Apple's colorful mainstream flagship, starting at $749.
LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones
Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in LocationSmart's website that made the real-time location of millions of phones readily available to anyone with the knowhow.
For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing.
Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.
LocationSmart's since-removed trial page via Krebs on Security
The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada.
In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:
Xiao told Krebs that he was able to obtain the approximate longitude and latitude of five different people who agreed to be tracked, coming within 100 yards and 1.5 miles of their then-current locations, all in a matter of seconds. LocationSmart plotted the coordinates on a Google Street View map.
When reached for comment via phone, LocationSmart's founder and CEO Mario Proietti told Krebs that the company was investigating.
LocationSmart was already in the news prior to this relevation. The New York Times last week reported that Cory Hutcheson, a former Missouri sheriff, was charged with using a private service called Securus, which obtained data from LocationSmart, to track people's phones without court orders.
Those headlines are what prompted Xiao to poke around LocationSmart's website and ultimately discover this vulnerability. However, while the page has been taken down, it's unclear what steps will be taken next if any. At least one U.S. senator has urged the FCC to enforce stricter privacy laws on carriers.
More Coverage: A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations by ZDNet's Zack Whittaker
Update: The FCC's Enforcement Bureau has confirmed it will investigate LocationSmart, according to CNET.
For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing.
Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.
The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada.
In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:
If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.Upon discovering the vulnerability, Xiao immediately contacted the US-CERT to coordinate disclosure, and shared details with Brian Krebs, who published a story with further details on his blog Krebs on Security.
Xiao told Krebs that he was able to obtain the approximate longitude and latitude of five different people who agreed to be tracked, coming within 100 yards and 1.5 miles of their then-current locations, all in a matter of seconds. LocationSmart plotted the coordinates on a Google Street View map.
"I stumbled upon this almost by accident, and it wasn't terribly hard to do," Xiao said. "This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent."It's not clear exactly how long LocationSmart has offered its trial service or how long it has been vulnerable. Krebs linked to an archived version of the website that suggests it dates back to at least January 2017.
Xiao said his tests showed he could reliably query LocationSmart's service to ping the cell phone tower closest to a subscriber's mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend's mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.
When reached for comment via phone, LocationSmart's founder and CEO Mario Proietti told Krebs that the company was investigating.
"We don't give away data," Proietti said. "We make it available for legitimate and authorized purposes. It's based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them."A spokesperson for AT&T told Krebs that the carrier "does not permit the sharing of location information without customer consent or a demand from law enforcement," while Verizon, Sprint, and T-Mobile all pointed towards their privacy policies.
LocationSmart was already in the news prior to this relevation. The New York Times last week reported that Cory Hutcheson, a former Missouri sheriff, was charged with using a private service called Securus, which obtained data from LocationSmart, to track people's phones without court orders.
Those headlines are what prompted Xiao to poke around LocationSmart's website and ultimately discover this vulnerability. However, while the page has been taken down, it's unclear what steps will be taken next if any. At least one U.S. senator has urged the FCC to enforce stricter privacy laws on carriers.
More Coverage: A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations by ZDNet's Zack Whittaker
Update: The FCC's Enforcement Bureau has confirmed it will investigate LocationSmart, according to CNET.
Tag: security
[ 73 comments ]
Top Rated Comments
(View all)
22 weeks ago
How on earth is this company gathering location data on everyone from each carrier? The carriers are really sharing this info with third-parties? Or am I missing something here? I was under the impression this was illegal.
22 weeks ago
As a web software engineer, I'm always watchful for how requests to a server could be abused, and take a security-first approach. My software has multiple layers of checks and balances before a request for a resource is satisfied.
This company hired the wrong developer.
[doublepost=1526665215][/doublepost]
That's correct.
This company hired the wrong developer.
[doublepost=1526665215][/doublepost]
So to get this clear, its not a bug in the iPhone, but in a 3rd parties 3rd party service ?
That's correct.
22 weeks ago
How are carriers allowed to just give my real time location to a 3rd party? Where can I remove my consent??
