Real-Time Mobile Phone Location Tracking: Questions Mount
After Securus Technologies Gets Hacked, LocationSmart Fixes Data-Exposing Flaw
LocationSmart, which tracks and sells the location of mobile phone users, says that it's fixed an application programming interface error on its website that could be used to track any user of a mobile device registered via a major U.S. cellular carrier.
News of the flaw in the Carlsbad, California-based firm's website was first reported Thursday by cybersecurity blogger Brian Krebs, who said that Robert Xiao, a security researcher at Carnegie Mellon University, had found that a demo on LocationSmart's website could be easily abused to reveal location data for U.S. mobile phones.
"I stumbled upon this almost by accident, and it wasn't terribly hard to do," Xiao, a Ph.D. candidate at CMU's Human-Computer Interaction Institute, told Krebs. "This is something anyone could discover with minimal effort. And the gist of it is I can track most people's cell phone without their consent."
Xiao said that, with several friends' permission, he verified that he was able to use the service to track them; across several attempts, the results ranged from 100 yards to 1.5 miles away from their actual location at the time.
LocationSmart has been in the news in recent days, since ZDNet reported that the company supplied data to Securus Technologies, which itself has been in the news after it was allegedly abused by a former Missouri sheriff to track judges and law enforcement agents.
Securus Technologies facilitates calls to prison inmates as well as monitoring of those calls for thousands of U.S. jails and prisons. But the company also offers mobile phone location tracking for every major U.S. wireless carrier, and reportedly obtains this data via LocationSmart.
LocationSmart Sees No Exploits
LocationSmart bills itself as a location-as-a-service provider. It offers both a service as well as an application programming interface, or API, designed to provide real-time information on the location of mobile devices.
"LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers," spokeswoman Brenda Schafer tells Information Security Media Group. "All disclosure of location data through LocationSmart's platform relies on consent first being received from the individual subscriber."
The flaw found by Xiao has been fixed, LocationSmart says.
"The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo, has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission," LocationSmart's Schafer tells ISMG.
"On that day, as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability," she says. "Based on Mr. Xiao's public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber's location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."
LocationSmart declined to comment on questions concerning its relationship with Securus.
But founder and CEO Mario Proietti told Krebs that his company is investigating the reports. "We don't give away data," Proietti told Krebs. "We make it available for legitimate and authorized purposes. It's based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we'll review all facts and look into them."
Questions concerning how U.S. firms access, sell and share location-tracking information for U.S. mobile phone users continue to mount.
On May 10, The New York Times reported that charges have been filed against Cory Hutcheson, the former sheriff in Missouri's Mississippi County, accusing him of using Securus at least 11 times to track a number of targets, including a judge and members of the State Highway Patrol. Hutcheson has pleaded not guilty. He was reportedly dismissed from his job as sheriff as a result of an unrelated matter.
Securus has said that all law enforcement users are supposed to upload a court order, warrant or affidavit justifying any request they have to track a mobile phone number.
Securus didn't immediately respond to a request for comment.
On May 8, Sen. Ron Wyden, D-Oregon, wrote to Ajit Pai, chairman of the Federal Communications Commission, requesting that he investigate how Securus obtains and offers real-time location tracking information for mobile phone subscribers to government users via a self-service portal, in exchange for nothing more than a "pinky promise" that they have a legal right to access the information.
Wyden wrote: "This practice skirts wireless carriers' legal obligation to be the sole conduit by which the government conducts surveillance of Americans' phone records, and needlessly exposes millions of Americans to potential abuse and surveillance by the government."
Securus Reportedly Hacked
Since the Times report appeared, Securus appears to have been hacked. On Wednesday, Motherboard reported that a hacker breached systems at Securus and shared a spreadsheet named "police," filled with data allegedly stolen from Securus. The file "includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year," Motherboard reports.
Hashing a password refers to what is meant to be a one-way function, in which a user's actual password is converted into a unique fingerprint, which gets stored and can later be used to verify whether a password that's been entered is valid, without storing the password itself. Hashes can also be salted, which means a unique random value is combined with each password before it is hashed, so that identical passwords produce different hashes and precomputed lookup tables become useless, making the stored hashes tougher to reverse engineer.
But Motherboard reports that Securus was using the MD5 algorithm to generate its hashes. Security experts have been warning for years that MD5 - as well as the SHA family of fast, general-purpose hashes - is unfit for this purpose, because both are designed to be computed quickly, which is exactly what lets an attacker test enormous numbers of password guesses against a stolen hash.
"Salt or not salt, if you're using MD5 or any SHA variant ... then it's basically useless," Australian information security expert Troy Hunt told ISMG last year. "And when we say useless, we mean a large percentage will be cracked in a very short time." (See Following Disqus Breach, Expert Discloses More Old Breaches).
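The practical defender's takeaway from Hunt's point is to replace fast hashes with a deliberately slow, salted password-hashing function. The following Python is an added example, not code from Securus, LocationSmart or the article: it verifies a login against a legacy unsalted MD5 record of the kind Motherboard describes and, on success, transparently rehashes the password under salted PBKDF2-HMAC-SHA256 so the weak hash is retired. The sample record and the password "correct-horse" are constructed for the example.

```python
import hashlib
import hmac
import os

# Iteration count of the order OWASP recommends for PBKDF2-HMAC-SHA256 (2023 guidance).
PBKDF2_ITERATIONS = 600_000

# Constructed legacy record: an unsalted MD5 hex digest of an invented password.
# This mirrors the weak storage format described in the article; it is not real data.
LEGACY_MD5_RECORD = {"scheme": "md5", "hash": hashlib.md5(b"correct-horse").hexdigest()}


def hash_password(password):
    """Create a new-style record: random 16-byte salt, slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_sha256", "salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(password, record):
    """Check a password against either record format, using a constant-time comparison."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(record["salt"]),
                                        record["iterations"]).hex()
    else:
        raise ValueError("unknown password hash scheme: %r" % record["scheme"])
    return hmac.compare_digest(candidate, record["hash"])


def needs_upgrade(record):
    """Audit helper: flag records still stored under a fast, unsalted hash."""
    return record["scheme"] == "md5"


def login_and_upgrade(password, record):
    """Verify the login; if it succeeds against a legacy MD5 record, return a
    replacement PBKDF2 record so the caller can overwrite the weak hash in storage."""
    ok = verify_password(password, record)
    if ok and needs_upgrade(record):
        record = hash_password(password)
    return ok, record
```

The upgrade can only happen at login because the plaintext is needed to compute the new hash; records whose owners never log in again should be expired and reset instead.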
Supreme Court Weighs Location Data Privacy
Kevin Bankston, director of New America's Open Technology Institute, told ZDNet that while the Electronic Communications Privacy Act restricts how telecommunications companies can share data with the government, there are no prohibitions against sharing it with non-telco business partners, who may then opt to share the data with the government.
Bankston described that loophole to ZDNet as being "one of the biggest gaps in U.S. privacy law."
"The issue doesn't appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this," he said.
Digital rights group Electronic Frontier Foundation says the U.S. Supreme Court is expected to issue an opinion by the end of June on United States v. Carpenter that could address "whether the Fourth Amendment requires law enforcement to get a warrant to access cell phone location data."