A researcher discovered a bug in the LocationSmart website that allowed tracking of millions of phones.
LocationSmart, a service that pinpoints the locations of phones connected to major US networks such as AT&T, Sprint, T-Mobile and Verizon, was found to have a bug that allowed the tracking of millions of phones.
According to security reporter Brian Krebs, the accuracy of the service was often a matter of a few hundred yards.
A fault in a demo tool
The company said it only provides the location look-up service for authorised purposes, but a demo tool on the website was available for anyone to covertly use in order to track a device. The tool asked interested individuals to input their name, email address and phone number into a web form. The phone number would then receive a text asking for permission to query the mobile phone tower closest to the phone in question.
An accidental discovery
A researcher at Carnegie Mellon University easily found a way to circumvent the authorisation process. Robert Xiao, a PhD candidate at the university’s Human-Computer Interaction Institute, found that the service failed to carry out rudimentary checks to prevent anonymous and unauthorised queries. In short, anyone with a little knowledge about websites could abuse LocationSmart’s demo to look up any mobile number.
Xiao said: “I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort. And the gist of it is, I can track most people’s cell phones without their consent.”
He was able to track the mobile number of a friend over several minutes as they were moving, and he then plugged those coordinates into Google Maps to track their directional movement. Xiao disclosed the bug to the company with the help of US-CERT and the demo site was taken offline. He warned that the bug could have exposed as many as 200m devices.
One of the APIs used in the demo page was not properly validating the consent response, with Xiao adding that it was simple for him to skip the step where the API sends the text message to the user in order to obtain consent.
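To make the class of flaw concrete, here is an added illustration (not LocationSmart's code, and not a reconstruction of the actual bypass, which the article does not detail). It contrasts a lookup that trusts a consent flag arriving with the request against one where consent is recorded server-side only by the SMS-reply handler and is bound to a one-time token with a short lifetime. All names, the phone number and the coordinates are constructed for the example.

```python
"""
Hypothetical consent-gated location lookup, illustrating the failure mode
described above: a demo API that lets the caller skip the SMS consent step.
Added example; names and data are constructed, nothing here is LocationSmart's.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample data standing in for a carrier tower lookup (not real).
FAKE_TOWER_DB: Dict[str, Dict[str, float]] = {
    "+15555550100": {"lat": 37.4219, "lon": -122.0841},
}


def vulnerable_lookup(request: dict) -> Optional[dict]:
    """Weak pattern: consent is a field in the request, so whoever builds the
    request decides whether the consent step 'happened'."""
    if not request.get("consent"):
        return None
    return FAKE_TOWER_DB.get(request.get("phone", ""))


class ConsentGatedLookup:
    """Hardened pattern: consent lives on the server and is granted only by the
    SMS-reply path, with a per-request token and an expiry."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}  # phone -> (token, expiry)
        self._granted: Dict[str, float] = {}              # phone -> consent expiry

    def start_request(self, phone: str) -> str:
        """Step 1: mint a one-time token and (in production) send it to the
        handset by SMS. Returned here only so a test can simulate the reply."""
        token = secrets.token_urlsafe(16)
        self._pending[phone] = (token, time.time() + self.ttl)
        return token

    def handle_sms_reply(self, phone: str, token: str) -> bool:
        """Step 2: the SMS reply handler is the only writer of the consent
        store. A wrong, reused or expired token grants nothing."""
        entry = self._pending.pop(phone, None)
        if entry is None:
            return False
        expected, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(expected, token):
            return False
        self._granted[phone] = time.time() + self.ttl
        return True

    def lookup(self, phone: str) -> Optional[dict]:
        """Step 3: the lookup accepts no consent field at all; it consults the
        server-side store and refuses once the consent window has lapsed."""
        expiry = self._granted.get(phone)
        if expiry is None or time.time() > expiry:
            self._granted.pop(phone, None)
            return None
        return FAKE_TOWER_DB.get(phone)
```

The defensive point is that the location endpoint must not be reachable with a caller-supplied assertion of consent; the only path that can flip a number to "consented" is the one that proves possession of the handset, and that grant should expire rather than persist.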
Major issues with location tracking
Earlier in May, The New York Times reported that another tracking firm, Securus Technologies, had been selling or giving away location data on customers from a wide variety of US providers to a sheriff’s office in Mississippi County.
Motherboard then found that a hacker had broken into Securus servers and stolen 2,800 email addresses, phone numbers and hashed passwords, many belonging to law enforcement officials all over the US. Securus was apparently getting its data from an intermediary: LocationSmart.
LocationSmart co-founder and CEO Mario Proietti said the company was looking into the events. “We don’t give away data; we make it available for legitimate and authorised purposes. It’s based on legitimate and authorised use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”
Location aggregators are a prime target for bad actors, from hackers to adversarial intelligence agencies.
US senator Ron Wyden told ZDNet that the bug was a major scandal for carriers and location aggregators alike. “It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone.”
Many US privacy experts pointed to the fact that subscriber location tracking rules are governed by a law passed in 1986, which is undoubtedly dated. Xiao called for stricter controls on sharing this type of data.