22 weeks ago
The question everyone should be asking is why do carriers think it is ok to sell customer location data. Where is the carrier contract fine print that allows this?
One more reason I would switch to an Apple mobile service. In a heartbeat.
One more reason I would switch to an Apple mobile service. In a heartbeat.
22 weeks ago
What non sense? How can carriers share my location data? Or even think its ok to track it for themselves.
22 weeks ago
Seems like if you take my location (or my height, hair colour or pizza preference) and tie it in a 1:1 relationship with my cell phone number you've created a direct association with me, an individual. Isn't that why Apple makes such a stink all the time about anonymized, hashed device IDs when they talk Siri queries? Maybe I've misunderstood?
that does not, on its own, permit direct associationI think you have misunderstood. Well, more so conflated than misunderstood. Look at it this way.
Apple collects data about you. Data they classify as personal and non-personal. Location data along with a ton of other data points, is classified as non-personal. Apple tells you they can do whatever they want with that data, including sharing it. On its own, one of those data points may not be able to permit direct association. Collectively, and with other data... say I provide a telephone number to go with that Apple data and LocationSmart adds that to data they've collected from other sources...
Apple's privacy policy covers Apple. It doesn't cover 3rd party Apple partners. A lot of us assumes it does. That same privacy policy tells us it doesn't, but we (collectively) don't read it and assume phrases like "We don't sell your data" and "You are not the product" mean something they don't.
Apple making a stink (just borrowing your phrase) about privacy related to Siri queries can't be conflated with Apple's policies regarding other parts of their operation. Apple hashing device ID's on Siri queries doesn't negate what their privacy policy says they can do with data.
22 weeks ago
PSA: There seems to be a lot of people in this thread who are astounded and horrified their location data is being shared. Apparently, without their consent. Fear not, it isn't without your consent. You've given your consent AND the location data isn't considered personal data. All phone makers, from Apple to Google to Samsung and everyone else tell you specifically and explicitly that your location data is not your personal data. I only briefly checked Sprint, but I'd bet all my money the other carriers consider location data non-personal as well.
As an example here is Apple's version (emphasis mine):
We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:
* We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
Google's version? Basically the same. Samsung? Ditto Microsoft? Yerp.
tl;dr We give them the right to do what they do.
As an example here is Apple's version (emphasis mine):
We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:
* We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
Google's version? Basically the same. Samsung? Ditto Microsoft? Yerp.
tl;dr We give them the right to do what they do.
22 weeks ago
So to get this clear, its not a bug in the iPhone, but in a 3rd parties 3rd party service ?
22 weeks ago
You would probably need to dissolve yourself from your carrier.
[doublepost=1526670250][/doublepost]
Use a good VPN service.
VPN service wont stop the cell tower based tracking.
[ Read All Comments ]
Apple today sent out emails highlighting its latest Apple Pay promotion, which offers Apple Pay users a $25 coupon after they spend $100 at Oakley.com.
To get the reward, users must make...
Payments company Square today announced the launch of a new point-of-sale hardware device called "Terminal," which combines NFC, credit/debit card swiping, and chip-based payments all in one...
The newest version of the popular Tweetbot Twitter app for iOS devices launched this morning, introducing a revamped look for the app along with several new features.
Tweetbot 5's new look...
Startup Beddr today launched the "SleepTuner," the first FDA-registered consumer sleep wearable that helps to assess and improve sleep quality. SleepTuner is a small accessory (about the size...
In iOS 12, Apple added several new ways for users to control how and when they receive app notifications, including the ability to group notifications and change their behavior on the fly with...
Popular image editing app Pixelmator Pro was today updated to version 1.2, which adds full support for macOS Mojave, a new light mode, faster machine learning tools, and more.
The update...
Spotify has announced a major update to its mobile apps for users with a Premium subscription to the service, including an overhauled radio feature and changes to the onscreen navigation controls and...
Mophie today announced the launch of the new Powerstation USB-C 3XL, which has been designed to charge Apple's line of MacBook devices.
The fabric-covered Powerstation USB-C 3XL includes a...
