Easily found bug in free demo let visitors track phones from four top US carriers.
Enlarge / An image from the LocationSmart website.
A little-known service has been leaking the real-time locations of US cell phone users to anyone who takes the time to exploit an easily spotted bug in a free trial feature, security news site KrebsOnSecurity reported Thursday.
LocationSmart, as the service is known, identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said. While the firm claims it provides the location lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to surreptitiously track the real-time whereabouts of just about anyone else.
The tool was billed as a demonstration prospective customers could use to see the approximate location of their own mobile device. It required interested people to enter their name, email address, and phone number into a Web form. LocationSmart would then text the phone number and request permission to query the cellular network tower closest to the device. It didn’t take long for Robert Xiao, a security researcher at Carnegie Mellon University, to find a way to work around the authorization requirement.
As Krebs explained:
But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: anyone with a modicum of knowledge about how websites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most people’s cell phones without their consent.”
Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one Telus Mobility mobile customer in Canada who volunteered to be found.
Before LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of my sources.
One of those sources said the longitude and latitude returned by Xiao’s queries came within 100 yards of their then-current location. Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately one-fifth to one-third of a mile at the time.
Xiao published a detailed description of the demo bug. It showed how simple changes to the demo’s Web requests were able to bypass the requirement a location be queried only after a phone user approved.
LocationSmart founder and CEO Mario Proietti told Krebs he never intended to give away the service. “We make it available for legitimate and authorized purposes,” Krebs quoted the CEO as saying. “It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”
Word of the leak comes five days after another little-known service called Securus came to national attention after The New York Times reported it allowed law enforcement officers to locate most US-based cell phones within seconds. According to ZDNet, Securus got the information through Carlsbad, California-based LocationSmart. Motherboard later reported that Securus experienced its own security breach that exposed the usernames and weakly protected passwords of thousands of Securus customers.
In a statement Sen. Ron Wyden (D-Ore) wrote: “This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security. It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone.”
Krebs contacted all four of the major US mobile carriers, and all declined to confirm or deny a formal business relationship with LocationSmart, despite LocationSmart displaying the carriers’ corporate logos on its website. A T-Mobile spokesperson said the company quickly shut down any transaction of customer location data to Securus after its services recently became known. Other than that, the companies referred Krebs to their privacy policies, which all prevent the sharing of location information without customer consent or a demand from law enforcement.
Krebs went on to cite an official at the Electronic Frontier Foundation who said cellular carriers by law are required to know the approximate location of customers in the event it’s needed by emergency 911 services. Whether the carriers are permitted to sell or otherwise provide the information to other third parties is less clear. Expect there to be much more scrutiny about this in the coming weeks and months.