A company that provides other companies with cell phone location-tracking services had an API on its website that inadvertently allowed anyone to freely look up the location of almost any cell phone in the United States.
The bug was in a demo that the company, LocationSmart, posted on its website. The demo was to show people that it could approximate their phones’ locations using nearby cell towers. A report published Thursday by independent security journalist Brian Krebs shows that it would have been easy for someone to abuse the demo to secretly locate nearly any U.S. phone.
LocationSmart is a location-as-a-service company that gives its customers the ability to “track assets, connect with employees and engage with customers through one secure interface,” according to its website.
The demo sent a text message to a device to get permission from its owner before pinging the nearest cell phone tower in order to send back an approximate location via Google Maps.
Krebs writes that Robert Xiao, a security researcher and Ph.D. candidate at Carnegie Mellon University, contacted him after discovering that the demo did not properly protect against unauthorized queries.
I discovered a bug in LocationSmart's API that allowed *anyone* to access *any phone's location* without any consent required. Works on major US carriers and even some Canadian ones. Utterly frightening stuff. Thanks @briankrebs for writing up the report. https://t.co/kdRVe9tthg
— Robert Xiao (@nneonneo) May 17, 2018
The problem was the demo’s insecure API, as detailed in a separate technical writeup posted by Xiao. A mildly savvy person could interact with the API in a way that skipped the consent step entirely, plugging in any phone number and retrieving the phone’s approximate geo-location without notifying the owner.
“In short, an unused location tracking mode in their locator demo did not properly validate that consent was received,” Xiao told CyberScoop in an email. “I estimate that it took me around 15 minutes to find and develop the exploit – not a long time at all. I would not consider it a hard bug to find.”
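To make the pattern Xiao describes concrete, here is an added illustration (not LocationSmart’s code and not Xiao’s exploit) of a locator backend in which the consent check is tied to one request mode, so a leftover, unused mode value routes around it. The hardened handler beside it checks consent unconditionally and rejects any mode it does not recognize. The mode names, phone numbers, the in-memory consent store and the fake carrier lookup are all assumptions constructed for the example.

```python
"""Hypothetical locator-demo backend with a consent bypass in an unused mode.

Added illustration only: this is not LocationSmart's code or Xiao's exploit.
The mode names, field names and the consent store are assumptions.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for the carrier's tower-based lookup.
CARRIER_LOCATIONS = {
    "+15555550100": (37.77, -122.42),
    "+15555550101": (40.71, -74.01),
}


class ConsentRequired(Exception):
    """Raised when a location is requested for a number that has not opted in."""


@dataclass
class Locator:
    # Consent state lives server-side, keyed by phone number. The token is
    # delivered to the handset by SMS, so a requester who only knows the
    # number never sees it.
    pending: dict = field(default_factory=dict)
    granted: set = field(default_factory=set)

    def send_consent_sms(self, phone: str) -> str:
        token = secrets.token_hex(8)
        self.pending[phone] = token
        return token  # returned only so the example can simulate the SMS

    def confirm_consent(self, phone: str, token: str) -> bool:
        expected = self.pending.get(phone)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        self.granted.add(phone)
        del self.pending[phone]
        return True

    def locate_vulnerable(self, phone: str, mode: str = "consent"):
        # BUG: the consent check is tied to the documented mode. A leftover,
        # "unused" mode value takes a code path that never checks consent, so
        # any caller who knows a phone number gets its location.
        if mode == "consent" and phone not in self.granted:
            raise ConsentRequired(phone)
        return CARRIER_LOCATIONS.get(phone)

    def locate_hardened(self, phone: str, mode: str = "consent"):
        # Fail closed on anything but the one supported mode, and check
        # consent unconditionally so no request parameter can route around it.
        if mode != "consent":
            raise ValueError(f"unsupported mode {mode!r}")
        if phone not in self.granted:
            raise ConsentRequired(phone)
        return CARRIER_LOCATIONS.get(phone)


def demo() -> dict:
    """Attacker with no SMS token against both handlers, then the legitimate flow."""
    svc = Locator()
    victim = "+15555550100"
    out = {}

    def attempt(name, fn, **kw):
        try:
            out[name] = fn(victim, **kw)
        except (ConsentRequired, ValueError) as exc:
            out[name] = type(exc).__name__

    attempt("vulnerable_default", svc.locate_vulnerable)
    attempt("vulnerable_unused_mode", svc.locate_vulnerable, mode="instant")
    attempt("hardened_default", svc.locate_hardened)
    attempt("hardened_unused_mode", svc.locate_hardened, mode="instant")

    # Legitimate flow: the owner receives the SMS token and confirms.
    token = svc.send_consent_sms(victim)
    svc.confirm_consent(victim, token)
    attempt("hardened_after_consent", svc.locate_hardened)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the comparison is that a consent gate has to sit on every path that reaches the carrier lookup, not on the one path the demo’s UI happens to exercise; any mode or flag the server does not explicitly support should be refused rather than allowed to fall through.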
LocationSmart has since taken down the demo. But Krebs writes that before that happened, he and Xiao were able to locate five people’s cell phones (with consent) within 100 yards to 1.5 miles using Xiao’s exploit.
A spokesperson for LocationSmart told CyberScoop by email that the vulnerability has been resolved, but did not say whether the company plans to republish the demo.
“We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission,” the spokesperson said. “LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.”
Xiao writes that he coordinated disclosure of the bug with US-CERT, the Department of Homeland Security’s cyberthreat alert division.
According to Krebs, Xiao’s attention was drawn to LocationSmart after ZDNet reported earlier this week that it provides data to Securus. Securus is a prison telephone service company that recently earned headlines because of location-tracking services it provides to law enforcement.
Incidentally, Securus was also recently hacked, as reported by Motherboard.
LocationSmart says on its website that it has “direct connections to the wireless carrier networks,” which it would need to provide the location services it advertises.
The nature of the company’s relationship with the carriers is unclear. Krebs writes that LocationSmart’s home page displayed the logos of all four major U.S. wireless carriers and several other technology companies. An archive of the website confirms that. However, as of this story’s publishing, the site no longer features those logos.
An AT&T spokesperson said in a statement: “We don’t permit sharing of location information without customer consent or a demand from law enforcement. If we learn that a vendor does not adhere to our policy we will take appropriate action.”
A spokesperson for Sprint similarly said: “We do not knowingly share personally identifiable geo-location information except with customer consent or in response to a lawful request such as a validated court order from law enforcement. If we become aware of any of our customers violating the terms of our contract, we will take immediate action.”
T-Mobile was a bit more direct about its relationship with Securus and LocationSmart.
A T-Mobile spokesperson said: “We take the privacy and security of our customers’ data very seriously. We have addressed issues that were identified with Securus and LocationSmart to ensure that such issues were resolved and our customers’ information is protected. We continue to investigate this.”
Verizon did not respond to a request for comment.
This story has been updated with quotes from LocationSmart and T-Mobile.