LocationSmart Vulnerability Allowed Millions Of U.S. Carrier Customers To Be Tracked Without Consent
There are all kinds of ways that information about us can be leaked or stolen, and unfortunately, that is seemingly proven on a daily basis.
Of all the bits of information that can go missing, our location data is perhaps the most worrying. According to Robert Xiao, a computer science student at Carnegie Mellon, a vulnerability in LocationSmart’s website has made the real-time location of million of phones available to anyone who knows how to access it. That’s bad news indeed.
If you’re unfamiliar with the name LocationSmart, that’s no real surprise. That doesn’t mean it’s a small time company, though, and it’s used by major phone carriers to collect location data from their users. Those include Sprint, Verizon, AT&T, and T-Mobile in the United States with that data then being sold to other companies for all manner of uses including for so-called cybersecurity. None of that matters when the data can be accessed by people who shouldn’t have access to it in the first place, though, and that’s exactly what is going on here.
The issue, according to Xiao, is that the website has a bug that enables anyone with the required knowledge to bypass the phone number verification process, giving them free reign and unfettered access to the real-time location of users across multiple carriers in both the United States and Canada.
If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.
Once the flaw was spotted, Xiao made it available to both the US-CERT and Brian Krebs who subsequently covered it on his blog, Krebs on Security. Here, Xiao explained how he was able to use the flaw to find the approximate longitude and latitude of multiple people who agreed to be tracked, to within 100 yards and 1.5 miles of their then-current locations. That, if nothing else, is terrifying.
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”
Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
The impacted web page is currently offline, although it’s unclear whether it will return and if so, whether the issue will have been sufficiently fixed before anything malicious can come of it.