Bugs in a website allowed anyone to track the locations of mobile phone users in the USA, writes Brian Krebs. Data aggregator LocationSmart is a Californian business that can pinpoint AT&T, Sprint, T-Mobile and Verizon phones to within a few hundred yards of their location in the USA. The free demo service on the LocationSmart website allowed people to see the location of their own mobile phone after they submitted their name, email address and phone number. However, security researcher Robert Xiao found the website did not adequately prevent anonymous queries, meaning anyone with a modest knowledge of how to manipulate websites could have used LocationSmart’s service to locate anyone’s phone without needing to identify themselves.
LocationSmart have since disabled their demo. In a statement they asserted nobody but Xiao had used the exploit.
The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.
Earlier this month Motherboard reported on the hacking of a business which supplies mobile phone locations to US law enforcement bodies. The hacker’s actions highlighted both a lack of controls over who can obtain mobile phone location data, and the lax security of businesses that exploit it.
Only the terminally naive are still surprised by this kind of data breach. How many of us have attended events where a salesman has gleefully heralded the business opportunities created by gathering and responding to a customer’s movements? At some point the salesman will solemnly advise that privacy is important too. But the next sentence will return to the theme of how to make money. For 30 minutes of spiel about the value of location data, you will only hear 30 seconds of token reassurance about privacy. I expect this ratio is a useful guide to the amount of money and attention paid to privacy by the businesses so eager to sell the locations of users.
Until now, the people who sell your whereabouts have mostly talked about the location of your mobile phone. Thanks to the internet of things, we will soon have ten times as many devices whose locations can be tracked. From now on, the privacy issue is not whether you can keep your location a secret, but whether there will be any effective limits on who can find you.