On Tuesday we covered a disturbing story from the New York Times and ZDnet.com detailing how some of the country’s largest cellular providers have been selling your real-time location information, allowing a Texas-based prison technology company, Securus, to track any phone “within seconds” – all without a warrant – through an intermediary called LocationSmart.
Now, as KrebsOnSecurity reports (alongside a Motherboard story on a hacker who had broken into the Securus servers and stolen the usernames, email addresses, phone numbers and other information of 2,800 users, mostly law enforcement), it turns out that a flaw in LocationSmart’s tracking demo website gave anyone the ability to surveil anyone else’s cell phone on the open web.
Several hours before the Motherboard story went live, KrebsOnSecurity heard from Robert Xiao, a security researcher at Carnegie Mellon University who’d read the coverage of Securus and LocationSmart and had been poking around a demo tool that LocationSmart makes available on its Web site for potential customers to try out its mobile location technology. –KrebsOnSecurity
The demo, which has since been taken down, was a free service that would give anyone the approximate location of their own cell phones by entering their name, email address and phone number into a form. LocationSmart’s service would then text the supplied phone number and request permission to ping that device’s nearest cellular tower. Once consent was obtained, the service would then reveal the subscriber’s approximate latitude and longitude on a Google Street View map.
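The consent flow just described, modelled as an added example (not LocationSmart’s code): a minimal Python lookup service that records consent server-side, so an anonymous caller, a caller whose handset never replied, or a caller reusing an old consent gets nothing back. The phone number, tower coordinates and API key are constructed placeholders.

```python
import hmac
import secrets
import time
from types import SimpleNamespace
# Constructed sample data standing in for the carrier's tower lookup (hypothetical number).
TOWER_LOOKUP = {"+15550001111": (40.4433, -79.9436)}

class LocationService:
    # Consent-gated lookup. The server, not the caller, records whether the handset agreed;
    # every method returns None (a 403 in a real API) when a check fails.
    def __init__(self, send_sms):
        self.send_sms = send_sms
        self.pending = {}                              # request_id -> pending consent record
        self.api_keys = {"demo-key": "demo-account"}   # hypothetical customer credentials
    def start_lookup(self, api_key, phone):
        account = self.api_keys.get(api_key)
        if account is None:                            # anonymous callers never reach the carrier
            return None
        request_id, code = secrets.token_urlsafe(16), f"{secrets.randbelow(10**6):06d}"
        self.pending[request_id] = SimpleNamespace(phone=phone, code=code, account=account,
                                                   expires_at=time.time() + 300, confirmed=False)
        self.send_sms(phone, f"Reply {code} to share your approximate location")
        return request_id
    def confirm_from_handset(self, phone, code):
        # Called by the inbound-SMS webhook, so only whoever holds the phone can supply the code.
        for req in self.pending.values():
            if req.phone == phone and time.time() < req.expires_at and hmac.compare_digest(req.code, code):
                req.confirmed = True
                return True
        return False
    def get_location(self, api_key, request_id):
        req = self.pending.get(request_id)
        if req is None or req.account != self.api_keys.get(api_key):   # key must match the account that asked
            return None
        if not req.confirmed or time.time() >= req.expires_at:         # consent must be recorded server-side
            return None
        del self.pending[request_id]                   # one answer per consent, then forget it
        return TOWER_LOOKUP.get(req.phone)

def run_demo():
    sent, phone = [], "+15550001111"
    svc = LocationService(lambda to, text: sent.append((to, text)))   # captures the SMS instead of sending
    rid = svc.start_lookup("demo-key", phone)
    anon = svc.get_location("not-a-key", rid)         # valid request id, no account
    early = svc.get_location("demo-key", rid)          # right account, handset has not replied
    svc.confirm_from_handset(phone, sent[-1][1].split()[1])   # the handset reads its SMS and replies
    granted = svc.get_location("demo-key", rid)
    replay = svc.get_location("demo-key", rid)         # consent already consumed
    return {"anon": anon, "early": early, "granted": granted, "replay": replay}
```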
But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will,