LocationSmart is a location-tracking services company that seems to have deals in place with all the major U.S. and Canadian carriers to share people’s locations based on cell tower triangulation with both private companies and law enforcement. The company’s service has turned controversial lately now that more people have discovered how its services could be abused by both hackers and law enforcement.
The most recent issue is about a vulnerability in LocationSmart's demo API, which could have exposed anyone's real-time location to hackers. However, even without this vulnerability, any LocationSmart customer would still be able to gain access to the same type of information.
Carriers Are Sharing Your Location Data With Others
Although the story revolves around LocationSmart, the real story here is that carriers have been sharing your real-time location data with basically anyone that asks for it. LocationSmart just happens to be one of the more prominent clients that has also gotten some recent media attention.
This sort of sharing wouldn’t be permissible under the General Data Protection Regulation (GDPR), which will go into effect at the end of this month. It’s also not clear whether or not Senator Ed Markey’s “Consent Act” would put an end to this type of practice, as it specifically targets “edge providers.”
As a web service, LocationSmart may fall under that category, but on the other hand, unless the law is clear, the company could also claim that it works with carrier data at the network level, so it could also be exempt from the Consent Act as it is currently written.
LocationSmart’s Data Leak
Security researcher Robert Xiao, from Carnegie Mellon University, identified a vulnerability in LocationSmart’s service on May 16. This bug resulted from the fact that the company has been offering a test API for potential enterprise customers and showing them how they could approximate someone’s location based on cell tower data.
However, Xiao, and later Brian Krebs, discovered that anyone could have abused the service to locate nearly any U.S. phone. According to Xiao, the bug took minutes to exploit because it failed to perform basic checks to prevent anonymous and unauthorized queries.
Xiao told Krebs:
I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.
LocationSmart And Securus Technologies
Last week, the New York Times published a report on Securus Technologies, another location-tracking service, which has been giving law enforcement access to anyone’s location, without any court order or warrant.
Earlier this week, there was another report saying that Securus has been using LocationSmart’s data. Just a day later, a hacker was able to break into LocationSmart’s servers and steal 2,800 usernames, email addresses, phone numbers, and hashed passwords of authorized Securus users. Most of the stolen credentials belonged to law enforcement officers. Hours earlier, Xiao had contacted US CERT and Krebs about the bug he found in LocationSmart’s services.
You Can’t Opt Out
Because the LocationSmart service is carrier-based, your phone’s operating system or privacy settings are irrelevant, and you also don’t have any ability to opt out of the service.
Stephanie Lacambra, a staff attorney with the EFF, said:
This is precisely why we have lobbied so hard for robust privacy protections for location information. It really should be only that law enforcement is required to get a warrant for this stuff, and that’s the rule we’ve been trying to push for.
Senator Wyden added that:
The location aggregation industry has operated with essentially no oversight by the Federal Communications Commission. The only real surprise is that it took this long for the public to learn that the wireless carriers and their business partners were demonstrating such a total disregard for Americans’ privacy and safety. I’m pleased the FCC is opening an investigation into the reported data leak by LocationSmart.
The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk. I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans.
Xiao also warned that more wireless customer location leaks such as the ones happening to LocationSmart and Securus are inevitable, as long as the carriers continue to give third parties direct access to their customers’ real-time location information.