LocationSmart website bug allowed anyone to view real-time location data of U.S. wireless customers


It was recently discovered that a bug in a particular website allowed anyone to see where a person and their cellphone were located.

LocationSmart is a company that provides location data to companies that can be used for things like tracking employees and mobile advertising. It offered a free demo on its website that allowed anyone to see the location of their phone by entering their name, email address, and phone number. LocationSmart would text the phone for permission to ping the phone’s nearest tower, and then the company would text the user with their approximate longitude and latitude.

However, security researcher Robert Xiao recently discovered a bug in the LocationSmart website that allowed anyone to track the location of any phone. Xiao found that the LocationSmart site did not perform checks to block anonymous queries, so he was able to retrieve the location of mobile phones without a password or any other authorization. In his testing, Xiao tracked a friend’s location several times over several minutes, and another test returned coordinates within 100 yards of the person’s actual location.
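To make the failure mode concrete, here is an added illustration (not LocationSmart’s code, which this article does not show) of a consent-gated lookup in the weak form described above and in a hardened form. It assumes a constructed in-memory table standing in for the carrier tower lookup and an in-memory consent store; the one-time code is returned only so the example runs offline.

```python
import hmac
import secrets
import time

# Constructed sample data: a phone number mapped to approximate coordinates of its
# nearest tower. Not a real subscriber or tower; stands in for the carrier lookup.
TOWER_DB = {"+15555550100": (47.6097, -122.3331)}


class ConsentStore:
    """Server-side record of which numbers have confirmed the SMS consent prompt."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # phone -> one-time code delivered by SMS
        self._granted = {}  # phone -> expiry time of a confirmed, unused consent

    def send_prompt(self, phone):
        """Issue a one-time code for the handset. Returned here only so the demo runs
        offline; a real service sends it by SMS and never hands it to the web client."""
        code = secrets.token_hex(3)
        self._pending[phone] = code
        return code

    def confirm(self, phone, code):
        """Called when the handset owner replies; a wrong code grants nothing."""
        expected = self._pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self._pending[phone]
        self._granted[phone] = self.clock() + self.ttl
        return True

    def consume(self, phone):
        """Use up a consent; False if none is on file or it has expired."""
        expiry = self._granted.pop(phone, None)
        return expiry is not None and self.clock() < expiry


def lookup_unchecked(phone):
    """Weak pattern: the lookup answers for any number regardless of consent, so the
    SMS prompt on the demo page is decoration rather than an access control."""
    return TOWER_DB.get(phone)


def lookup_with_consent(store, phone):
    """Hardened pattern: the lookup itself refuses unless a fresh, unused consent
    confirmed from the handset exists for exactly this number."""
    if not store.consume(phone):
        raise PermissionError("no valid consent on file for this number")
    return TOWER_DB.get(phone)
```

The point is that the check lives in the lookup path on the server, so a client that skips the consent step gets nothing, and a confirmed consent is single-use and time-limited.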

LocationSmart’s website includes mentions of all four major U.S. carriers as well as the likes of U.S. Cellular and Google.


The LocationSmart demo was taken offline shortly after the company was made aware of the bug this week. LocationSmart CEO Mario Proietti told KrebsOnSecurity that his company was investigating the issue, adding that LocationSmart makes data available “for legitimate and authorized purposes”. “We take privacy seriously and we’ll review all facts and look into them,” Proietti added.

Today the FCC said that it’s planning to investigate LocationSmart and its website flaw.

All of this news comes days after a similar location data incident. A company called Securus was obtaining location data from LocationSmart and, while Securus was primarily used to monitor phone calls to prison inmates, a former Mississippi County, Mo., sheriff used Securus to track the locations of other people’s cellphones without court orders.

When asked about these incidents, a T-Mobile spokesperson gave the following statement to FierceWireless:

“We take the privacy and security of our customers’ data very seriously. We have addressed issues that were identified with Securus and LocationSmart to ensure that such issues were resolved and our customers’ information remains protected. We continue to investigate this.”

Thanks, Casey!

Sources: KrebsOnSecurity, Robert Xiao, Reuters, The New York Times, FierceWireless


  • The Borg

    The only people worried about this are the ones who aren’t where they are supposed to be

    • Very appropriate username for this comment.

    • SirStephenH

      Like who, abused spouses, people being stalked, people being illegally tracked by the government, etc?

    • Clifton K. Morris

      There is quite a bit of personal data that people submit to providing to third parties with permission.

      For example, T-Mobile employees and those on a T-Mobile employee rateplan submit to allowing phone calls to be monitored and voicemail also.

      Additionally, T-Mobile customers may also have personal phone calls monitored and cross-referenced to GPS coordinates, often for network troubleshooting and “quality”. This rings true especially in areas where customers have filed complaints about quality or about making phone calls.

      Access to this data comes as part of consent to terms and conditions of any employee rateplan agreement or for customers, a cellular contract.

      In this situation, no consent was given, or asked for, which qualifies it as a “data breach” and that makes it very troubling. I have doubts it would survive an audit.

      This data is generally sold to tow truck providers, and road side assistance people, so chain of custody is likely managed as well as the website code.

  • Disqus5218

    “We take privacy seriously”… Really? Then close up shop, and fight to make doing what you do illegal.

    What if someone grabs a phone, affirms consent, then gives it back before someone can tell? This should be a no never forever. There’s apps that do this that you can turn off if you want. No way this should be legal.