A little-known service has been leaking the real-time locations of US mobile phone users to anyone who took the time to exploit an easy-to-spot bug in a free demo, the security news site KrebsOnSecurity reported on Thursday.
LocationSmart, as the service is known, identifies the locations of phones connected to AT&T, Sprint, T-Mobile or Verizon, often to within several hundred meters, reporter Brian Krebs said. While the company says it offers its location lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to track the real-time location of almost any phone.
As Krebs explained:
But according to Xiao, a graduate student at CMU's Human-Computer Interaction Institute, the same service failed to perform even basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a minimal understanding of how websites work could abuse the LocationSmart demo site to figure out how to look up nearly any cell phone number, without ever having to provide a password or other credentials. "I stumbled upon it more or less by accident, and it wasn't terribly hard to do," Xiao said. "This is something anyone could discover with minimal effort, and the gist of it is that I can track most people's phones without their consent."
Xiao said his tests showed he could reliably query LocationSmart's service to ping the cellphone tower closest to a participant's mobile device. Xiao said he checked a friend's mobile number several times over a few minutes while that friend was moving. By repeatedly pinging the friend's mobile network over several minutes, he was able to plot the coordinates in Google Maps and follow the direction in which his friend was traveling.
"This is really scary stuff," Xiao said, adding that he had also successfully tested the vulnerable service against a Telus Mobility customer in Canada who volunteered.
Before LocationSmart's demo was taken offline today, KrebsOnSecurity asked five different trusted sources, all of whom agreed to let Xiao determine the whereabouts of their cell phones. Within seconds, Xiao had the public LocationSmart service return the near-exact location of the mobile phones belonging to all five of my sources.
One of those sources said the latitude and longitude returned by Xiao's queries came within 100 yards of their location at the time. Another source said the location found by the researcher was 1.5 miles from their actual location. The remaining three sources said the location returned for their phones was off by between roughly one-fifth and one-third of a mile.
Xiao has published a detailed write-up of the demo bug. It shows how simple modifications to the demo's web requests bypass the requirement that the phone's user approve the lookup before the site is queried.
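The passage above describes a consent check that can be routed around by changing a request field, without saying which field or how. The following is an added illustration of that class of flaw and its fix, not LocationSmart's code and not a reconstruction of Xiao's write-up: the parameter names, the response-format switch, the phone number, the coordinates and the `ConsentStore` are all constructed for the example. The vulnerable handler enforces consent only on its default response path; the hardened one decides authorization once, from server-side state, before any branch a client can select.

```python
"""Hypothetical model of a consent check that depends on a client-controlled
request field, beside a hardened handler.  Added example, not LocationSmart's
code; all names, numbers and coordinates are constructed."""
from dataclasses import dataclass, field

# Constructed sample data: one phone number mapped to a made-up location.
LOCATIONS = {"+15555550100": (45.5155, -122.6789)}


@dataclass
class ConsentStore:
    """Server-side record of which numbers have approved being looked up."""
    approved: set = field(default_factory=set)

    def grant(self, phone: str) -> None:
        self.approved.add(phone)

    def has_consent(self, phone: str) -> bool:
        return phone in self.approved


def vulnerable_lookup(params: dict, consent: ConsentStore):
    """Consent is checked on the default (json) path only.  A caller who sets
    the hypothetical 'format' field reaches a second path that was written
    without the check, so the location is returned regardless of consent."""
    phone = params["phone"]
    fmt = params.get("format", "json")
    loc = LOCATIONS.get(phone)
    if loc is None:
        return {"status": "denied", "reason": "unknown number"}
    if fmt == "json":
        if not consent.has_consent(phone):
            return {"status": "denied", "reason": "consent required"}
        return {"status": "ok", "lat": loc[0], "lon": loc[1]}
    # Second formatter: no consent check at all.  This is the bug.
    return f'<location phone="{phone}" lat="{loc[0]}" lon="{loc[1]}"/>'


def hardened_lookup(params: dict, consent: ConsentStore):
    """Authorization is decided once, before any formatting branch, from
    server-side state only.  Every denial looks the same so the response does
    not reveal whether the number is known to the service."""
    phone = params["phone"]
    fmt = params.get("format", "json")
    denied = {"status": "denied", "reason": "consent required"}
    if fmt not in ("json", "xml"):
        return {"status": "denied", "reason": "unsupported format"}
    if not consent.has_consent(phone):
        return denied
    loc = LOCATIONS.get(phone)
    if loc is None:
        return denied
    if fmt == "json":
        return {"status": "ok", "lat": loc[0], "lon": loc[1]}
    return f'<location phone="{phone}" lat="{loc[0]}" lon="{loc[1]}"/>'


if __name__ == "__main__":
    store = ConsentStore()
    req = {"phone": "+15555550100", "format": "xml"}
    print("vulnerable, no consent:", vulnerable_lookup(req, store))
    print("hardened, no consent:  ", hardened_lookup(req, store))
```

The design point is that the authorization decision is taken exactly once, at the top of the handler, and that the data the decision is based on (the consent record) lives on the server; nothing the client sends can select a path that skips it. Adding a new output format later cannot reintroduce the bug because formatting code never runs for an unauthorized request.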
LocationSmart founder and CEO Mario Proietti told Krebs that the company does not give data away. "We make it available for legitimate and authorized purposes," Krebs quoted the CEO as saying. "It's based on legitimate and authorized use of location data that only takes place with consent. We take privacy seriously, and we'll review all the facts and look into them."
Word of the leak comes five days after The New York Times reported that another little-known service, Securus, allowed law enforcement agencies to locate most US-based cell phones within seconds. According to ZDNet, Securus obtained the data through Carlsbad, California-based LocationSmart. Motherboard later reported that Securus had suffered a security breach of its own, exposing the usernames and weakly protected passwords of thousands of Securus customers.
In a statement, Sen. Ron Wyden (D-Ore.) wrote: "This leak, coming only days after the lax security at Securus was exposed, shows how little companies throughout the wireless ecosystem value Americans' security. It is a clear and present danger, not only to the privacy but also to the financial and personal security of every American family. Because they put their own gain ahead of the privacy and security of the Americans whose locations they use, the mobile operators and LocationSmart appear to have allowed any hacker with basic website knowledge to track the location of any American with a mobile phone."
Krebs contacted all four major US mobile operators, and all declined to confirm or deny a formal relationship with LocationSmart, even though LocationSmart displayed the companies' logos on its website. A spokesperson for T-Mobile said the company had quickly shut down the flow of customer location data to Securus after that service's practices recently became public. The companies also pointed Krebs to their privacy policies, all of which prohibit disclosure of location information without the customer's consent or a lawful demand from law enforcement.
Krebs went on to quote an official at the Electronic Frontier Foundation, who said mobile operators are required by law to know the approximate location of their customers in case it is needed by emergency 911 services. Whether the carriers may sell that information to third parties or make it available elsewhere is less clear. Expect the question to be examined much more closely in the coming weeks and months.