(response.json())
What Undercode Say
This vulnerability highlights the risks of poor telecom security and delayed patching. Similar flaws exist in other carriers—always verify if your provider encrypts SIP traffic.
Linux/Win Commands for Telecom Security:
- Check Active SIP Sessions (Linux):
ss -tuln | grep 5060
- Monitor VoLTE Traffic (Windows):
Get-NetUDPEndpoint -LocalPort 5060
- Scan for Vulnerable SIP Services:
nmap -sU -p 5060 --script sip-enum-users <target_IP>
Expected Output:
Discovered SIP leak in O2 VoLTE. Patch now. Always audit telecom APIs.
Prediction
Future attacks may target 5G core networks using similar SIP/SS7 flaws. Telecom providers must adopt zero-trust signaling to prevent location leaks.
Expected Output:
5G networks will face increased scrutiny—demand encryption for all signaling protocols.
References:
Reported By: Activity 7330525195062947841 – Hackers Feeds


