- 41957 Posts
- 248 Topics
- 1862 Solutions
This, whilst incredibly technical, was very interesting...
"Any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking."
"...every O2 device that is making a phone call on IMS (4G Calling / WiFi Calling) is receiving information that can be used to trivially geolocate the recipient of the call."
https://mastdatabase.co.uk/blog/2025/05/o2-expose-customer-location-call-4g/
In this instance, PAYG is more secure, as O2 does not provision 4G Calling/WiFi Calling to their customers on Pay As You Go. I do wonder if those dependent on O2's network but that do offer PAYG clients 4G Calling (like giffgaff?) are equally porous in this regard...?
- 14198 Posts
- 366 Topics
- 38 Solutions
- 10017 Posts
- 93 Topics
- 1926 Solutions
- 41957 Posts
- 248 Topics
- 1862 Solutions
Hmm. News released to ISPreview today, eh? Pretty quick turnaround from the date of the earlier post, @Oxonian @ I wonder what else they broke in their haste to patch the leak...🤔
- 97318 Posts
- 615 Topics
- 7215 Solutions
NOTE: O2 first introduced their implementation of IMS / 4G Calling all the way back in 2017.
....so 7-8 years for a fix?
Seems standard for O2!
- 41957 Posts
- 248 Topics
- 1862 Solutions
Ah yes, @jonsie - I meant the time between the two articles - had the first not been published, alongside author's exhortations to Lutz Schüler CEO of VMO2, the press release to ISPreview would probably still be forthcoming!
"Update (19th May 2025, 08:14 BST)
O2 reached out to me via email to confirm that this issue has been resolved. I have validated this information myself, and can confirm that the vulnerability does appear to be resolved."
Or someone left the debug-flag set on the production code on O2's side, so a quick fix 🙃
- 14198 Posts
- 366 Topics
- 38 Solutions
- 772 Posts
- 281 Topics
- 2 Solutions
