LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones

Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in LocationSmart's website that made the real-time location of millions of phones readily available to anyone with the knowhow.

phones
For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing.

Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.

locationsmart demo

LocationSmart's since-removed trial page via Krebs on Security

The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada.

In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:

If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.

Upon discovering the vulnerability, Xiao immediately contacted the US-CERT to coordinate disclosure, and shared details with Brian Krebs, who published a story with further details on his blog Krebs on Security.

Xiao told Krebs that he was able to obtain the approximate longitude and latitude of five different people who agreed to be tracked, coming within 100 yards and 1.5 miles of their then-current locations, all in a matter of seconds. LocationSmart plotted the coordinates on a Google Street View map.

"I stumbled upon this almost by accident, and it wasn't terribly hard to do," Xiao said. "This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent."

Xiao said his tests showed he could reliably query LocationSmart's service to ping the cell phone tower closest to a subscriber's mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend's mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.

It's not clear exactly how long LocationSmart has offered its trial service or how long it has been vulnerable. Krebs linked to an archived version of the website that suggests it dates back to at least January 2017.

When reached for comment via phone, LocationSmart's founder and CEO Mario Proietti told Krebs that the company was investigating.

"We don't give away data," Proietti said. "We make it available for legitimate and authorized purposes. It's based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them."

A spokesperson for AT&T told Krebs that the carrier "does not permit the sharing of location information without customer consent or a demand from law enforcement," while Verizon, Sprint, and T-Mobile all pointed towards their privacy policies.

LocationSmart was already in the news prior to this relevation. The New York Times last week reported that Cory Hutcheson, a former Missouri sheriff, was charged with using a private service called Securus, which obtained data from LocationSmart, to track people's phones without court orders.

Those headlines are what prompted Xiao to poke around LocationSmart's website and ultimately discover this vulnerability. However, while the page has been taken down, it's unclear what steps will be taken next if any. At least one U.S. senator has urged the FCC to enforce stricter privacy laws on carriers.

More Coverage: A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations by ZDNet's Zack Whittaker

Update: The FCC's Enforcement Bureau has confirmed it will investigate LocationSmart, according to CNET.

Top Rated Comments

slimtastic Avatar
37 months ago
How on earth is this company gathering location data on everyone from each carrier? The carriers are really sharing this info with third-parties? Or am I missing something here? I was under the impression this was illegal.
Score: 12 Votes (Like | Disagree)
coolfactor Avatar
37 months ago
As a web software engineer, I'm always watchful for how requests to a server could be abused, and take a security-first approach. My software has multiple layers of checks and balances before a request for a resource is satisfied.

This company hired the wrong developer.
[doublepost=1526665215][/doublepost]
So to get this clear, its not a bug in the iPhone, but in a 3rd parties 3rd party service ?
That's correct.
Score: 12 Votes (Like | Disagree)
WannaGoMac Avatar
37 months ago
How are carriers allowed to just give my real time location to a 3rd party? Where can I remove my consent??
Score: 10 Votes (Like | Disagree)
Tech198 Avatar
37 months ago
There's a company like this..??
Score: 10 Votes (Like | Disagree)
Martin Bland Avatar
37 months ago
The question everyone should be asking is why do carriers think it is ok to sell customer location data. Where is the carrier contract fine print that allows this?

One more reason I would switch to an Apple mobile service. In a heartbeat.
Score: 9 Votes (Like | Disagree)
m4mario Avatar
37 months ago
What non sense? How can carriers share my location data? Or even think its ok to track it for themselves.
Score: 5 Votes (Like | Disagree)

Top Stories

microsoft edge ios android

Bill Gates Says His Preference for Android Over iPhone is Due to Pre-Installed Software

Friday February 26, 2021 3:35 am PST by
Microsoft co-founder Bill Gates this week participated in his first meeting on Clubhouse, the increasingly popular invite-only conversation app, where he fielded a range of questions as part of an ongoing book tour. Gates was interviewed by journalist Andrew Ross Sorkin, and given that the Clubhouse app is currently only available on iOS, naturally one of the questions that came up was...
Top Stories 47 Feature copy

Top Stories: MacBook Pro, iMac, and AirPods Rumors, macOS 11.2.2, MagSafe Wallet Revisited

