LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones

Discussion in 'MacRumors.com News Discussion' started by MacRumors, May 18, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in LocationSmart's website that made the real-time location of millions of phones readily available to anyone with the knowhow.

    [​IMG]

    For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing.

    Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.

    [​IMG]
    LocationSmart's since-removed trial page via Krebs on Security

    The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada.

    In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:
    Upon discovering the vulnerability, Xiao immediately contacted the US-CERT to coordinate disclosure, and shared details with Brian Krebs, who published a story with further details on his blog Krebs on Security.

    Xiao told Krebs that he was able to obtain the approximate longitude and latitude of five different people who agreed to be tracked, coming within 100 yards and 1.5 miles of their then-current locations, all in a matter of seconds. LocationSmart plotted the coordinates on a Google Street View map.
    It's not clear exactly how long LocationSmart has offered its trial service or how long it has been vulnerable. Krebs linked to an archived version of the website that suggests it dates back to at least January 2017.

    When reached for comment via phone, LocationSmart's founder and CEO Mario Proietti told Krebs that the company was investigating.
    A spokesperson for AT&T told Krebs that the carrier "does not permit the sharing of location information without customer consent or a demand from law enforcement," while Verizon, Sprint, and T-Mobile all pointed towards their privacy policies.

    LocationSmart was already in the news prior to this relevation. The New York Times last week reported that Cory Hutcheson, a former Missouri sheriff, was charged with using a private service called Securus, which obtained data from LocationSmart, to track people's phones without court orders.

    Those headlines are what prompted Xiao to poke around LocationSmart's website and ultimately discover this vulnerability. However, while the page has been taken down, it's unclear what steps will be taken next if any. At least one U.S. senator has urged the FCC to enforce stricter privacy laws on carriers.

    More Coverage: A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations by ZDNet's Zack Whittaker

    Update: The FCC's Enforcement Bureau has confirmed it will investigate LocationSmart, according to CNET.

    Article Link: LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones
     
  2. Tech198 macrumors G5

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
  3. applepuree macrumors 6502

    applepuree

    Joined:
    Aug 15, 2014
    #3
    So to get this clear, its not a bug in the iPhone, but in a 3rd parties 3rd party service ?
     
  4. coolfactor macrumors 68040

    Joined:
    Jul 29, 2002
    Location:
    Vancouver, BC CANADA
    #4
    As a web software engineer, I'm always watchful for how requests to a server could be abused, and take a security-first approach. My software has multiple layers of checks and balances before a request for a resource is satisfied.

    This company hired the wrong developer.
    --- Post Merged, May 18, 2018 ---
    That's correct.
     
  5. jarred125 macrumors 6502a

    Joined:
    Nov 8, 2011
    #5
    Yeah they hired the wrong dev, guaranteed it will be him/her only thrown under the proverbial bus.
     
  6. coolfactor macrumors 68040

    Joined:
    Jul 29, 2002
    Location:
    Vancouver, BC CANADA
    #6
    In older versions of iOS, I seem to recall being able to watch a friend's location (via Location Sharing) in near-real-time update immediately as they moved.

    Now, in iOS 10+, it seems to only refresh every 15 minutes.

    I bet that was a change made by Apple for privacy reasons. I find it annoying.
     
  7. Wags macrumors 6502a

    Joined:
    Mar 5, 2006
    Location:
    Nebraska, USA
    #7
    So once you agree to be tracked. You can. Problem is unwillingly or even knowing you gave your authorization.
     
  8. snowboarder macrumors 6502

    Joined:
    Jun 9, 2007
    #8
    Before you start talking AI and other scifi stuff, fix some basic things please.
     
  9. manu chao macrumors 603

    Joined:
    Jul 30, 2003
    #9
    I know I should read more about this, but my quick guess is that every carrier has to know the approximate location (ie, cell tower) of every phone connected to their network. And if you then aggregate the information from multiple carriers that is what you get.
     
  10. cmaier macrumors G4

    Joined:
    Jul 25, 2007
    Location:
    California
    #10
    Yes. You can easily get their website to bypass its permissions check to track your phone via the phone companies. Not the fault of the phones at all.
     
