Little did consumers know that the smartphones in their pockets also served as tracking devices, not just for the phone companies but for anyone else, thanks to a buggy location demo service.
KrebsOnSecurity reported that a small company called LocationSmart, an aggregator of real-time location data on cell phone users, was inadvertently allowing anyone free access to the feature without a password.
The service covered AT&T, Sprint, T-Mobile, and Verizon devices and could locate customers to within a few hundred yards.
It's starting to feel like everyone in charge of our sensitive data might be incompetent. It's only been a day sinc… https://t.co/nr8e57jtDt — Jason Caston (@Jason Caston) 1526589194.0
KrebsOnSecurity provided details on how the system works:
LocationSmart's demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device's nearest cellular network tower.
After LocationSmart receives consent from the user, they are sent latitudinal and longitudinal coordinates, via text, on Google Street View maps as confirmation.
Sometimes it feels like somebody's watching YOU.
I discovered a bug in LocationSmart's API that allowed *anyone* to access *any phone's location* without any consen… https://t.co/SmI4Kzs2IU — Robert Xiao (@Robert Xiao) 1526582717.0
Robert Xiao, a security researcher at Carnegie Mellon University, found a way around the consent step after realizing that LocationSmart "failed to perform basic checks to prevent anonymous and unauthorized queries."
The flaw left the service open to abuse by anyone who is Internet savvy.
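As an added illustration (not LocationSmart's code, whose technical details are only linked from this page), here is how a demo like the one Krebs describes can keep the consent check on the server side: the web caller can only trigger an SMS and confirm the code; the lookup itself is authorized from a server-held consent record that expires. The phone data, SMS delivery and clock are constructed stand-ins.

```python
import secrets

CONSENT_TTL = 600  # seconds a confirmed consent stays valid (constructed value)
# Constructed sample data: phone number -> (latitude, longitude)
SAMPLE_LOCATIONS = {"+15550100": (40.4433, -79.9436), "+15550101": (38.8977, -77.0365)}


class ConsentGatedLocator:
    """Hypothetical lookup service whose consent check lives server-side."""

    def __init__(self, locations, send_sms, now):
        self._locations, self._send_sms, self._now = locations, send_sms, now
        self._pending = {}   # phone -> one-time code awaiting confirmation
        self._consents = {}  # phone -> expiry timestamp of a confirmed consent

    def request_consent(self, phone):
        """Send a one-time code to the handset; it is never returned to the web caller."""
        code = secrets.token_hex(3)
        self._pending[phone] = code
        self._send_sms(phone, code)

    def confirm(self, phone, code):
        """pop() makes each code single-use, so a wrong guess forces a fresh request."""
        expected = self._pending.pop(phone, None)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        self._consents[phone] = self._now() + CONSENT_TTL
        return True

    def lookup(self, phone):
        """Return coordinates only if server state holds an unexpired consent, else None."""
        expiry = self._consents.get(phone)
        if expiry is None or expiry < self._now():
            return None  # nothing the caller sends can substitute for this record
        return self._locations[phone]


def demo():
    """Runs the flow with a fake clock and captured SMS; returns the observed outcomes."""
    sent, clock, phone = [], {"t": 1000.0}, "+15550100"
    svc = ConsentGatedLocator(SAMPLE_LOCATIONS, send_sms=lambda p, c: sent.append(c),
                              now=lambda: clock["t"])
    before = svc.lookup(phone)              # no consent yet -> None
    svc.request_consent(phone)
    wrong = svc.confirm(phone, "zzzzzz")    # bad code burns the pending request
    svc.request_consent(phone)
    ok = svc.confirm(phone, sent[-1])       # the code the handset received
    during = svc.lookup(phone)
    clock["t"] += CONSENT_TTL + 1           # let the consent expire
    after = svc.lookup(phone)               # expired -> None
    return {"before": before, "wrong": wrong, "ok": ok, "during": during, "after": after}
```

The point is that no request parameter can stand in for the consent record: the lookup reads only what the server itself wrote after the handset confirmed.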
I stumbled upon this almost by accident, and it wasn't terribly hard to do. This is something anyone could discover with minimal effort. And the gist of it is I can track most people's cell phones without their consent.
This is really creepy stuff.
Technical details of the bug are now published at https://t.co/48oXoTnizE. — Robert Xiao (@Robert Xiao) 1526591551.0
LocationSmart's demo was taken offline on Thursday after the technical snafu.
@nneonneo @briankrebs LocationSmart is literally the evil plot of 2000's Charlie's Angels :: https://t.co/oM8Nwr23Ke — Rogue P. Bigh🌸m (@Rogue P. Bigh🌸m) 1526587573.0
The company's founder, Mario Proietti, said the service was never intended to be freely available; it was meant "for legitimate and authorized purposes."
It's based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we'll review all facts and look into them.
Fucking hell; this is geolocation madness. LocationSmart had a demo on its site for potential customers. But it was… https://t.co/bdQtvkJ1FV — Joseph Cox (@Joseph Cox) 1526584621.0
@josephfcox Sweet. I have some stalking to do tonight. — Zentrification (@Zentrification) 1526595737.0
The gaffe occurred after the New York Times reported on a little-known service called Securus that allowed law enforcers to track down anyone with a U.S.-based smartphone within seconds.
The service suffered a security breach that leaked subscribers' usernames and passwords.
Stephanie Lacambra of the Electronic Frontier Foundation said that wireless customers are, by law, subject to location tracking by their cellphone carriers. Carriers rely on that capability to comply with 911 regulations, using the location information to assist customers in an emergency.
Wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to… https://t.co/S3cxG1E5AH — Ron Wyden (@Ron Wyden) 1526656336.0
Statement from @RonWyden on today's news that Americans' real-time cell phone location data was exposed by Location… https://t.co/qsc7aP21RE — Zack Whittaker (@Zack Whittaker) 1526593269.0
However, Krebs's report also noted the inherent danger of third parties compromising customers' security.
But unless and until Congress and federal regulators make it more clear how and whether customer location information can be shared with third parties, mobile device customers may continue to have their location information potentially exposed by a host of third-party companies, Lacambra said.
@josephfcox It begs the question what audits carriers are undertaking. Accountability — Privacy Matters (@Privacy Matters) 1526593157.0
H/T - KrebsOnSecurity, Twitter