Website Leaks User Locations for All US Mobile Networks

Bugs in a website allowed anyone to track the locations of mobile phone users in the USA, writes Brian Krebs. Data aggregator LocationSmart is a Californian business that can pinpoint AT&T, Sprint, T-Mobile and Verizon phones to within a few hundred yards of their location in the USA. The free demo service on the LocationSmart website allowed people to see the location of their own mobile phone after they submitted their name, email address and phone number. However, security researcher Robert Xiao found the website did not adequately prevent anonymous queries, meaning anyone with a modest knowledge of how to manipulate websites could have used LocationSmart’s service to locate anyone’s phone without needing to identify themselves.

LocationSmart have since disabled their demo. In a statement they asserted nobody but Xiao had used the exploit.

The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.

Earlier this month Motherboard reported on the hacking of a business which supplies mobile phone locations to US law enforcement bodies. The hacker’s actions highlighted both a lack of controls over who can obtain mobile phone location data, and the lax security of businesses that exploit it.

Only the terminally naive are still surprised by this kind of data breach. How many of us have attended events where a salesman has gleefully heralded the business opportunities created by gathering and responding to a customer’s movements? At some point the salesman will solemnly advise that privacy is important too. But the next sentence will return to the theme of how to make money. For 30 minutes of spiel about the value of location data, you will only hear 30 seconds of token reassurance about privacy. I expect this ratio is a useful guide to the amount of money and attention paid to privacy by the businesses so eager to sell the locations of users.

Until now, the people who sell your whereabouts have mostly talked about the location of your mobile phone. Thanks to the internet of things, we will soon have ten times as many devices whose locations can be tracked. From now on, the privacy issue is not whether you can keep your location a secret, but whether there will be any effective limits on who can find you.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.