Readit News
lol768 · 7 months ago
> Attempts were made to reach out to O2 via email (to both Lutz Schüler, CEO and securityincidents@virginmedia.co.uk) on the 26 and 27 March 2025 reporting this behaviour and privacy risk, but I have yet to get any response or see any change in the behaviour.

This is really poor. And why is a Virgin Media address the closest best thing here? https://www.o2.co.uk/.well-known/security.txt should 200, not 404.

To be clear, I have no problem with disclosure in these circumstances given the inaction, but I'm left wondering if this is the sort of thing that NCSC would pick up under some circumstances (and may have better luck communicating with the org)?

mrjeeves · 7 months ago
This one is actually on us. The email contacted was actually @virginmediao2.co.uk, not @virginmedia.co.uk. It's a typo in the article.

I'll update it with a correction.

Mr_Minderbinder · 7 months ago
I have spotted another error:

> is within LAC 0x1003 (decimal: 4009)

It should be decimal 4099.

morsch · 7 months ago
There are several email addresses listed in the privacy policy (a GDPR requirement). Maybe somebody is listening there. E.g. DPO@o2.com

https://www.o2.co.uk/termsandconditions/privacy-policy

madaxe_again · 7 months ago
You could file an SAR with them to find out what they’re doing internally with anything with your name linked to it. Might also be preemptively contacting https://www.openrightsgroup.org/ to get the narrative on your side, in case they come knocking with the CMA.
edent · 7 months ago
O2 used to have a responsible disclosure address - but they removed it a few years back.

When I worked there (many years ago) the security team was excellent. When I emailed them about an issue last year, they were all gone.

mrjeeves · 7 months ago
We know the relevant team within O2 was actually informed, but evidently no action (or insufficient action) was taken.

andix · 7 months ago
The really interesting part of this issue is that under most jurisdictions it probably won't even qualify as hacking. The data is sent out by the network voluntarily and during normal use.

There are no systems at any point tricked into revealing personal data, which is often illegal, even if the hack is trivial. Even appending something like "&reveal_privat_data=true" to a URL might be considered illegal, because there is clear intent to access data you shouldn't be allowed to access. In this case none of that is done.

immibis · 7 months ago
It is, however, a data breach, triggering the requirement for them to report it to the regulator immediately or get fined, etc etc (if such rules exist in the UK)
wyldfire · 7 months ago
I suppose even if O2 isn't in EU jurisdiction they could apply pressure since the example showed a Denmark customer being impacted. Maybe that telco in Denmark can't peer with O2 if O2 can't secure their EU customers' data.
18172828286177 · 7 months ago
> The really interesting part of this issue is, that under most jurisdictions it probably won't even qualify as hacking

You clearly aren’t familiar with how broad the Computer Misuse Act is

andix · 7 months ago
> You clearly aren’t familiar with how broad the Computer Misuse Act is

No, I'm not familiar with it at all. But usually illegal hacking requires accessing devices in a way you aren't allowed to access. As long as making the phone call itself is not an issue, it should be fine. Dumping data from the memory of your phone can't be unauthorized.

It would probably become an issue if you make unusual phone calls, harassing people with constantly calling, or calling just for the purpose of getting the location data and immediately hanging up. But just dumping the diagnostics for regular phone calls should be fine (I'm not a lawyer).

Aeyxen · 7 months ago
The wild part: this isn’t a theoretical bug. It’s implementation laziness that other UK networks already solved, as the post notes. ECI leaks have been called out since LTE rolled out—see papers like https://arxiv.org/abs/2106.05007—and automated location mapping is trivial given open mast DBs.
MortyWaves · 7 months ago
Probably panicking and waiting to be told what to do by the security services that have been using this.
kylpytakki · 7 months ago
All of the information leaked in the headers is already readily available through lawful interception.
kjellsbells · 7 months ago
Also very curious how the call initiator was able to see the call control messages (i.e. SIP). Aren't all these messages wrapped inside an encrypted GRE tunnel between handset and cell tower (and MME)? Being able to unpick GRE tunnel encryption would be a gigantic hole. Perhaps this only works because the OP is running analysis on their device, but even then I'm surprised that the pre-encryption payload is available.
mrjeeves · 7 months ago
Hello, article editor here. Many Android devices with Qualcomm chips offer the option to expose a modem diagnostics port over USB, meaning a rooted device isn't even needed. It's just much easier to use NSG rooted on-device than going around with a laptop places.

It's as simple as using Scat (https://github.com/fgsect/scat) with the modem diag port enabled to view all signalling traffic to/from the network.
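
The thread talks about cell identifiers (ECI, a hex "LAC" such as 0x1003 = 4099) travelling in the call signalling headers, and about the operator's P-CSCF being the place where such headers should be handled. The following decoder and egress check is an added example and is not code from the article, from this thread, or from the Scat/NSG projects. It assumes the 3GPP/RFC 7315 `P-Access-Network-Info` layout for E-UTRAN (`utran-cell-id-3gpp` = MCC, 2 or 3 digit MNC, 4 hex TAC digits, 7 hex ECI digits, with the ECI being a 20-bit eNodeB id followed by an 8-bit cell id); the SIP message, numbers and cell values are constructed, and the helper names are mine. The point it makes is a defensive one: an operator (or anyone auditing a signalling capture) can mechanically decode how much location detail a single header carries, and verify that an outbound INVITE has had those headers stripped before it leaves the network.

```python
import re
from dataclasses import dataclass

# Header names assumed to carry the caller's radio cell identity (assumption: the
# standard RFC 7315 header; add any operator-specific variants seen in a capture).
LOCATION_HEADERS = {"p-access-network-info"}

# utran-cell-id-3gpp value: hex string, case-insensitive.
CELL_ID_RE = re.compile(r"utran-cell-id-3gpp=([0-9A-Fa-f]+)")

# Constructed SIP INVITE, modelled on what VoLTE signalling looks like on the wire.
# Numbers are from the Ofcom-reserved 07700 900xxx range; the cell value is made up:
#   MCC 234, MNC 10, TAC 0x1003 (= 4099), ECI 0x1BB0F12.
SAMPLE_INVITE = (
    "INVITE sip:+447700900123@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP [2001:db8::1]:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+447700900456@ims.example.net>;tag=1928301774\r\n"
    "To: <sip:+447700900123@ims.example.net>\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=2341010031BB0F12\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


@dataclass(frozen=True)
class CellIdentity:
    mcc: str
    mnc: str
    tac: int      # tracking area code (16 bits)
    eci: int      # E-UTRAN cell identity (28 bits)
    enb_id: int   # upper 20 bits of the ECI
    cell_id: int  # lower 8 bits of the ECI


def decode_utran_cell_id(value: str) -> CellIdentity:
    """Split an E-UTRAN utran-cell-id-3gpp value into its PLMN, TAC and ECI parts."""
    value = value.strip()
    # 3 + 2 + 4 + 7 = 16 chars for a 2-digit MNC, 17 chars for a 3-digit MNC.
    if len(value) == 16:
        mnc_len = 2
    elif len(value) == 17:
        mnc_len = 3
    else:
        raise ValueError(f"unexpected utran-cell-id-3gpp length {len(value)}")
    mcc = value[:3]
    mnc = value[3:3 + mnc_len]
    rest = value[3 + mnc_len:]
    tac = int(rest[:4], 16)
    eci = int(rest[4:], 16)
    return CellIdentity(mcc, mnc, tac, eci, enb_id=eci >> 8, cell_id=eci & 0xFF)


def parse_headers(sip_message: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the SIP header block, skipping the request line."""
    head = sip_message.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def leaked_cells(sip_message: str) -> list[CellIdentity]:
    """Every decodable cell identity a message would hand to the far end."""
    found = []
    for name, value in parse_headers(sip_message):
        if name.lower() not in LOCATION_HEADERS:
            continue
        match = CELL_ID_RE.search(value)
        if match:
            found.append(decode_utran_cell_id(match.group(1)))
    return found


def strip_location_headers(sip_message: str) -> str:
    """What an egress policy at the P-CSCF/IBCF should do before forwarding the message."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [
        line for line in lines[1:]
        if line.partition(":")[0].strip().lower() not in LOCATION_HEADERS
    ]
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for cell in leaked_cells(SAMPLE_INVITE):
        print(f"PLMN {cell.mcc}-{cell.mnc} TAC {cell.tac} eNodeB {cell.enb_id} cell {cell.cell_id}")
    print("after stripping:", leaked_cells(strip_location_headers(SAMPLE_INVITE)))
```

Run against a real capture, the useful assertion is the last one: an INVITE (or 183/200 response) taken at the network edge should decode to an empty list, and anything else is the leak this thread is about, independent of whether the access leg is wrapped in IPsec.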

celsoazevedo · 7 months ago
They're using a rooted Android phone and an app called Network Signal Guru: https://play.google.com/store/apps/details?id=com.qtrun.Quic...

At least the free version of the app doesn't seem to "decrypt" anything, but it has root access and access to the modem, so it can read these logs. It can also disable bands and try to lock to a specific mast (like dedicated 4G/5G routers can), which is useful if you're trying to use mobile data as your main internet connection.

immibis · 7 months ago
Right, so, that's the hacking tool they'll soon get prosecuted for using, while the problem will remain unfixed.
kevvok · 7 months ago
Many operators do configure the SIP signaling for VoLTE to use an IPsec transport terminated at the P-CSCF, but most (if not all) of them only configure IPsec to provide integrity protection.
tguvot · 7 months ago
I think you meant GTP tunnel. And the GTP tunnel is between the eNodeB and the core network. It's secured only in the case that it runs inside IPsec.
kjellsbells · 7 months ago
Doh! Yes, of course. Thank you
kjellsbells · 7 months ago
^^edit: GTP.
daveoc64 · 7 months ago
O2 has claimed that the problem is now fixed: https://www.ispreview.co.uk/index.php/2025/05/o2-uk-fixes-vo...
crtasm · 7 months ago
The submitted post was updated this morning

>O2 reached out to me via email to confirm that this issue has been resolved. I have validated this information myself, and can confirm that the vulnerability does appear to be resolved.

ollybee · 7 months ago
From their statement "Our engineering teams have been working on and testing a fix for number of weeks". Can you imagine if a database was knowingly left unsecured for that long with data that sensitive and seemingly without telling anyone. It will be interesting to see how the ICO deal with this.
celsoazevedo · 7 months ago
Seems to be a serious problem. It's not that hard to root a phone, install NSG, and look at this info. O2 is also the largest mobile network in the UK and they have contracts with the government...

It's disappointing that they didn't reply, but I'm not surprised. O2 seems to be a mess internally. Anything that can't be fixed by someone at a store takes ages to fix (eg: a bad number port). Their systems seem to be outdated, part of their user base still can't use VoLTE, their new 5G SA doesn't support voice and seems to over rely on n28 making it slow for many, their CTO blogs about leaving "vanity metrics behind"[0] even though they are usually the worst network for data, etc.

[0] https://news.virginmediao2.co.uk/leaving-the-vanity-metrics-...

badgersnake · 7 months ago
I’m starting to think the reason they don’t charge for EU roaming is because they don’t have a system to do it.

jonathantf2 · 7 months ago
I’m not sure how O2 are still in business - they’re the worst network by far, even Three with their diabolical backhaul situation is better. Only reason I have an O2 SIM along with my EE one is for Priority tickets/signal inside their venues
martinald · 7 months ago
They've got a lot better if you have access to their 5G Standalone network. But it does require a new SIM card + compatible phone. It's night and day...