
Virgin Media O2 mobile users' locations exposed for two years in security flaw
Before the fix was implemented on 18 May, anyone with a Virgin Media O2 sim card could use their phone to obtain sensitive information about the network's other customers using a 4G-enabled device, including their location to the nearest mobile mast.
The flaw has now been patched and reported to the UK's communications and data protection regulators. Virgin Media O2 said there was no evidence that its network security systems had been externally breached.
The locations of customers could be tracked most precisely in urban areas, where mobile masts cover areas as small as 100 square metres.
Dan Williams, an IT specialist who discovered the defect, wrote that he was 'extremely disappointed' not to receive a response when he flagged the issue, which was resolved only after he blogged about it two months later, on 17 May. He said there had been no explanation for the delay.
He wrote: 'I don't want to be the enemy, I simply want to feel comfortable using my phone.'
Williams noticed Virgin Media O2's failure to configure its 4G calling software correctly when he was looking at messaging between his device and the network to work out call quality between himself and another O2 customer.
'I noticed that the responses from the network were extremely long, and upon inspection noticed that extra information from the recipient of the call was sent to the call initiator,' he told the Guardian.
This included normally private information, such as the cell ID, which identifies the cell tower a caller is currently connected to; information about the sim card, which could be used for a cyber-attack; and the phone model, which can be used to work out how to access it.
He believed that it was 'possible this was used in the wild and not reported against', though there was no way to quantify that. If it had been, that would be 'quite a large problem', as 'there are situations where this data is extremely, extremely sensitive', for example domestic abuse survivors or government workers, he added.
'I came across it by accident. Someone purposefully trying to find these kinds of vulnerabilities would have probably come across it,' he said. 'There are white papers detailing this exact scenario and warning networks against doing this.'
The FT, which first reported Williams's findings, said he had tested the problem with another O2 customer, successfully tracking them to Copenhagen, Denmark.
Disabling the 4G calling feature on devices would have prevented them from being tracked, though this is not possible on some handsets, such as iPhones. The issue may have also affected some customers of Giffgaff and Tesco Mobile, which use Virgin Media O2's network.
Alan Woodward, cybersecurity professor at Surrey University, said location data 'could be valuable for scams such as social engineering, or even blackmail' and for phishing attempts referencing a recent location, though they would need other information about the person for this to work.
He said this was unlikely to happen for normal people who were not criminal targets, but nevertheless fixing the vulnerability should have been a 'matter of urgency'.
A Virgin Media O2 spokesperson said: 'Our engineering teams had been working on and testing a fix for this configuration issue over a number of weeks, and we can confirm this fix was fully implemented on 18 May.
'Our customers do not need to take any action, and we have no evidence of this issue being exploited beyond the two illustrative examples given by a network engineer in his blog which we reported to the ICO [Information Commissioner's Office] and Ofcom. There has been no external compromise of our network security at any time.'
An Ofcom spokesperson said it was 'aware that O2 has experienced a network security issue', and is in contact with the provider to establish the scale and cause of the problem.
An ICO spokesperson said that after assessing the information provided by Telefonica and remedial steps taken, 'we will not be taking further action at this stage'.