A week ago US senator John Wyden made a formal complaint to the FCC about a phone tracking system that can be used by the police to track almost any phone in the US. Now, evidence has emerged that a second, much more terrifying phone tracking service, has been permitting just about anybody to track US cell phones.
The system is called LocationSmart, and it is a phone tracking service that can pinpoint the location of cell phones connected to carrier networks belonging to Verizon, AT&T, Sprint, and T-Mobile.
Unbelievably, security researcher, Brian Krebs, has now revealed that a bug - which is extremely easy to exploit - has been found in the free demo of the location tracking tool.
That free to use API, which was available on LocationSmart’s website until recently, had been permitting anybody with a basic coding knowledge work to track just about any cell phone in the US.
Where are you?
The location tracking demo existed to permit consumers to check the viability of the technology by permitting them to check the location of their own phone. It worked by letting prospective customers enter their name, email address, and phone number into an online form. Following that, the user received an SMS message asking for their permission to approximate their phone's position using cell tower triangulation.
However, a researcher working at Carnegie Mellon University discovered a way to bypass the SMS authorization process. The result? The ability to query the location of any phone in the US using the online demo tool.
Easy to exploit
According to Robert Xiao from Carnegie Mellon’s Human-Computer Interaction Institute, he found the bug by chance:
"I stumbled upon this almost by accident, and it wasn’t terribly hard to do.
"This is something anyone could discover with minimal effort. And the gist of it is I can track most people's cell phones without their consent.”
In Xiao’s detailed blog about the bug, he explains that easy to carry out changes to the demo's Web requests allowed anybody to bypass the necessity for phone users to approve via SMS before being tracked. Xiao tested the bug by tracking his friend’s phone a number of times and was successfully able to track him in real time. "This is really creepy stuff,” he commented.
Xiao also explained that "because this is carrier-based, it works regardless of phone operating system or the privacy settings on the device itself. There is no ability to opt-out".
Mario Proietti the CEO of LocationSmart has gone on the record to say that the firm will be launching an investigation into what happened. The demo tool has already been removed from the website. According to Proietti, the API was made available for "legitimate and authorized purposes” only. Talking about the service, he commented:
"It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”
Senator Ron Wyden has again expressed his anger at the lackluster way that consumer data is being treated by telecoms companies and the third parties they work with:
"This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security. It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family.
"Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone.”
Legal grey area
Krebs approached the four cell phone carriers involved but all refused to confirm or deny that they had worked with LocationSmart. Although unconfirmed, Krebs claims that it is possible that the demo has been available to exploit since as early as 2011, and definitely since January of 2017.
According to Electronic Frontier Foundation's staff attorney, firms are required by law to keep location data in order to make it available to emergency services. However, it remains a grey area whether it is legal for carriers to also sell that data to firms like LocationSmart and Securus without first gaining direct permission from consumers. Krebs said:
"A third-party firm leaking customer location information not only would almost certainly violate each mobile providers own stated privacy policies, but the real-time exposure of this data poses serious privacy and security risks for virtually all U.S. mobile customers."
For now, we will have to wait and see what comes of the FCC’s investigation. However, one thing is for sure, this isn't going to be easily brushed under the carpet.