O2 used to have a responsible disclosure address - but they removed it a few years back.
When I worked there (many years ago) the security team was excellent. When I emaileld them about an issue last year, they were all gone.
No comments yet
andix · 1h ago
The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking. The data is sent out by the network voluntarily and during normal use.
There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to an URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.
cloudref · 15m ago
Could you mitigate this by turning off VoLTE? I can see docs online for turning it off on an iPhone 11 - but my iPhone 15 doesn't have that option!
lol768 · 8h ago
> Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmedia.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.
To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?
edude03 · 1h ago
I don’t know anything about IMS but I assume they have to stay on the call long enough for the debug headers to be sent (like the tracing the call thing in every spy movie but real) and if that’s the case can this be mitigated by “just”* not answering calls from unknown numbers?
*yes I’m aware that means people you know who have your number could also exploit this
andix · 56m ago
I guess this information is already known to the network before the connection is even established. Those seem to be debugging headers, you probably need them for cases where the connection can't be established properly to debug why. If I understand the article correctly, the information is even there if the receiving phone is turned off, then you get the last known cell.
dilyevsky · 1h ago
IMS is just SIP core + bunch of gateways + integration with base LTE infra (eNodeB, PCRF, etc) so "signaling messages" are just SIP messages. So depending on whether those compromising headers were included on things like SIP 180 Ringing messages and such it may not be enough to not answer the calls. Source: actually worked on deploying IMS at a telco (not this one)
usr1106 · 40m ago
According to GDPR this is clearly illegal. I am pretty sure their subscriber contracts don't contain consent for sharing your location to any caller.
Now UK has left the EU so GDPR does no longer apply. But it is my understanding they have not changed any fundamental principles in whatever applies now?
Seems to be a serious problem. It's not that hard to root a phone, install NSG, and look at this info. O2 is also the largest mobile network in the UK and they have contracts with the government...
It's disappointing that they didn't reply, but I'm not surprised. O2 seems to be a mess internally. Anything that can't be fixed by someone at a store takes ages to fix (eg: a bad number port). Their systems seem to be outdated, part of their user base still can't use VoLTE, their new 5G SA doesn't support voice and seems to over rely on n28 making it slow for many, their CTO blogs about leaving "vanity metrics behind"[0] even though they are usually the worst network for data, etc.
When I worked there (many years ago) the security team was excellent. When I emaileld them about an issue last year, they were all gone.
No comments yet
There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to an URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.
This is really poor. And why is a Virgin Media address the closest best thing here? https://www.o2.co.uk/.well-known/security.txt should 200, not 404.
To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?
*yes I’m aware that means people you know who have your number could also exploit this
Now UK has left the EU so GDPR does no longer apply. But it is my understanding they have not changed any fundamental principles in whatever applies now?
It's disappointing that they didn't reply, but I'm not surprised. O2 seems to be a mess internally. Anything that can't be fixed by someone at a store takes ages to fix (eg: a bad number port). Their systems seem to be outdated, part of their user base still can't use VoLTE, their new 5G SA doesn't support voice and seems to over rely on n28 making it slow for many, their CTO blogs about leaving "vanity metrics behind"[0] even though they are usually the worst network for data, etc.
[0] https://news.virginmediao2.co.uk/leaving-the-vanity-metrics-...
No comments yet