A troubling flaw in phone tracking company LocationSmart’s demo tool, used to advertise its services, let anyone take advantage of an easily exploited flaw to track phones from America’s top four carriers without the user’s consent or knowledge, according to KrebsOnSecurity. The demo site was reportedly taken down yesterday after Krebs contacted LocationSmart.
LocationSmart is the same company reportedly providing location data to Securus, which is named in an ongoing investigation surrounding the alleged abuse of its location tracking services by law enforcement and was recently the victim of a data breach that revealed login credentials among other information.
A New York Times report highlighted the use of Securus by former Missouri sheriff Corey Hutcheson, who allegedly used it to track other members of law enforcement. The company primarily advertises its inmate communication services, but also provides a cell phone tracking service powered by location data, normally used by marketing companies, from AT&T, T-Mobile, Verizon, and Sprint. Securus reportedly obtained its location data from 3Cinteractive which obtained its data from LocationSmart.
That brings us to LocationSmart, which advertises to businesses looking to monitor the location of their employees (gross). On its site, the company bills itself as a “Worldwide leader in Location APIs with a trusted enterprise mobility platform for verification, compliance, cybersecurity, proximity marketing and operational efficiencies.” Carnegie Mellon University researcher Robert Xiao discovered a flaw in LocationSmart’s demo tool, which asked users to enter a name and email address, as well as their own phone number. Users would receive a text from LocationSmart requesting location data, and receive their latitudinal and longitudinal coordinates on a Google Street View map.
The reported flaw existed thanks to some lax security when it came to requesting and verifying consent. Xiao says he was able to request the same location data in a different format, JSON, instead of XML, bypassing the consent requirement. According to Xiao, he then enlisted volunteers for testing, including a friend whose direction he was able to track by repeatedly requesting his location from LocationSmart’s demo. Xiao’s test reportedly revealed the location data to be accurate within 100 yards.
And no, you can’t put a tin foil hat on and use a flip phone instead of your iPhone X. “Note that because this is carrier-based, it works regardless of phone operating system or the privacy settings on the device itself,” Xiao said in his explanation. “There is no ability to opt-out.”
LocationSmart has since taken the demo tool offline, and told Krebs the company was investigating the issue. “We don’t give away data,” LocationSmart founder and CEO Mario Proietti told Krebs, saying said the company only makes data available for “legitimate and authorized purposes.”
We have reached out to LocationSmart for comment and will update this story if and when they respond.