LocationSmart – a US company that aggregates real-time location data of cellphones – has leaked the real-time location data of customers of all major US mobile carriers, without their consent, via its buggy website, security journalist Brian Krebs reported on Thursday.
Krebs says the data could be had without a password or any other form of authentication or authorization.
Krebs was tipped off about an unsecured service on the site by Robert Xiao, a security researcher at Carnegie Mellon University who was tinkering with a free demo of a find-your-phone service from LocationSmart. Xiao’s interest had been piqued after he read about the company supplying real-time phone location data to one of its customers – 3Cinteractive – which then reportedly supplied the data to Securus Technologies.
Securus, which provides and monitors calls to inmates, was the subject of a 10 May article from the New York Times, about how its location service – typically used by marketers who offer deals to people based on their location – can easily be used to find the real-time location of nearly any US phone to as close as a few hundred yards.
The issue came to light when a former Missouri sheriff was charged with using a private service to track people’s cellphones without court orders: Cory Hutcheson has been charged with allegedly using Securus at least 11 times to look up people’s information, including that of a judge and members of the State Highway Patrol.
On 15 May, ZDNet reported that Securus was actually getting its data from the carriers by going through an intermediary: 3Cinteractive, which was getting it from LocationSmart.
As an archived version of its website shows, LocationSmart has claimed to have “direct connections to all major wireless carriers providing near-complete coverage for US subscribers.” That includes any AT&T, Sprint, T-Mobile, US Cellular or Verizon phone in the US, with locations coming as close as a few hundred yards. It’s bragged about having access to 95% of the country’s carriers, including smaller ones such as Virgin, Boost, and MetroPCS, as well as Canadian carriers, like Bell, Rogers, and Telus, according to ZDNet.
Kevin Bankston, director of New America’s Open Technology Institute, told ZDNet that the carriers were selling the phone location data to LocationSmart as a workaround, since the Electronic Communications Privacy Act forbids telecom companies from disclosing the data to the government but doesn’t restrict them from disclosure to other companies that may then give it to the government.
ZDNet quoted Bankston:
“[The loophole is] one of the biggest gaps in US privacy law.
The issue doesn’t appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this.”
Besides exploitation of the legal loophole, the past few weeks have brought news of the data being exposed in multiple ways: first, there was Securus’s admitted failure to properly verify authentication/authorization for access to the data – a failure that Senator Ron Wyden has demanded be investigated by the Federal Communications Commission (FCC) and several major telecommunications companies.
Then there was the flaw in LocationSmart’s website. Krebs reports that Xiao, the Carnegie Mellon University researcher, found that LocationSmart’s demo page required users to consent to having their phone located by the service, but the application programming interface (API) used to display responses to visitors’ queries didn’t prevent or authenticate interaction with the API itself.
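The gap described above, where consent is enforced on the demo page but not by the API behind it, is sketched below as an added example; it is not code from LocationSmart, Krebs or Xiao. The handler names, the HMAC consent token and the sample number are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# All names are hypothetical; this is not LocationSmart's API.
SERVER_KEY = b"constructed-demo-key"   # in practice: from a secrets manager
CONSENT_TTL = 300                      # seconds a consent grant stays valid
LOCATIONS = {"+15555550100": (40.4433, -79.9436)}  # constructed sample data


def _sign(msisdn, expires):
    """MAC that binds a consent grant to one number and one expiry time."""
    msg = f"{msisdn}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_consent_token(msisdn, now=None):
    """Called only after the subscriber confirms from the handset itself."""
    expires = int(now if now is not None else time.time()) + CONSENT_TTL
    return f"{expires}.{_sign(msisdn, expires)}"


def consent_is_valid(msisdn, token, now=None):
    """True only if the token is unexpired and bound to this exact number."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):   # missing or malformed token
        return False
    fresh = expires >= (now if now is not None else time.time())
    expected = _sign(msisdn, expires)
    return fresh and hmac.compare_digest(sig.encode(), expected.encode())


def locate_unchecked(request):
    """Flawed pattern: the endpoint assumes the web page already got consent."""
    return {"status": 200, "location": LOCATIONS.get(request["msisdn"])}


def locate_checked(request, now=None):
    """Hardened: the endpoint itself refuses requests without proof of consent."""
    msisdn = request.get("msisdn", "")
    if not consent_is_valid(msisdn, request.get("consent_token"), now):
        return {"status": 403, "location": None}
    return {"status": 200, "location": LOCATIONS.get(msisdn)}
```

The point of the hardened handler is that the decision is made where the data is released, so skipping the page changes nothing.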
Then too, on Wednesday there was another shocker: Motherboard brought us news of a hacker who broke into Securus’s servers to steal 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users. The hacker reportedly gave Motherboard some of the stolen data, including usernames and poorly secured passwords – secured with the notoriously weak MD5 algorithm – for thousands of Securus’s law enforcement customers.
A spreadsheet allegedly from a database marked ‘police’ includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year.
This isn’t the first time that Securus has shown itself to be careless with sensitive information. In 2015, The Intercept investigated a hack of Securus’s system that involved 70 million prisoner phone calls.
How hard is it to exploit the API to get at all that sensitive information? Not hard at all, Xiao said:
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort. And the gist of it is I can track most people’s cell phone without their consent.
This is really creepy stuff.”
LocationSmart took the leaky service offline after Krebs informed the company of Xiao’s findings on Thursday. LocationSmart Founder and CEO Mario Proietti told Krebs that the company is investigating the issue but claimed that the company doesn’t give away data.
“We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”
As far as the carriers go, they’re not confirming or denying their connections to LocationSmart, though the company’s site lists their corporate logos. Krebs contacted the four major carriers and got a lot of spokespeople who referred him to privacy policies. One – T-Mobile – said that it shut down the funneling of customers’ location data to Securus after it received Wyden’s letter.
Xiao suggested that without more scrupulous attention to who gets at our phones’ location data under what authority, we should likely gird ourselves for more news of privacy violations when it comes to the tracking devices that ride in our pockets:
“We’re going to continue to see breaches like this happen until access to this data can be much more tightly controlled.”