O2 used to have a responsible disclosure address - but they removed it a few years back.
When I worked there (many years ago) the security team was excellent. When I emaileld them about an issue last year, they were all gone.
mrjeeves · 7m ago
We know the relevant team within the org was informed, but no action was taken and they seemed to struggle to understand that this was even in production and not their testbed environment.
lol768 · 10h ago
> Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmedia.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.
To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?
mrjeeves · 2m ago
This one is actually on us. The email contacted was actually @virginmediao2.co.uk, not @virginmedia.co.uk. It's a typo in the article.
I'll update it with a correction.
andix · 3h ago
The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking. The data is sent out by the network voluntarily and during normal use.
There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to an URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.
immibis · 29m ago
It is, however, a data breach, triggering the requirement for them to report it to the regulator immediately or get fined, etc etc (if such rules exist in the UK)
18172828286177 · 1h ago
> The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking
You clearly aren’t familiar with how broad the Computer Misuse Act is
andix · 52m ago
> You clearly aren’t familiar with how broad the Computer Misuse Act is
No, I'm not familiar with it at all. But usually illegal hacking requires to access devices in a way you aren't allowed to access. As long as making the phone call itself is not an issue, it should be fine. Dumping data from the memory of your phone can't be unauthorized.
It would probably become an issue if you make unusual phone calls, harassing people with constantly calling, or calling just for the purpose of getting the location data and immediately hanging up. But just dumping the diagnostics for regular phone calls should be fine (I'm not a lawyer).
watusername · 36m ago
> Dumping data from the memory of your phone can't be unauthorized.
> just dumping the diagnostics for regular phone calls should be fine
IANAL, but computer hacking laws like the CMA in the UK and CFAA in the US are written in a manner so vague that even pressing F12 to view the source of a web page could be a violation [0]. From O2's perspective, they could argue that the OP has accessed their internal diagnostic data in an unauthorized manner. What we (technical people) think is irrelevant.
I don't have a lot of knowledge about US and UK law, but I hear a lot of bad things.
"good faith security research" is a different ballpark though. Some laws catch all unauthorized access, even if the intent is not in a bad faith (which is probably a very bad idea, but that's how it is). But it also makes sense to some point: if your neighbor has a really bad lock that can be opened just by hitting the door frame a few times, you're also not allowed to break in just to disclose their bad security.
Usually some deliberate action needs to be taken that qualifies as unauthorized access. Something like adding a malformed header to a HTTP request could be enough. Or logging in with credentials that are clearly not yours (even if it's just admin/admin). But logging the traffic of regular and authorized usage patterns shouldn't be enough.
kjellsbells · 1h ago
Also very curious how the call initiator was able to see the call control messages (ie SIP). Arent all these messages wrapped inside an encrypted GRE tunnel between handset and cell tower (and MME)? Being able to unpick GRE tunnel encryption would be a gigantic hole. Perhaps this only works because the OP is running analysis on their device, but even then I'm surprised that the pre-encryption payload is available.
mrjeeves · 8m ago
Hello, article editor here. Many Android devices with Qualcomm chips offer the option to expose a modem diagnostics port over USB meaning a rooted device isn't even needed. It's just much easier to use NSG rooted on-device than going around with a laptop places.
It's as simple as using Scat (https://github.com/fgsect/scat) with the modem diag port enabled to view all signalling traffic to/from the network.
At least the free version of the app doesn't seem to "decrypt" anything, but it has root access and access to the modem, so it can read these logs. It can also disable bands and try to lock to a specific mast (like dedicated 4G/5G routers can), which is useful if you're trying to use mobile data as your main internet connection.
immibis · 28m ago
Right, so, that's the hacking tool they'll soon get prosecuted for using, while the problem will remain unfixed.
tguvot · 1h ago
i think you meant GTP tunnel. And GTP tunnel is between enodeb and core network. it's secured only in case that it run inside IPSEC.
cloudref · 2h ago
Could you mitigate this by turning off VoLTE? I can see docs online for turning it off on an iPhone 11 - but my iPhone 15 doesn't have that option!
mdasen · 1h ago
> Disabling 4G Calling does not prevent these headers from being revealed, and if your device is ever unreachable these internal headers will still reveal the last cell you were connected to and how long ago this was.
So it seems like that won't do anything.
ivanvanderbyl · 1h ago
I’m curious to see if this exists on O2 in NZ. I switched to them last week because they do free roaming in Australia, and VoLTE calls.
edude03 · 3h ago
I don’t know anything about IMS but I assume they have to stay on the call long enough for the debug headers to be sent (like the tracing the call thing in every spy movie but real) and if that’s the case can this be mitigated by “just”* not answering calls from unknown numbers?
*yes I’m aware that means people you know who have your number could also exploit this
andix · 2h ago
I guess this information is already known to the network before the connection is even established. Those seem to be debugging headers, you probably need them for cases where the connection can't be established properly to debug why. If I understand the article correctly, the information is even there if the receiving phone is turned off, then you get the last known cell.
dilyevsky · 3h ago
IMS is just SIP core + bunch of gateways + integration with base LTE infra (eNodeB, PCRF, etc) so "signaling messages" are just SIP messages. So depending on whether those compromising headers were included on things like SIP 180 Ringing messages and such it may not be enough to not answer the calls. Source: actually worked on deploying IMS at a telco (not this one)
usr1106 · 2h ago
According to GDPR this is clearly illegal. I am pretty sure their subscriber contracts don't contain consent for sharing your location to any caller.
