Real-time Locations Of Most US Cell Phones Leaked By An Exploited Website
A little-known service has been leaking the real-time locations of US cell phone users to anyone who takes the time to exploit an easily spotted bug in a free trial feature, security news site KrebsOnSecurity reported Thursday.
LocationSmart, as the service is known, identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said. While the firm claims it provides the location lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to surreptitiously track the real-time whereabouts of just about anyone else.
The tool was billed as a demonstration prospective customers could use to see the approximate location of their own mobile device. It required interested people to enter their name, email address, and phone number into a Web form. LocationSmart would then text the phone number and request permission to query the cellular network tower closest to the device. It didn’t take long for Robert Xiao, a security researcher at Carnegie Mellon University, to find a way to work around the authorization requirement.
Xiao published a detailed description of the demo bug. It showed how simple changes to the demo’s Web requests were able to bypass the requirement a location be queried only after a phone user approved.
LocationSmart founder and CEO Mario Proietti told Krebs he never intended to give away the service. “We make it available for legitimate and authorized purposes,” Krebs quoted the CEO as saying. “It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”
Word of the leak comes five days after another little-known service called Securus came to national attention after The New York Times reported it allowed law enforcement officers to locate most US-based cell phones within seconds. According to ZDNet, Securus got the information through Carlsbad, California-based LocationSmart. Motherboard later reported that Securus experienced its own security breach that exposed the usernames and weakly protected passwords of thousands of Securus customers.
In a statement Sen. Ron Wyden (D-Ore) wrote: “This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security. It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone.”