Oops. Customers of all major US mobile carriers have their location data leaked without their consent
A major privacy breach has occurred in the United States, after a security researcher found that a website flaw accidentally revealed the location data of customers of all major American mobile operators.
The real-time location of 200 million Americans was revealed because of a fault with the website of a location monitoring company based in California. LocationSmart collects mobile phone location data, which it sells to businesses to help them keep track of employees and assets.
The US communications regulator has confirmed to Reuters that the FCC will investigate the matter.
The flaw was discovered by Robert Xiao, a security researcher and PhD student at Carnegie Mellon University, who reported the issue to security researcher and journalist Brian Krebs.
Xiao had experimented on a free demo tool that LocationSmart had made available on its Website for potential customers to try out its mobile location technology.
People could see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then text the phone number supplied by the user and requests permission to ping that device’s nearest cellular network tower.
Once that consent is obtained, LocationSmart can plot the coordinates on a Google Street View map.
But Xiao found that the LocationSmart tool fails to perform basic checks to prevent anonymous and unauthorised queries. This means that anyone reasonably technical could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups, all without ever having to supply a password or other credentials.
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao told Krebs. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”
Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. The researcher also apparently checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
“This is really creepy stuff,” Xiao said. It affects all customers of major US carriers, as well Telus Mobility in Canada.
KrebsOnSecurity said that it pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones, before the demo was taken offline.
Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of Krebs volunteers.
LocationSmart Founder and CEO Mario Proietti told Krebs that the company was investigating.
“We don’t give away data,” Proietti said. “We make it available for legitimate and authorised purposes. It’s based on legitimate and authorised use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”
LocationSmart spokeswoman Brenda Schafer told Reuters last Friday that the vulnerability “has been resolved and the demo has been disabled.”
Location data can be a valuable commodity. In 2016 researchers at Binghamton University developed a system for smartphones to prevent data about a user’s location from being leaked to those who may use it for malicious purposes.
The system, implemented as a smartphone application, helps to prevent location information such as local searches, GPS data and interactions with restaurant listings apps from falling into the hands of unauthorised third parties.
Do you know all about security? Try our quiz!