Saturday February 27, 2021 6:00 am PST by
March is right around the corner, and that means our first good opportunity for Apple product launches in 2021 as the company frequently has significant launches in March or April each year. We're hearing rumors about MacBook Pro, iMac, AirPods, and more, although many of these will be coming out at different times over the course of the year. This week also saw a macOS update to address a ...
iphone 6 in hand

Apple Faces Another iPhone Lawsuit Over 'Programmed Obsolescence'

Monday March 1, 2021 6:44 am PST by
Apple faces a new class-action lawsuit that accuses it of deliberately releasing iOS updates that slowly reduce the performance of an iPhone, forcing customers to upgrade their devices. The lawsuit comes from the Portuguese Consumer Protection Agency, Deco Proteste (via Marketeer), which in a statement says that it will proceed with a case against the Cupertino tech giant because it...
maxresdefault

HomeKit Essentials Worth Checking Out

Saturday February 27, 2021 7:05 am PST by
HomeKit was slow to take off after its 2014 launch, but now that it's been around for seven years, there are hundreds of HomeKit products available, ranging from doorbells and speakers to TVs, lights, and cameras. In our latest YouTube video, we rounded up some of our favorite HomeKit products that we find most useful. Subscribe to the MacRumors YouTube channel for more videos. HomePod...
First Look Big Sur Feature2

Apple Releases macOS Big Sur 11.2.2 to Prevent MacBooks From Being Damaged by Third-Party Non-Compliant Docks

Thursday February 25, 2021 10:07 am PST by
Apple today released macOS Big Sur 11.2.2, the fourth update to the macOS Big Sur operating system that launched in November. macOS Big Sur 11.2.2 comes two weeks after the release of macOS Big Sur 11.2.1, a bug fix update. The new ‌‌‌‌macOS Big Sur‌‌‌ 11.2.2‌ update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences....
iphone 12 pro display video

iPhone 13 to Include 1TB Storage Option and LiDAR Across the Board, Says Wedbush Analyst

Monday March 1, 2021 4:00 am PST by
Apple's forthcoming iPhone 13 could include a 1TB storage option for some models and LiDAR Scanners across the entire lineup, according to a report from Wedbush analysts. In a new note to investors, seen by MacRumors, Wedbush analyst Daniel Ives said that initial Asian supply chain checks gave the firm "increased confidence" that Apple's 5G-driven product cycle would extend well into 2022,...
flat mbp 14 inch feature yellow

Redesigned 14-Inch MacBook Pro Expected to Feature Brighter Mini-LED Display With Slimmer Bezels and More

Thursday February 25, 2021 7:48 am PST by
Apple plans to unveil new 14-inch and 16-inch MacBook Pro models with Mini-LED-backlit displays in the second half of this year, according to industry sources cited by Taiwanese supply chain publication DigiTimes. The report claims that Radiant Opto-Electronics will be the exclusive supplier of the Mini-LED backlight units, while Quanta Computer is said to be tasked with final assembly of the...
mac mini developer transition kit photo feature

Apple Requiring Developers to Return DTK Mac Minis by March 31

Friday February 26, 2021 3:57 pm PST by
Apple today sent out emails to developers who are in possession of a Developer Transition Kit, asking them to return the machines by March 31. The Developer Transition Kits are Mac minis with A12Z chips that Apple provided for development purposes ahead of the release of the M1 Macs. Apple in the emails provided developers with shipping instructions, and plans to begin collecting the DTKs...
iphone 12 120hz thumbnail feature

Kuo: iPhone 13 Lineup to Feature Smaller Notch and Larger Batteries, 120Hz Display for Pro Models, and More

Monday March 1, 2021 7:50 am PST by
iPhone 13 models will all feature a smaller notch, while the two Pro models will be equipped with low-power LTPO display technology for a 120Hz refresh rate, analyst Ming-Chi Kuo said today in a research note obtained by MacRumors. Several other sources have previously claimed that some iPhone 13 models will support a 120Hz refresh rate, including display industry analyst Ross Young, leakers ...
unc0ver version 6 release

Jailbreak Tool 'unc0ver' 6.0.0 Released With iOS 14.3 Compatibility

Sunday February 28, 2021 9:26 am PST by
The team behind the "unc0ver" jailbreaking tool for iOS has released version 6.0.0 of its software, which can allegedly be used to jailbreak any device running iOS 11.0 through iOS 14.3 using a kernel vulnerability. The unc0ver website describes how the tool has been extensively tested across a range of iOS devices running various software versions, including an iPhone 12 Pro Max running iOS ...