Little did consumers know that the smartphones they carried in their pockets also served as a tracking device, not just for phone companies, but for other users thanks to a buggy location demo service.
KrebsOnSecurity reported that a small company called LocationSmart – an aggregator of real-time data of the locations of cell phone users – was inadvertently allowing anyone with free access to the feature without passwords.
The service was enabled on AT&T, Sprint, T-Mobile, and Verizon devices and had the capability of tracking down customers within a few hundred-yard accuracy.
KrebsOnSecurity provided details on how the system works:
LocationSmart's demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device's nearest cellular network tower.
After LocationSmart receives consent from the user, they are sent latitudinal and longitudinal coordinates, via text, on Google Street View maps as confirmation.
Robert Xiao, a security researcher at Carnegie Mellon University found a way to avoid the authentication process after realizing that LocationSmart "failed to perform basic checks to prevent anonymous and unauthorized queries."
The system's flaw left anyone who is Internet savvy to abuse its function.
I stumbled upon this almost by accident, and it wasn't terribly hard to do. This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples' cell phone without their consent.
This is really creepy stuff.
LocationSmart's demo was taken offline on Thursday after the technical snafu.
The company's founder Mario Proietti had no intention for the service to be free, but was meant "for legitimate and authorized purposes."
It's based on legitimate and authorized use of location data that only takes place on consent.We take privacy seriously, and we'll review all facts and look into them.
The gaffe occurred after the New York Times reported on a little-known service called Securus that allowed law enforcers to track down anyone with a U.S.-based smartphone within seconds.
The service suffered a security breach leaking subscribers' usernames and passwords
Stephanie Lacambra from the Electronic Frontier Foundation said that wireless customers are obligated to location tracking enabling by their cellphone carriers by law. The function is relied upon for improving customer service as carriers use the information in the event of an emergency to comply with 911 regulations.
However, Krebs mentioned the inherent danger in third parties compromising customers' security.
But unless and until Congress and federal regulators make it more clear how and whether customer location information can be shared with third-parties, mobile device customers may continue to have their location information potentially exposed by a host of third-party companies, Lacambra said.
H/T - KrebsOnSecurity, Twitter
@islamoradalover/Bluesky
@hillbillybluedog/Bluesky
