Last week, the New York Times revealed that an obscure company called Securus was providing realtime location tracking to law enforcement, without checking the supposed “warrants” provided by cops, and that their system had been abused by a crooked sheriff to track his targets, including a judge (days later, a hacker showed that Securus’s security was terrible, and their service would be trivial to hack and abuse).
At the time, it was hard to understand how Securus was able to access location data from the carriers. Now we know.
Securus is a customer of a “marketing company” called Locationsmart that has contracts with the four largest US cellular carriers that allow it to pinpoint the location of any cellular phone in the USA or Canada, usually within seconds.
Locationsmart exploits a loophole in federal privacy law, which requires government agencies (including police forces) to get a warrant in order to retrieve location data from mobile carriers. The loophole, though, allows mobile carriers to sell this data to marketing companies like Locationsmart, who can sell that data to anyone they like — including the government entities who would need a warrant to get the same data from the carriers.
Locationsmart’s website included a demonstration service that allowed you to try out their location tracking for free: you entered a cellphone number, it texted a query to that number asking for permission to provide the phone’s location, and, if permission was given, it showed the web-user the phone’s location. The idea was that you could use it with your own phone number to see how the service worked.
But a Carnegie Mellon security researcher named Robert Xiao looked more closely and discovered that it was trivial to bypass the authentication/permission step in the demonstrator, allowing anyone in the world to track, in realtime, the location of anyone in the USA or Canada with nothing more than a phone number (Locationsmart took down the demo portal when they were contacted by security journalist Brian Krebs).
If you do business with the big four carriers — Verizon, Sprint, T-Mobile and AT&T — you “agreed” to let them sell this incredibly sensitive data to muppets like Locationsmart when you signed up for the service.
But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”
Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site [Brian Krebs/Krebs on Security]