Company Selling Real-Time Cell Phone Tracking Ends Up Leaking Location Data

On Tuesday we covered a disturbing story from the New York Times and ZDnet.com detailing how some of the country's largest cellular providers have been selling your real-time location information, allowing a Texas-based prison technology company, Securus, to track any phone "within seconds" - all without a warrant - through an intermediary called LocationSmart. 

Now, as KrebsOnSecurity reports, in addition to a story from Motherboard on a hacker which had broken into the Securus servers and stolen the usernames, email addresses, phone numbers and other information of 2,800 users - mostly law enforcement, it turns out that a flaw in LocationSmart's tracking demo website gave anyone the ability to surveil anyone else's cell phone on the open web.

Several hours before the Motherboard story went live, KrebsOnSecurity heard from Robert Xiao, a security researcher at Carnegie Mellon University who’d read the coverage of Securus and LocationSmart and had been poking around a demo tool that LocationSmart makes available on its Web site for potential customers to try out its mobile location technology. -KrebsOnSecurity

The demo, which has since been taken down, was a free service that would give anyone the approximate location of their own cell phones by entering their name, email address and phone number into a form. LocationSmart's service would then text the supplied phone number and request permission to ping that device's nearest cellular tower. Once consent was obtained, the service would then reveal the subscriber's approximate latitude and longitude on a Google Street View map. 

As Krebs notes, "It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information." 

But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”

Xiao's tests showed that he could easily command LocationSmart's service to ping the closest cell phone tower to a subscriber's mobile device. He says he checked a friend's cell phone number multiple times over a few minutes while that friend was moving - and he was able to manually plug the provided coordinates into Google Maps to track his directional movement. 

“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one Telus Mobility mobile customer in Canada who volunteered to be found. (Krebs)

Before LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of my sources.

One of the queries "came within 100 yards of their then-current location" says Krebs, while another was 1.5 miles away. The remaining participants in the test say that the results were accurate to approximately 1/5 to 1/3 of a mile at the time. 

When Krebs reached out to LocationSmart Founder and CEO Mario Proietti, he said that the company was investigating. 

“We don’t give away data,” Proietti said. “We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”

It’s not clear exactly how long LocationSmart has offered its demo service or for how long the service has been so permissive; this link from archive.org suggests it dates back to at least January 2017. This link from The Internet Archive suggests the service may have existed under a different company name — loc-aid.com — since mid-2011, but it’s unclear if that service used the same code. Loc-aid.com is one of four other sites hosted on the same server as locationsmart.com, according to Domaintools.com. -KrebsOnSecurity

***

Last week Sen. Ron Wyden (D-OR) sent a letter to the FCC demanding an investigation into Securus, after the New York Times revealed that former Mississippi County sheriff Cory Hutcheson used the service almost a dozen time to track the phones of other officers, and even targeted a judge

Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases. -NYT

Hutcheson has pleaded not guilty to charges of unlawful surveillance. 

How did this happen?

How is it that LocationSmart obtained real time location data on millions of Americans? Moreover, who else has access to that information?

Kevin Blankston, director of New America's Open Technology Institute told ZDNet in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It does not restrict carriers from disclosing information to other companies - a loophole Blankston calls "one of the biggest gaps in US privacy law.

"The issue doesn't appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this," he said.

LocationSmart, a California-based technology company, is one of a handful of so-called data aggregators. It claimed to have "direct connections" to cell carrier networks to obtain real-time cell phone location data from nearby cell towers. It's less accurate than using GPS, but cell tower data won't drain a phone battery and doesn't require a user to install an app. Verizon, one of many cell carriers that sells access to its vast amounts of customer location data, counts LocationSmart as a close partner. -ZD Net

LocationSmart boasts coverage of 85 percent of the country due to its relationships with major US carriers - including Virgin, Boost, MetroPCS and US Cellular, along with Canadian providers Rogers, Telus and Bell.

We utilize the same technology used to enable emergency assistance and this includes cell tower and cell sector location, assisted GPS and cell tower trilateration," said a case study on the company's website.

"With these location sources, we are able to locate virtually any US based mobile devices," the company claimed. The precise location of a target can be returned in as little as 15 seconds, according to a different study.

ZDNet reached out to carriers for comments. What follows is their responses:

Sprint spokesperson Lisa Belot said the company shares personally identifiable location data "only with customer consent or in response to a lawful request such as a validated court order from law enforcement."

The company's privacy policy, which governs customer consent, said third-parties may collect customers' personal data, "including location information."

Sprint said the company's relationship with Securus "does not include data sharing," and is limited "to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities."

When asked the same questions, Verizon spokesperson Rich Young provided a boilerplate response regarding Securus and would not comment further.

"We're still trying to verify their activities, but if this company is, in fact, doing this with our customers' data, we will take steps to stop it," he said.

