38.4k unique visitors in the last 3 days

Buggy IMS Implementation Caused UK Mobile Operator to Broadcast the Location of Users

Anyone with a basic understanding of networks could have tracked customers of O2 UK due to a mistake with how a Mavenir IMS had been set up.

Customers of UK comms provider Virgin Media O2 had their privacy compromised for at least several months due to the flawed implementation of an IP Multimedia Subsystem (IMS) supplied by Mavenir, per a detailed blog written by Daniel Williams that was published on Saturday. His guest blog on the Mast Database website stated that the British telco had been advised of the issue in March but only resolved it after the blog was published.

Williams was trying to measure the quality of the audio for a 4G VoLTE call but a minor technical hiccup prompted him to examine the raw signaling messages exchanged between his mobile phone and O2’s network. When Williams saw the signaling data, he soon realized that far more information was being made available to users than was necessary.

The responses I got from the network were extremely detailed and long, and were unlike anything I had seen before on other networks. The messages contained information such as the IMS/SIP server used by O2 (Mavenir UAG) along with version numbers, occasional error messages raised by the C++ services processing the call information when something went wrong, and other debugging information. However, most notable were a set of five headers near the bottom of the message…

The five SIP headers that caught Williams’ eye consisted of a pair of IMSIs, a pair of IMEIs, and a Cellular Network Info header. The IMSIs and IMEIs were for both phones involved in each call. The Cellular Network Info header included the Location Area Code (LAC) and Cell ID associated with the recipient of Williams’ calls. In other words, Williams discovered he was able to determine the location of other O2 mobile phone users by simply calling them. He even tested the method with an O2 customer who was roaming abroad to verify he could continue to track their whereabouts when overseas.

O2 customers who switched off their phones would still not be completely protected from the consequences of this bug. For phones with no active network connection, the network would report the last known location and the amount of time that had passed since the phone was connected.

Williams stated there had been no change in the information leaked by O2’s network between the date he first contacted the telco, March 26, and the date his blog was published, May 17. I find this to be the most shocking aspect of this story. Mistakes happen. Even bad mistakes happen. But what is the excuse for employees of Virgin Media O2 to be told their network is casually leaking the location of its customers to anyone with awareness of this bug, and then allow 53 days to elapse without the issue being addressed? These 53 days came after an undetermined period of time between the mistaken configuration of the IMS and Williams notifying them of the issue. We hence do not know how long bad actors may have used the flaw to track the movements of phone users.

Virgin Media O2 did finally respond on May 19 to say the issue had now been fixed. This gives the impression that their management lacks the competence to identify serious infringements of customer privacy until somebody joins the dots to imminent negative press coverage.

One basic component of cybersecurity involves giving independent researchers the channels needed to efficiently communicate vulnerabilities they have discovered to employees empowered to rapidly do something about them. Williams’ account suggests Virgin Media O2 is oblivious to the need for such a fundamental element of risk management. He noted the lack of sophistication exhibited by Virgin Media O2 compared to the easily-found vulnerability disclosure policy of rival operator BT. There is some irony in the fact that O2 was originally part of BT.

Ofcom, the UK comms regulator, recently took the admirable step of prohibiting new Global Title leases to protect the privacy of mobile phone users. The abuse of Global Title and signaling data can permit sophisticated bad actors to track the movements of mobile phone users worldwide. Virgin Media O2’s faulty IMS implementation provided a far easier way for criminals and spies to accomplish the same objective.

If there was any justice in the way telcos are treated when they spew customer data willy-nilly then the British Information Commissioner’s Office (ICO) would impose an enormous fine on Virgin Media O2. This would serve as a necessary warning that telcos must focus resources on avoiding privacy-infringing mistakes or else suffer consequences that are proportionate to the risk they have created for customers. Since the adoption of GDPR, ICO is theoretically able to fine businesses up to 4% of their global annual turnover. A lot of press coverage has been devoted to the maximum penalty for privacy infringements now permitted by law. The reality is that the data protection regulator lacks the political support needed to impose anything beyond a trivial penalty in cases like this screw-up by Virgin Media O2.

Any fine received by Virgin Media O2 is likely to be smaller than the rounding errors in their annual accounts. That means we should expect to see more data leaks of this magnitude in future, no matter how often telco marketeers say they care about safeguarding the privacy of customers.

Daniel Williams’ guest blog for Mast Database can be found here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email