A troubling flaw in a popular cellphone tracking service made it possible for anyone to easily access a person’s location data in real time.
The service, called LocationSmart, only required users to request a free demo and they’d be able to track anyone with AT&T, Sprint, T-Mobile and Verizon phones within a few hundred feet, according to Krebs on Security.
LocationSmart customers consented to have the company track their phones’ location, but they didn’t agree to have it be accessed by anyone.
A security researcher says a website flaw at a U.S. company could have allowed anyone to pinpoint the location of nearly any cellphone in the United States
The company took the flawed webpage offline Thursday, a day after Carnegie Mellon University computer science student Robert Xiao discovered the software bug and notified LocationSmart.
The bug ‘allowed anyone, anywhere in the world, to look up the location of a US cellphone,’ Xiao explained.
‘I could punch in any 10-digit phone number and I could get anyone’s location’.
The web page was designed to let visitors test out LocationSmart’s service by entering their cellphone number.
The service would then ring their phone or send a text message to obtain consent, after which it would display the phone’s location within a few hundred yards.
But Xiao found a flaw that allowed him to bypass consent in just 15 minutes.
LocationSmart (pictured) only required users to request a free demo and they’d be able to track anyone with AT&T, Sprint, T-Mobile and Verizon phones within a few hundred feet
Using the website’s application programming interface, Xiao was able to request a phone number’s location data in JSON format, instead of the default XML format.
In doing so, it doesn’t require the user to opt-in to have their location tracked and almost immediately serves up the phone’s longitude and latitude.
‘It would not take anyone with sufficient technical knowledge much time to find this,’ he said.
‘It was just surreal when I discovered this,’ he added.
Xiao’s research indicated that LocationSmart had offered the service since at least January 2017.
LocationSmart purchases geolocation data from many US wireless carriers and provides it to companies for such uses as tracking employees and texting e-coupons to customers near relevant stores.
It counts the American Automobile Association, FedEx and Allstate as a few of its clients.
LocationSmart touts itself as the ‘world’s largest location-as-service company.’
It says it obtains location information from all major U.S. and Canadian wireless companies, with 95 percent coverage.
Wireless carriers cannot provide location data to the government, but they can sell it to third party organizations.
The LocationSmart flaw is the latest case to underscore how easily wireless carriers can share or sell consumers’ geolocation information without their consent.
It was reported earlier this month that a firm called Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track people without a court order.
On Wednesday, Motherboard reported that Securus’ servers had been breached by a hacker who stole user data that mostly belonged to law enforcement officials.
Securus may have obtained its location data indirectly from LocationSmart.
Securus officials told the office of Sen. Ron Wyden, an Oregon Democrat, that they obtained the data from a company called 3Cinterative, said Wyden spokesman Keith Chu. LocationSmart lists 3Cinteractive among its customers on its website.
Wyden said the LocationSmart and Securus cases underscore the ‘limitless dangers’ Americans face due to the absence of federal regulation on geolocation data.
‘A hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child’s cellphone to know when they were alone,’ he said in a statement.
Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track people without a court order
Representatives for AT&T and Sprint said they don’t allow sharing of location information without individual consent or a lawful order such as a warrant.
Verizon spokesman Rich Young said the company has taken steps to ensure that Securus can no longer request information on the company’s wireless customers and that it was reviewing its relationship with LocationSmart.
T-Mobile did not immediately respond to a request for comment.
Gigi Sohn, a former top aide at the Federal Communications Commission during the Obama administration, said user location data has been at high risk since last year.
That’s when Congress repealed FCC privacy rules barring mobile wireless carriers from sharing or selling it without customers’ express “opt-in” consent.
‘At a bare minimum, consumers should be able to choose whether a company like LocationSmart should have access to this data at all,’ she said.