Location tracking company LocationSmart has suffered from a data leak. Anyone could track a persons mobile device through their website.
There’s been another security incident. This time, it’s not credit cards, login credentials, or Facebook information being leaked. Instead, it is real-time geo-location information on people’s mobile devices.
The company impacted by this is LocationSmart, a company that operates a website that tracks the locations of mobile devices in real time. A vulnerability recently uncovered on their website allows anyone to access the information without login credentials. Krebs On Security offers the following:
LocationSmart’s demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device’s nearest cellular network tower.
Once that consent is obtained, LocationSmart texts the subscriber their approximate longitude and latitude, plotting the coordinates on a Google Street View map. [It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information”].
But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”
Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
The posting offers a whole lot more details about the leak, but that should offer a good synopsis of the leak in question.
Since the story first broke, it seems that the severity of the leak caught the attention of American regulators. The Federal Communications Commission (FCC) said that it intends on investigating the incident. From CNET:
The bug has prompted an investigation from the FCC, the agency said on Friday. An FCC spokesman said LocationSmart’s case was being handled by its Enforcement Bureau.
LocationSmart is able to obtain accurate geolocation data on nearly any phone in the US because it buys that data from major US wireless carriers, including T-Mobile, Verizon, AT&T and Sprint. Though wireless carriers aren’t allowed to provide location data to the government, they can sell that data to businesses.
Since The New York Times revealed that Securus, an inmate call tracking service, had offered the same tracking service last week, Sen. Ron Wyden, a Democrat from Oregon, called for the FCC and major wireless carriers to investigate these companies.
On Friday, Wyden praised the investigation, but requested the FCC to expand its look beyond LocationSmart.
“The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk,” Wyden said. “I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans.”
An interesting aspect of this particular data leak is that it’s unlikely that we’ll ever know just how big this one is precisely. Still, it is particularly creepy that one security flaw could enable anyone to track anyone in real time so long as they have a mobile device. That basically means a vast majority of people, really. At any rate, it certainly casts mobile devices in a somewhat different light in light of this latest incident.
Drew Wilson on Twitter: @icecube85 and Google+.