  11. m4mario macrumors member

    m4mario

    Joined:
    May 10, 2017
    Location:
    San Francisco Bay Area
    #11
    What non sense? How can carriers share my location data? Or even think its ok to track it for themselves.
     
  12. eiuro macrumors member

    eiuro

    Joined:
    Feb 28, 2013
    #12
    This sounds more like a backdoor rather than a bug. Location data on millions of Americans? Didn't we see this in enemy of the state?
     
  13. slimtastic Suspended

    slimtastic

    Joined:
    May 17, 2018
    Location:
    Your Mother's Bedroom
    #13
    How on earth is this company gathering location data on everyone from each carrier? The carriers are really sharing this info with third-parties? Or am I missing something here? I was under the impression this was illegal.
     
  14. WannaGoMac, May 18, 2018
    Last edited: May 18, 2018

    WannaGoMac macrumors 68000

    Joined:
    Feb 11, 2007
    #14
    How are carriers allowed to just give my real time location to a 3rd party? Where can I remove my consent??
     
  15. cmwade77 macrumors 6502a

    Joined:
    Nov 18, 2008
    #15
    Well, the carriers do need to track location data to be able to track where cell coverage has issues. But this should be able to be done anonymously.
     
  16. slimtastic Suspended

    slimtastic

    Joined:
    May 17, 2018
    Location:
    Your Mother's Bedroom
    #16
    This is what I'm wondering as well. From what it appears, it seems that this is from the cell carriers. Though I don't know for sure.
     
  17. Martin Bland macrumors newbie

    Joined:
    Jun 9, 2014
    #17
    The question everyone should be asking is why do carriers think it is ok to sell customer location data. Where is the carrier contract fine print that allows this?

    One more reason I would switch to an Apple mobile service. In a heartbeat.
     
  18. coumerelli macrumors 6502

    Joined:
    Apr 7, 2003
    Location:
    state of confusion.
    #18
    Federal 911 regulations require this at the very least. There are certainly other reasons why tracking would need to be in place. But to subcontract this out to a third party is a problem.
     
  19. justperry macrumors G3

    justperry

    Joined:
    Aug 10, 2007
    Location:
    In the core of a black hole.
    #19
    Simple solution, just don't use a mobile phone.;)
    Even non smart phones can be tracked.
     
  20. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #20
    You would probably need to dissolve yourself from your carrier.
    --- Post Merged, May 18, 2018 ---
    Use a good VPN service.
     
  21. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #21
    Security, Privacy, Mobility.

    These three things will never go together. How hard Apple tries.
     
  22. EvilEvil macrumors 6502a

    EvilEvil

    Joined:
    Jan 8, 2007
    Location:
    New York City
  23. Sasparilla macrumors 6502a

    Joined:
    Jul 6, 2012
    #23
    So this company is in the business of tracking the location of every cell phone user in the U.S., in real time, and offering that information for sale? What could possibly go wrong with this?

    So dissapointing that every cell carrier just goes along with this. So disappointing this is even allowed.

    We need a law that no company can sell or give away their user's private data to a 3rd party without a specific opt in for that particular sale by the user and with no affect on service if they do not choose to do so.
     
  24. alphaod macrumors Core

    alphaod

    Joined:
    Feb 9, 2008
    Location:
    NYC
  25. 69Mustang macrumors 603

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #25
    PSA: There seems to be a lot of people in this thread who are astounded and horrified their location data is being shared. Apparently, without their consent. Fear not, it isn't without your consent. You've given your consent AND the location data isn't considered personal data. All phone makers, from Apple to Google to Samsung and everyone else tell you specifically and explicitly that your location data is not your personal data. I only briefly checked Sprint, but I'd bet all my money the other carriers consider location data non-personal as well.

    As an example here is Apple's version (emphasis mine):
    We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:

    • We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
    Google's version? Basically the same. Samsung? Ditto Microsoft? Yerp.

    tl;dr We give them the right to do what they do.
     

Share This Page