A cell-phone tracking service called LocationSmart reportedly made anyone’s location available for the asking through a flaw in a public demo website.
The site was designed to require a user to opt in through their phone before disclosing their location, but an apparent error in an API it used made it possible for anyone to get anyone else’s geographic coordinates without their consent, simply by asking for the data in a particular format, according to a blog post by Robert Xiao, the Carnegie Mellon University researcher who spotted the bug.
“That’s all,” he wrote. “The entire consent process is bypassed and you have the phone’s location.”
Under normal circumstances, the demo will only track phones in real time after receiving opt-in consent from the phone’s user via an automated text message or phone call. But using the application programming interface (API) that powers the demo, Xiao requested a phone number’s location in JSON format, instead of the default XML format.
“For some reason,” he writes, “this also suppresses the consent (“subscription”) check,” a bit of code the API typically uses to require that consent has been obtained. In return, Xiao received a page with the phone’s latitude and longitude.
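The failure Xiao describes is a familiar one: an authorization step (here, the consent or "subscription" check) implemented inside one response path rather than once, ahead of any branching on presentation details, so a second path added later simply never runs it. The following is an added, hypothetical Python sketch of that pattern and its fix; it is not LocationSmart's code and does not reproduce Xiao's actual request. The phone numbers, coordinates, function names and handler structure are all assumed for illustration.

```python
"""Consent-gated location lookup, vulnerable and hardened (constructed example).

Everything here is assumed: the data, the names and the handler layout are
illustrative, not LocationSmart's implementation or Robert Xiao's findings.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample state. In the real service a "subscription" would exist
# only after the subscriber approved an SMS or voice prompt.
CONSENTED = {"+15555550100"}                 # numbers that opted in
LOCATIONS = {                                # assumed carrier lookups
    "+15555550100": (40.4433, -79.9436),
    "+15555550199": (37.7749, -122.4194),    # this number never consented
}


class ConsentRequired(Exception):
    """Raised when a lookup is attempted without an opt-in on record."""


def _lookup(msisdn):
    """Fetch the (assumed) carrier fix for a number; no authorization here."""
    try:
        lat, lon = LOCATIONS[msisdn]
    except KeyError:
        raise LookupError(f"no location for {msisdn}") from None
    return {"msisdn": msisdn, "latitude": lat, "longitude": lon}


def _render_xml(rec):
    root = ET.Element("location")
    for key, value in rec.items():
        ET.SubElement(root, key).text = str(value)
    return ET.tostring(root, encoding="unicode")


def _render_json(rec):
    return json.dumps(rec)


RENDERERS = {"xml": _render_xml, "json": _render_json}


def vulnerable_locate(msisdn, fmt="xml"):
    """Bug pattern: the consent check is tied to the default output format.

    The XML path (the one the demo page uses) enforces consent; the JSON
    path never calls it, so asking for JSON skips consent entirely.
    """
    if fmt == "xml":
        if msisdn not in CONSENTED:
            raise ConsentRequired(msisdn)
        return _render_xml(_lookup(msisdn))
    if fmt == "json":
        # Consent check missing here: any caller gets the fix.
        return _render_json(_lookup(msisdn))
    raise ValueError(f"unsupported format {fmt!r}")


def hardened_locate(msisdn, fmt="xml"):
    """Fix: authorize once, before any branching on how the answer is encoded."""
    if msisdn not in CONSENTED:
        raise ConsentRequired(msisdn)
    try:
        render = RENDERERS[fmt]
    except KeyError:
        raise ValueError(f"unsupported format {fmt!r}") from None
    return render(_lookup(msisdn))


def consent_bypassed(locate, msisdn="+15555550199"):
    """True if `locate` hands out a non-consented number's fix in any format.

    This is the regression check a reviewer would want: walk every supported
    format and confirm none of them returns data without consent.
    """
    for fmt in RENDERERS:
        try:
            locate(msisdn, fmt)
            return True
        except ConsentRequired:
            continue
    return False


if __name__ == "__main__":
    print("vulnerable bypassed:", consent_bypassed(vulnerable_locate))  # True
    print("hardened bypassed:  ", consent_bypassed(hardened_locate))    # False
```

The useful habit is the one in `hardened_locate`: decide authorization before selecting a renderer, and keep a test like `consent_bypassed` that enumerates every supported format, so a newly added encoding cannot quietly become an unauthenticated path.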
Location information was available for subscribers to at least the four largest U.S. carriers–Verizon, AT&T, T-Mobile, and Sprint–according to KrebsOnSecurity, which first reported the story. LocationSmart told KrebsOnSecurity the company was investigating the matter and didn’t immediately respond to an inquiry from Fast Company. By Thursday, the location-tracking demo page was no longer online.
“We take privacy seriously, and we’ll review all facts and look into them,” CEO Mario Proietti told KrebsOnSecurity.
LocationSmart has been in the news lately after reports that phone carriers make real-time subscriber location data available to law enforcement through the company. A former Missouri sheriff has pleaded not guilty to illegal surveillance charges; he allegedly used location data, reportedly obtained through the law enforcement technology company Securus, which in turn got it from LocationSmart, to track people illegally.
States vary as to whether a warrant is needed to access that kind of data. But Kevin Bankston, director of New America’s Open Technology Institute, told ZDNet it’s generally not illegal for cell carriers to share the data with other companies, even if those companies in turn share it with the government. Consumers, meanwhile, have no ability to opt out.
Legislators and activists have called for tighter and more uniform regulation of cell-phone data. Senator Ron Wyden sent a letter to FCC Chairman Ajit Pai last week asking that the FCC investigate the matter. “I am also asking the major wireless carriers to investigate their own practices and the obvious potential for abuse,” the Oregon Democrat wrote.
Securus, which is also known for providing telecom service in prisons and jails, was itself hacked back in 2015, exposing 70 million prisoner phone calls, The Intercept reported at the time, and again more recently, with a hacker apparently extracting contact data for law enforcement officials, Motherboard reported this week. The company said it’s investigating. With the swell of revelations and exposures, expect many others to be investigating, too.