AT&T spokesperson Jim Greer said in a statement: "We have a best practices approach to handling our customers' data. We are aware of the letter and will provide a response." Our questions were also not answered.

A spokesperson for T-Mobile did not respond by our deadline.

"It's important for us to close off that potential loophole and that can easily be done with one line of legislative language," said Bankston, "which would also have the benefit of making every other company careful about always getting consent before disclosing your data to anyone."

Senator Wyden has called on each carrier to stop sharing data with third parties - arguing that it "skirts wireless carriers' legal obligation to be the sole conduit by which the government may conduct surveillance of Americans' phone records."

Comments

RedBaron616 Automatic Choke Sat, 05/19/2018 - 07:11 Permalink

Simply disable GPS. Sure, if they really want your data, they can triangulate between towers, but that would only be used if the cops were looking for you. This kind of automated selling of data is catching the low-hanging fruit meaning phones with GPS enabled. I have had GPS disabled since I got a smart phone 3 years ago. Sure, it is a little inconvenient sometimes, but nothing I can't live with.

In reply to by Automatic Choke

Chief Joesph Fri, 05/18/2018 - 21:46 Permalink

Oh Sure, they do not "give-away" your information.  They sell it.  It's just a matter of "semantics".  Still, you are a commodity to sell, otherwise, they wouldn't be in the business. 

LetThemEatRand Fri, 05/18/2018 - 21:58 Permalink

Private companies don't need a warrant because they are ... private companies.  The Constitution does not apply.  Of course the private company's information can be subpoened by the government, because whatever right to privacy existed for the "subject" before, went away when the information was transmitted to a private third party.

 

Crawdaddy Fri, 05/18/2018 - 22:08 Permalink

What a happy accident! Oops we tracked your ass and built a life long behavioral profile that tells us each and every proclivity. Purely accidental we promise. Democracy!

 

Remember to thank your heroes!

VoteSmarts Fri, 05/18/2018 - 22:15 Permalink

Somewhat wryly amusing: Previous ASUS Zen cellphone Melted its micro-USB charger port and three cords connected as replacements in sequence before problem was ah, noticed. Prior to, the google -everything apps had been turned off, including Location Tracker which would Help me find the device if *misplaced; o, and help me find GPS-ID sites based on either current location or keyed-in destination. The ASUS mfr requires IEMI and/or SN to begin analysis of problem, much less a repair. Bah, said I; other mfrs of cell phones. So, replacement acquired and what do ya know, Location Tracker is available to help locate the device in case of misplacement.  I may have to look into smoke signals again in case -google apps built in a self-destruct mechanism for *failure to cooperate with the, er, over-looking [ah, features].

Ms No Fri, 05/18/2018 - 22:18 Permalink

As soon as I don't need navigation I am going back to my ancient and magnificent flip phone.  Verizon is the biggest POS company.  They are overcharging everybody like a mofo for data and data overcharges now.  I had a sweet contract that they didn't offer any more and some punk eunuch took me off of it when I called to ask a question and I have been fucked ever since.  I never gave them permission to do that.  The eunuch told me "Wow, we don't even offer that plan anymore."  I said "Don't touch it."  The dickless bastard screwed me. 

That's fine, I'm writing my phone bill and overage charges off this year then I am bouncing forever.  I haven't been screwed this bad since the old Sprint and Blockbuster late fees days.   I suppose the same bastards own majority shares of AT&T.  Maybe I'll get a drug dealer pre-paid phone.

Long story short, if you are getting a good deal on your spy apparatus do not call the phone company for anything. 

VoteSmarts Ms No Sat, 05/19/2018 - 07:56 Permalink

I've only second-hand experience with Verizon, but your post reminded me of a smilar situation with *my credit union: A presumably young rep exclaimed, O You've had that account a long time, and we don't offer it anymore! I had attempted to order more checks. The doofus mentality may be more dangerous than one can espy. [Look it up;-]

In reply to by Ms No

Utopia Planitia Sat, 05/19/2018 - 02:12 Permalink

This should serve as a warning for each and every piece of software that you use. Software programming standards are essentially nonexistent (despite what the industry will tell you).  I have worked in numerous software development shops, and this reflects the typical lackadaisical attitude of the entire chain of people involved - exec mgt, line mgt, team leads, programmers, product mgt, bus devl, even testing, etc.  On rare occasion somebody will ask a good question, and typically they are instantly hammered down with an excuse along the lines that "it is not your concern". If they bring it up a second time they are gone.

Probably the demo app was thrown together to run on a standalone machine not connected to the interweb.  And somebody (a typical ignoramus) decided to throw it out to the public without performing any due diligence.

Every piece of crap software you encounter is highly likely to enable this sort of abuse.  Don't forget, and stay vigilant.

buzzsaw99 Sat, 05/19/2018 - 08:21 Permalink

this is why congress is so afraid all the time.  they know everything about you.

It's what people know about themselves inside that makes 'em afraid.  [/high plains drifter]