Flaw in webpage demo could have allowed anyone to track cellphones on major U.S. providers
LocationSmart, a company based in Carlsbad in San Diego County, collects real-time location data on wireless mobile devices. In a report published today, a computer science student said that a flaw in the company's website could have revealed to anyone the real-time location of any cellphone running on Verizon, AT&T, T-Mobile or Sprint. The information would have been accurate to within a few hundred yards.
If your first thought is to ask what purpose companies like LocationSmart serve: they sell location data to companies that want or need to track their employees. Another part of the business sends text messages about sales and discounts offered by a particular store to cellphone users who happen to be near or inside that store. LocationSmart's website lists clients such as AAA, FedEx and Allstate.
If this story sounds familiar, it's because last week we told you about Securus Technologies, a company that was used by a small-town sheriff to track cellphones belonging to the State Highway Patrol between 2014 and 2017 without a warrant. And there is a connection between the two stories: according to Sen. Ron Wyden (D-Ore.), Securus obtained its data from a company called 3Cinteractive, which is a customer of LocationSmart.
This past Wednesday, Carnegie Mellon University computer science student Robert Xiao found the flaw in LocationSmart's website. According to Xiao, the bug "allowed anyone, anywhere in the world, to look up the location of a U.S. cellphone. I could punch in any 10-digit phone number, and I could get anyone's location." The site was supposed to let consumers try out LocationSmart's service by typing in their own cell number and, after giving consent via a call or text, seeing their own location (again, to within a few hundred yards).
A flaw in LocationSmart's demo platform could have allowed anyone to track any cellphone running on Verizon, AT&T, T-Mobile or Sprint
Xiao discovered the flaw in LocationSmart's website in 15 minutes. The bug allowed him to bypass the consent step, which in principle would let him find the location of any phone using one of the four major wireless carriers in the United States. Even more worrying was his assessment that "It would not take anyone with sufficient technical knowledge much time to find this."
Verizon spokesman Rich Young said that Securus no longer has access to Verizon customers, and added that Verizon is scrutinizing its relationship with LocationSmart. AT&T and Sprint each said that they do not allow third-party companies to track subscribers without consent, a court order or a warrant.
Thanks to Xiao's discovery, LocationSmart took down the flawed page on its website Thursday. The site now carries a statement saying that the vulnerability in the "consent mechanism" of its online demo has been resolved and was not exploited prior to May 16th. LocationSmart says that no customer information was obtained without permission and adds that the demo has been disabled. The full statement is below.
"LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber. The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."-LocationSmart
source: LATimes