A researcher discovered a bug on the LocationSmart website that could have been used to track millions of phones.
LocationSmart, a service that looks up the location of phones connected to major US networks such as AT&T, Sprint, T-Mobile, and Verizon, was found to have a bug that allowed millions of phones to be tracked.
According to security reporter Brian Krebs, the service was often accurate to within a few hundred meters.
A defect in a demonstration tool
The company said it only provides the location finder service for authorized purposes, but a demo tool on the website could be used by anyone to track a device covertly. The tool asked interested people to enter their name, email address and phone number in a web form. The phone would then receive an SMS asking for permission to query the cell tower closest to it.
A fortuitous discovery
A Carnegie Mellon University researcher easily found a way around the authorization process. Robert Xiao, a doctoral student at the university’s Institute for Human-Machine Interaction, found that the service had failed to perform rudimentary checks to prevent anonymous and unauthorized requests. In short, anyone with a little knowledge of websites could abuse LocationSmart’s demo to locate any mobile number.
Xiao said, “I ran into it almost by accident, and it wasn’t very difficult to do. It is something that anyone could discover with minimal effort. And the bottom line is that I can track most people’s cell phones without their consent.”
He was able to track a friend’s cell phone number for several minutes as the friend moved, then plotted those coordinates on Google Maps to follow the direction of travel. Xiao disclosed the bug to the company with help from US-CERT, and the demo site was taken offline. He warned that the bug could have exposed up to 200 million devices.
One of the APIs used by the demo page did not properly validate the consent response. Xiao added that it was easy for him to skip the step in which the API sends the text message to the user to obtain their consent.
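The defect described above, a lookup API that never verifies server-side that the SMS consent step actually completed, is a general anti-pattern. The following is an added illustration, not LocationSmart’s code and not based on its actual API: `lookup_vulnerable` treats a consent field supplied by the caller as proof of consent, so the SMS step can simply be omitted, while `lookup_hardened` accepts only a server-issued, confirmed, unexpired, single-use token bound to the queried number. The phone numbers, coordinates and the `ConsentStore` class are all constructed for the example.

```python
import secrets
import time
from typing import Optional, Tuple

# Constructed sample data standing in for a carrier cell-tower lookup (not real coordinates).
SAMPLE_LOCATIONS = {"+15550100001": (40.4433, -79.9436)}


class ConsentStore:
    """Hypothetical server-side record of SMS consent requests.

    The hardened handler trusts only what this store says, never the request body.
    """

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        # token -> {"phone", "issued", "confirmed", "used"}
        self._records = {}

    def request_consent(self, phone: str, now: Optional[float] = None) -> str:
        # Step 1: issue an unguessable token; a real system would send it by SMS to `phone`.
        token = secrets.token_urlsafe(24)
        issued = now if now is not None else time.time()
        self._records[token] = {"phone": phone, "issued": issued, "confirmed": False, "used": False}
        return token

    def confirm_from_sms(self, token: str) -> bool:
        # Step 2: only the handset that received the SMS can echo the token back.
        rec = self._records.get(token)
        if rec is None:
            return False
        rec["confirmed"] = True
        return True

    def consume(self, phone: str, token: str, now: Optional[float] = None) -> bool:
        # Step 3: the token must be bound to this phone, confirmed, unexpired and unused.
        rec = self._records.get(token)
        if rec is None or rec["phone"] != phone or not rec["confirmed"] or rec["used"]:
            return False
        current = now if now is not None else time.time()
        if current - rec["issued"] > self.ttl:
            return False
        rec["used"] = True  # single use: a captured token cannot be replayed
        return True


def lookup_vulnerable(request: dict) -> Optional[Tuple[float, float]]:
    """Pattern to avoid: consent is whatever the caller claims, so the SMS step is skippable."""
    if request.get("consent") == "granted":
        return SAMPLE_LOCATIONS.get(request["phone"])
    return None


def lookup_hardened(request: dict, store: ConsentStore) -> Optional[Tuple[float, float]]:
    """Consent is established from the server's own records; the request cannot assert it."""
    if not store.consume(request["phone"], request.get("token", "")):
        return None
    return SAMPLE_LOCATIONS.get(request["phone"])


if __name__ == "__main__":
    phone = "+15550100001"
    print("vulnerable, no SMS ever sent:", lookup_vulnerable({"phone": phone, "consent": "granted"}))
    store = ConsentStore()
    print("hardened, forged token:", lookup_hardened({"phone": phone, "token": "forged"}, store))
    tok = store.request_consent(phone)
    print("hardened, token issued but not confirmed:", lookup_hardened({"phone": phone, "token": tok}, store))
    store.confirm_from_sms(tok)
    print("hardened, confirmed via SMS:", lookup_hardened({"phone": phone, "token": tok}, store))
    print("hardened, token replayed:", lookup_hardened({"phone": phone, "token": tok}, store))
```

The point of the hardened path is that every condition (issuance, confirmation, binding to the number, expiry, single use) is decided from state the server created; nothing the client sends can substitute for the SMS reply. A useful review question for any consent-gated API is simply: which server-side record does this handler check before it answers?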
Major issues with location tracking
Earlier in May, The New York Times reported that another tracking company, Securus Technologies, sold or donated location data on customers of a wide range of U.S. carriers to a Mississippi County sheriff’s office.
Motherboard then discovered that a hacker had broken into Securus’ servers and stolen 2,800 email addresses, phone numbers and hashed passwords, many of which belonged to law enforcement officials in the United States. Securus apparently obtained its data from an intermediary: LocationSmart.
LocationSmart co-founder and CEO Mario Proietti said the company is reviewing the events. “We don’t give data; we make it available for legitimate and authorized purposes. It is based on a legitimate and authorized use of location data which only takes place with consent. We take privacy seriously and will look at all the facts and consider them.”
Location aggregators are a prime target for bad actors, from hackers to rival intelligence agencies.
US Senator Ron Wyden told ZDNet that the bug was a major scandal for carriers and location aggregators. “This poses a clear and present danger, not only to privacy but to the financial and personal security of every American family. Because they value profits more than the privacy and security of the Americans they traffic, mobile carriers and LocationSmart seem to have allowed almost any hacker with basic knowledge of websites to track the location of any American with a cell phone.”
Many US privacy experts have pointed out that the rules governing subscriber location data come from a law passed in 1986, which is clearly dated. Xiao called for tighter controls on the sharing of this type of data.