Due to faulty configurations in its 4G and Wi-Fi calling tech, millions of Virgin Media O2 SIM cards exposed their users’ locations down to the nearest cell tower. The SIM cards had been leaking the general location of a user since at least February 2023, when the company started using the flawed tech.
The bug was discovered by security researcher Daniel Williams, who reported it to O2 in March 2025, but to no avail. After over a month of no answer from the telecom provider, Williams publicly disclosed the vulnerability on his blog in May 2025. Shortly after, O2 reached out to confirm that it had fixed the issue.
The data was being leaked through SIP headers and included information like the network type, call identifiers, error messages from services processing call information, and more. Williams claims that the messages from the network were “extremely detailed and long,” unlike anything he had seen before on other networks.

O2 insisted that an individual required specialist knowledge to exploit the flaw; however, Williams was able to demonstrate that he could pinpoint the general locations of random phone numbers by using the Network Signal Guru (NSG) app on a rooted Pixel 8.
The process involved intercepting raw IMS signalling messages usually exchanged during phone calls and decoding the cell ID to pinpoint the last cell tower to which the recipient had connected. He then used publicly available tools to find the tower’s GPS coordinates. In urban areas with good tower coverage, the location accuracy was 100 m². The method also worked if the target was abroad, as Williams demonstrated by locating a test subject in Copenhagen city centre, Denmark.
Regardless, the issue has since been patched, and no action was required on the customer’s part. The issue also affected Giffgaff and Tesco Mobile, whose networks use Virgin Media O2’s coverage.
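Because the data travelled in SIP headers, one way an edge proxy could contain this class of leak is to drop location-bearing headers before a message leaves the operator's trust domain. The sketch below is an added example, not code from Williams or O2; the article does not name the headers involved, so P-Access-Network-Info and P-Visited-Network-ID (both defined in RFC 7315) are assumptions, and X-Example-Debug and the sample message are constructed.

```python
# Header names are assumptions: P-Access-Network-Info and P-Visited-Network-ID
# come from RFC 7315; X-Example-Debug is a hypothetical verbose debug header.
SENSITIVE = {"p-access-network-info", "p-visited-network-id", "x-example-debug"}


def split_headers(head):
    """Return the start line and a list of (name, raw_lines) header entries.
    Folded continuation lines (leading space/tab) stay with their header."""
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1].append(line)
        else:
            name = line.split(":", 1)[0].strip().lower()
            headers.append((name, [line]))
    return lines[0], headers


def scrub(message, sensitive=SENSITIVE):
    """Remove sensitive headers; return (clean_message, removed_names)."""
    head, sep, body = message.partition("\r\n\r\n")
    start, headers = split_headers(head)
    kept, removed = [start], []
    for name, raw in headers:
        if name in sensitive:
            removed.append(name)  # logged so the operator can audit the leak
        else:
            kept.extend(raw)
    return "\r\n".join(kept) + sep + body, removed


# Constructed sample: a 183 response carrying a cell identity (test PLMN 001/01).
SAMPLE = (
    "SIP/2.0 183 Session Progress\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
    "From: <sip:alice@example.invalid>;tag=1\r\n"
    "To: <sip:bob@example.invalid>;tag=2\r\n"
    "Call-ID: constructed-call-id@example.invalid\r\n"
    "CSeq: 1 INVITE\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;\r\n"
    "\tutran-cell-id-3gpp=0010100010000001\r\n"
    "X-Example-Debug: constructed verbose error text\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(scrub(SAMPLE)[1])
```

The returned list of removed header names doubles as an audit signal: a non-empty list on traffic bound for a subscriber handset means an upstream element is still attaching the data.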