
Virgin Media O2 mobile users' locations exposed for two years in security flaw
Before the fix was implemented on 18 May, anyone with a Virgin Media O2 sim card could use their phone to obtain sensitive information about the network's other customers using a 4G-enabled device, including their location to the nearest mobile mast.
The flaw has now been patched and reported to the UK's communications and data protection regulators. Virgin Media O2 said there was no evidence that its network security systems had been externally breached.
The locations of customers could be tracked most precisely in urban areas, where mobile masts cover areas as small as 100 square metres.
Dan Williams, an IT specialist who discovered the defect, wrote that he was 'extremely disappointed' not to receive a response when he flagged the issue, which was resolved only after he blogged about it two months later, on 17 May. He said there had been no explanation for the delay.
He wrote: 'I don't want to be the enemy, I simply want to feel comfortable using my phone.'
Williams noticed Virgin Media O2's failure to configure its 4G calling software correctly when he was looking at messaging between his device and the network to work out call quality between himself and another O2 customer.
'I noticed that the responses from the network were extremely long, and upon inspection noticed that extra information from the recipient of the call was sent to the call initiator,' he told the Guardian.
This included normally private information, such as the cell ID, which identifies the cell tower a caller is currently connected to; information about the sim card, which could be used for a cyber-attack; and the phone model, which can be used to work out how to access it.
He believed that it was 'possible this was used in the wild and not reported against', though there was no way to quantify that. If it had been, that would be 'quite a large problem', as 'there are situations where this data is extremely, extremely sensitive', for example domestic abuse survivors or government workers, he added.
'I came across it by accident. Someone purposefully trying to find these kinds of vulnerabilities would have probably come across it,' he said. 'There are white papers detailing this exact scenario and warning networks against doing this.'
The FT, which first reported Williams's findings, said he had tested the problem with another O2 customer, successfully tracking them to Copenhagen, Denmark.
Disabling the 4G calling feature on devices would have prevented them from being tracked, though this is not possible on some handsets, such as iPhones. The issue may have also affected some customers of Giffgaff and Tesco Mobile, which use Virgin Media O2's network.
Alan Woodward, cybersecurity professor at Surrey University, said location data 'could be valuable for scams such as social engineering, or even blackmail' and for phishing attempts referencing a recent location, though they would need other information about the person for this to work.
He said this was unlikely to happen for normal people who were not criminal targets, but nevertheless fixing the vulnerability should have been a 'matter of urgency'.
A Virgin Media O2 spokesperson said: 'Our engineering teams had been working on and testing a fix for this configuration issue over a number of weeks, and we can confirm this fix was fully implemented on 18 May.
'Our customers do not need to take any action, and we have no evidence of this issue being exploited beyond the two illustrative examples given by a network engineer in his blog which we reported to the ICO [Information Commissioner's Office] and Ofcom. There has been no external compromise of our network security at any time.'
An Ofcom spokesperson said it was 'aware that O2 has experienced a network security issue', and is in contact with the provider to establish the scale and cause of the problem.
An ICO spokesperson said that after assessing the information provided by Telefonica and remedial steps taken, 'we will not be taking further action at this stage'.