O2 UK Fixes 8-Year VoLTE Flaw Exposing 23 Million Users' Locations
May 20, 2025
Williams recommended that O2 remove sensitive headers from IMS/SIP messages to enhance customer privacy and expressed disappointment in the lack of a proper escalation route for reporting vulnerabilities.
Initially, Williams did not receive a response from O2 UK after reporting the issue, but the company later confirmed that the vulnerability was addressed.
The flaw exposed user location data through call metadata, raising serious privacy concerns for O2's customers.
The vulnerability was linked to the verbosity of SIP headers exchanged during calls, which included sensitive information such as IMSI, IMEI, and precise location data.
O2 acknowledged that customers could not prevent their location from being exposed, even by disabling the 4G Calling feature.
After weeks of testing, Virgin Media O2 confirmed that they had implemented a fix for the vulnerability, although specific details regarding the resolution were not disclosed.
O2 UK, a major telecommunications provider with nearly 23 million mobile customers, recently faced a significant security vulnerability in its VoLTE and WiFi Calling technologies.
Discovered by researcher Daniel Williams, the issue had persisted since March 27, 2017, and was only resolved on May 18, 2025.
Williams demonstrated that callers could track recipients' locations within 100 square meters in urban areas by exploiting data transmitted from the network.
Using the Network Signal Guru app on a Google Pixel 8, Williams was able to intercept and decode IMS signaling messages, revealing the last cell tower's location during calls.
O2 officially confirmed the fix on May 19, 2025, stating that no customer action was needed to ensure their security.
The issue was confirmed through tests, including tracking a customer in Copenhagen, highlighting a significant privacy violation for O2 users.
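The header removal Williams recommends, sketched as an added example (not O2's fix, whose details were not disclosed, and not code from the report): a filter that drops identifier and location headers from a SIP message before it is forwarded to a handset. The deny list is an assumption: `P-Access-Network-Info` and `Cellular-Network-Info` are standard IMS headers that can carry cell identity, the `X-Example-*` names are hypothetical stand-ins for debug headers carrying IMSI/IMEI, and the sample message is constructed.

```python
# Assumption: headers to strip. P-Access-Network-Info (RFC 7315) and
# Cellular-Network-Info (3GPP TS 24.229) can carry cell identity; the
# X-Example-* names are hypothetical stand-ins for IMSI/IMEI debug headers.
SENSITIVE = {"p-access-network-info", "cellular-network-info",
             "x-example-imsi", "x-example-imei"}

def strip_sensitive_headers(message, deny=SENSITIVE):
    """Return (sanitized_message, removed_header_names) for one SIP message."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, removed = [lines[0]], []      # lines[0] is the request/status line
    dropping = False
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):     # folded continuation of the previous header
            if not dropping:            # a dropped header takes its folds with it
                kept.append(line)
            continue
        # Header names are case-insensitive and may have space before the colon.
        name = line.split(":", 1)[0].strip().lower()
        dropping = name in deny
        if dropping:
            removed.append(name)
        else:
            kept.append(line)
    return "\r\n".join(kept) + sep + body, removed

# Constructed sample: a provisional response with over-verbose headers.
SAMPLE = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKexample",
    "From: <sip:+441632960001@ims.example.net>;tag=a1",
    "To: <sip:+441632960002@ims.example.net>;tag=b2",
    "Call-ID: constructed-call-id@192.0.2.10",
    "CSeq: 1 INVITE",
    "X-Example-IMSI: 001010123456789",
    "x-example-imei: 00000000-000000-0",
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;",
    "\tutran-cell-id-3gpp=0010100010000001",   # folded continuation line
    "Content-Length: 0",
    "", ""])

if __name__ == "__main__":
    sanitized, removed = strip_sensitive_headers(SAMPLE)
    print("removed:", removed)
    print(sanitized)
```

Logging the removed header names at the network edge also gives operators a way to detect when an upstream element starts emitting such headers again.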
Summary based on 6 sources
Sources

TechRadar Pro • May 20, 2025
Leaky location data bug fixed by O2 UK
The Register • May 19, 2025
Virgin Media O2 patches hole that let callers snoop on your coordinates
BleepingComputer • May 19, 2025
O2 UK patches bug leaking mobile user location from call metadata
SecurityWeek • May 20, 2025
O2 Service Vulnerability Exposed User Location