A little-known service has been leaking the real-time locations of US cell phone users to anyone who takes the time to exploit an easily spotted bug in a free trial feature, security news site KrebsOnSecurity reported Thursday.
LocationSmart, as the service is known, identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said.
The tool was billed as a demonstration prospective customers could use to see the approximate location of their own mobile device. It required interested people to enter their name, email address, and phone number into a Web form. LocationSmart would then text the phone number and request permission to query the cellular network tower closest to the device. It didn’t take long for Robert Xiao, a security researcher at Carnegie Mellon University, to find a way to work around the authorization requirement.
As Krebs explained:
But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: anyone with a modicum of knowledge about how websites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, .
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most people’s cell phones without their consent.”
Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one Telus Mobility mobile customer in Canada who volunteered to be found.
Before LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of my sources.
One of those sources said the longitude and latitude returned by Xiao’s queries . Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately one-fifth to one-third of a mile at the time.
Xiao published a detailed description of the demo bug. It showed how a simple changes to the Web requests that made the demo worked were able to bypass the requirement a location be queried only after a phone user approved.
LocationSmart founder and CEO Mario Proietti told Krebs he never intended to give away the service. “We make it available for legitimate and authorized purposes,” Krebs quoted the CEO as saying. “It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”
Word of the leak comes five days after another little-known service called Securus came to national attention after reported it allowed law enforcement officers to locate most US-based cell phones within seconds. According to ZDNet, Securus got the information through Carlsbad, California-based LocationSmart. Motherboard later reported that Securus experienced its own security breach that exposed the usernames and weakly protected passwords of thousands of Securus customers.
Krebs contacted all four of the major US mobile carriers, and all declined to confirm or deny a formal business relationship with LocationSmart, despite LocationSmart displaying the carriers’ corporate logos on its website. A T-Mobile spokesperson said the company quickly shut down any transaction of customer location data to Securus after its services recently became known. Other than that, the companies referred Krebs to their privacy policies, which all prevent the sharing of location information without customer consent or a demand from law enforcement.
Krebs went on to cite an official at the Electronic Frontier Foundation who said cellular carriers by law are required to know the approximate location of customers in the event it’s needed by emergency 911 services. Whether the carriers are permitted to sell or otherwise provide the information to other third parties is less clear. Expect there to be much more scrutiny about this in the coming weeks and months.