Phone-tracking firm had a bug that let anyone track millions of Americans – CNET


LocationSmart had a bug that allowed anyone to track millions of phones in the US.


It turns out LocationSmart’s phone-tracking feature isn’t smart with security or privacy.

The cell phone tracking firm, which CNET sister site ZDNet discovered was providing location data using “direct connections” to major US wireless carriers, offered a free demonstration on its website for potential customers to track any phone’s location in real time. 

In ZDNet’s test, the results were incredibly accurate, pinpointing locations within a city block.

The only requirement for the free trial was consent from the phone number’s owner, which LocationSmart said it would obtain by sending a text message or placing a call to that number. But a simple bug on LocationSmart’s website allowed a researcher from Carnegie Mellon University to get around that check and track any phone without limitations.

Robert Xiao, a PhD student at Carnegie Mellon University’s Human-Computer Interaction Institute, said he found the bug within 15 minutes of finding LocationSmart’s website. By then, he was certain LocationSmart had a flaw that allowed anyone with an “elementary” understanding of websites to track millions of people online without their knowledge and free of charge.

“LocationSmart was basically giving free-for-alls to anyone,” he said. 

LocationSmart uses geolocation data it buys from major US wireless carriers, including T-Mobile, Verizon, AT&T and Sprint. While wireless carriers aren’t allowed to hand location data to the government without legal process, they have free rein to sell that data to other businesses, and many of them have taken advantage of this loophole.

A New York Times report last week revealed that Securus, a provider of phone services to prisons and jails, had offered the same technology to find anyone’s phone in the US within seconds. The LocationSmart bug essentially opened this tool up to anybody, the Carnegie Mellon researcher said.

He was able to bypass the consent requirement because the page did not actually verify that the phone’s owner had granted consent before handing back a location. All Xiao needed to do, he said, was ask the website to return its response in a different format.
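The article describes the bug only at the level of “a different format got around the consent check.” The pattern that produces that behaviour is an authorization check written into one response path instead of ahead of all of them. The following is an added illustration, not LocationSmart’s code and not from the original article: a deliberately vulnerable lookup handler whose consent check sits inside the default (XML) rendering branch, the hardened version that decides authorization once before any rendering, and a small probe a researcher would use to confirm that every output format enforces the same rule. The `format` parameter, the function names, the phone numbers and the coordinates are all constructed for the example.

```python
# Added example: consent check placed inside one output-format branch
# (vulnerable) versus hoisted above the format choice (fixed).
# Not LocationSmart's code; all names and data below are assumptions.
import json
import xml.etree.ElementTree as ET

# Constructed sample data: numbers whose owner confirmed consent, and the
# (lat, lon) the "carrier" would return. Values are made up.
CONSENT_GRANTED = {"+15555550100"}
CARRIER_LOCATIONS = {
    "+15555550100": (37.7749, -122.4194),
    "+15555550123": (21.3069, -157.8583),
}


def lookup_location(number):
    """Stand-in for the carrier query; returns (lat, lon) or None."""
    return CARRIER_LOCATIONS.get(number)


def _render_xml(number, loc):
    root = ET.Element("location", msisdn=number)
    ET.SubElement(root, "lat").text = str(loc[0])
    ET.SubElement(root, "lon").text = str(loc[1])
    return ET.tostring(root, encoding="unicode")


def _render_json(number, loc):
    return json.dumps({"msisdn": number, "lat": loc[0], "lon": loc[1]})


RENDERERS = {"xml": _render_xml, "json": _render_json}


def vulnerable_handler(number, fmt="xml"):
    """Vulnerable pattern: the consent check was added to the XML path
    (the one the demo page uses) only. Requesting any other format
    reaches the carrier data without ever touching the check."""
    loc = lookup_location(number)           # data fetched before authz
    if loc is None:
        return 404, "unknown number"
    if fmt == "xml":
        if number not in CONSENT_GRANTED:   # check lives in one branch
            return 403, "consent not confirmed"
        return 200, _render_xml(number, loc)
    if fmt == "json":
        return 200, _render_json(number, loc)  # no check on this path
    return 400, "unsupported format"


def fixed_handler(number, fmt="xml"):
    """Hardened: authorization is decided once, before the carrier lookup
    and before the output format is even considered (deny by default)."""
    if number not in CONSENT_GRANTED:
        return 403, "consent not confirmed"
    renderer = RENDERERS.get(fmt)
    if renderer is None:
        return 400, "unsupported format"
    loc = lookup_location(number)
    if loc is None:
        return 404, "unknown number"
    return 200, renderer(number, loc)


def probe_formats(handler, number, formats=("xml", "json")):
    """Researcher's check: same number, every output format. A consent
    gate is only real if every entry returns the same status."""
    return {fmt: handler(number, fmt)[0] for fmt in formats}


def enforcement_is_consistent(handler, number):
    """True if the handler gives one answer regardless of format."""
    return len(set(probe_formats(handler, number).values())) == 1


if __name__ == "__main__":
    unconsented = "+15555550123"
    print("vulnerable:", probe_formats(vulnerable_handler, unconsented))
    print("fixed:     ", probe_formats(fixed_handler, unconsented))
```

The probe is the part worth keeping: when a consent or authorization step is only ever exercised through the UI’s default path, try every other representation the same endpoint will serve and confirm the status codes agree before trusting the gate.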

Xiao first tried it on his own phone, and then asked several of his friends to see if he could try it with their phone numbers.

“I had a friend driving around Hawaii, and I watched him driving around the island with his permission,” Xiao said. “It was clear to me at that point, that nobody I had contacted received a text message or notification while I was tracking them.” 

After discovering the massive flaw, he reached out to US-CERT to disclose the vulnerability, and to Brian Krebs, who first reported the story.

LocationSmart’s demo page has been pulled offline, and the company did not respond to a request for comment. 

Last week, Sen. Ron Wyden, a Democrat from Oregon, requested that the FCC and the major wireless carriers investigate abuse of geolocation data.