Flaw in webpage demo could have allowed anyone to track cellphones on major U.S. providers
LocationSmart, a San Diego-area company based in Carlsbad, collects real-time location data on wireless mobile devices. A computer science student said in a report published today that a flaw in the company's website could have revealed to anyone the real-time location of any cellphone running on Verizon, AT&T, T-Mobile or Sprint. The information would have been accurate to within a few hundred yards.
If your first thought is to wonder what purpose companies like LocationSmart serve: they sell location data to companies that want or need to track their employees. Another part of the business sends text messages about sales and discounts offered by a particular store to cellphone users who happen to be near or inside that store. LocationSmart's website lists clients such as AAA, FedEx and Allstate.
If this story sounds familiar, it's because last week we told you about Securus Technologies, a company that was used by a small-town sheriff to track cellphones belonging to the State Highway Patrol between 2014 and 2017 without a warrant. And there is a connection between the two stories: according to Sen. Ron Wyden (D-Ore.), Securus obtained its data from a company called 3Cinteractive, which is a customer of LocationSmart.
This past Wednesday, Carnegie Mellon University computer science student Robert Xiao found the flaw in LocationSmart's website. According to Xiao, the bug "allowed anyone, anywhere in the world, to look up the location of a U.S. cellphone. I could punch in any 10-digit phone number, and I could get anyone's location." The page was meant to let consumers try out LocationSmart's service by typing in their own cell number and, after giving consent via a call or text, seeing their location (again, within a few hundred yards).
Xiao discovered the flaw in LocationSmart's website in 15 minutes. The bug allowed him to bypass the consent step, which in theory would allow him to find the location of any phone using one of the four major wireless carriers in the United States. More alarming still was his assessment that "It would not take anyone with sufficient technical knowledge much time to find this."
Verizon spokesman Rich Young said that Securus no longer has access to Verizon customers, and added that Verizon is scrutinizing its relationship with LocationSmart. AT&T and Sprint each said that they do not allow third-party companies to track subscribers without consent, a court order or a warrant.
Thanks to Xiao's discovery, LocationSmart took down the flawed page on its website Thursday. The site now carries a statement saying that the vulnerability in the "consent mechanism" of its online demo has been resolved and was not exploited prior to May 16th. LocationSmart says that no customer information was obtained without permission and adds that the demo has been disabled. You can find the full statement below.