Now UK has left the EU so GDPR does no longer apply. But it is my understanding they have not changed any fundamental principles in whatever applies now?
Yes, it still exists. Most (all?) EU legislation that ended had to be explicitly revoked, since the UK was fairly diligent in transposing it to national legislation.
celsoazevedo · 3h ago
Seems to be a serious problem. It's not that hard to root a phone, install NSG, and look at this info. O2 is also the largest mobile network in the UK and they have contracts with the government...
It's disappointing that they didn't reply, but I'm not surprised. O2 seems to be a mess internally. Anything that can't be fixed by someone at a store takes ages to fix (eg: a bad number port). Their systems seem to be outdated, part of their user base still can't use VoLTE, their new 5G SA doesn't support voice and seems to over rely on n28 making it slow for many, their CTO blogs about leaving "vanity metrics behind"[0] even though they are usually the worst network for data, etc.
You can't be serious. Privacy in the UK? It's been gone for years. Don't complain about it though, because you might say something that will get you prosecuted. Free speech is gone too. I pity UK residents, and I hope that Nigel Farage will improve things when he becomes PM, that is if he doesn't get assassinated first.
throw123xz · 30m ago
Using what seems to be a misconfiguration of a network feature to support the opinion that the UK has no privacy is a bit weird. Not only other networks don't seem to have the same issue, but companies and people screw up sometimes.
Also, is that Nigel Farage the same one of Brexit fame? The one who ran away when Brexit turned out to be different from what he and his party promised? That guy is going to save UK's privacy and freedom? lol.
lostlogin · 42m ago
> I hope that Nigel Farage will improve things when he becomes PM
He is likely to improve things the same way Trump improves things. They have a lot of common ground.
When I worked there (many years ago) the security team was excellent. When I emaileld them about an issue last year, they were all gone.
This is really poor. And why is a Virgin Media address the closest best thing here? https://www.o2.co.uk/.well-known/security.txt should 200, not 404.
To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?
I'll update it with a correction.
There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to an URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.
You clearly aren’t familiar with how broad the Computer Misuse Act is
No, I'm not familiar with it at all. But usually illegal hacking requires to access devices in a way you aren't allowed to access. As long as making the phone call itself is not an issue, it should be fine. Dumping data from the memory of your phone can't be unauthorized.
It would probably become an issue if you make unusual phone calls, harassing people with constantly calling, or calling just for the purpose of getting the location data and immediately hanging up. But just dumping the diagnostics for regular phone calls should be fine (I'm not a lawyer).
> just dumping the diagnostics for regular phone calls should be fine
IANAL, but computer hacking laws like the CMA in the UK and CFAA in the US are written in a manner so vague that even pressing F12 to view the source of a web page could be a violation [0]. From O2's perspective, they could argue that the OP has accessed their internal diagnostic data in an unauthorized manner. What we (technical people) think is irrelevant.
[0]: In the US, the DOJ has revised its policy to not prosecute defendants pursuing "good faith security research," which you may trust at your own risk: https://www.justice.gov/archives/opa/pr/department-justice-a...
"good faith security research" is a different ballpark though. Some laws catch all unauthorized access, even if the intent is not in a bad faith (which is probably a very bad idea, but that's how it is). But it also makes sense to some point: if your neighbor has a really bad lock that can be opened just by hitting the door frame a few times, you're also not allowed to break in just to disclose their bad security.
Usually some deliberate action needs to be taken that qualifies as unauthorized access. Something like adding a malformed header to a HTTP request could be enough. Or logging in with credentials that are clearly not yours (even if it's just admin/admin). But logging the traffic of regular and authorized usage patterns shouldn't be enough.
It's as simple as using Scat (https://github.com/fgsect/scat) with the modem diag port enabled to view all signalling traffic to/from the network.
At least the free version of the app doesn't seem to "decrypt" anything, but it has root access and access to the modem, so it can read these logs. It can also disable bands and try to lock to a specific mast (like dedicated 4G/5G routers can), which is useful if you're trying to use mobile data as your main internet connection.
So it seems like that won't do anything.
*yes I’m aware that means people you know who have your number could also exploit this
Now UK has left the EU so GDPR does no longer apply. But it is my understanding they have not changed any fundamental principles in whatever applies now?
It's disappointing that they didn't reply, but I'm not surprised. O2 seems to be a mess internally. Anything that can't be fixed by someone at a store takes ages to fix (eg: a bad number port). Their systems seem to be outdated, part of their user base still can't use VoLTE, their new 5G SA doesn't support voice and seems to over rely on n28 making it slow for many, their CTO blogs about leaving "vanity metrics behind"[0] even though they are usually the worst network for data, etc.
[0] https://news.virginmediao2.co.uk/leaving-the-vanity-metrics-...
No comments yet
Also, is that Nigel Farage the same one of Brexit fame? The one who ran away when Brexit turned out to be different from what he and his party promised? That guy is going to save UK's privacy and freedom? lol.
He is likely to improve things the same way Trump improves things. They have a lot of common ground.