The Story That Won’t Quit Expanding – LocationSmart Leaks Data in Securus Fiasco
If you missed our previous post in the developing Locationgate story, here's a quick recap. All major US and Canadian cell carriers sell customer location data to third-party aggregators such as LocationSmart. They do this so they don't have to handle requests for location data themselves from people like marketers, who want to know where you are in order to serve you ads. LocationSmart in turn provides that data to a shady company called Securus, which sells incredibly expensive phone services to inmates. Securus pays people off so it can be the exclusive provider. Using its connections, it also provides law enforcement and government agencies with location lookups for any mobile subscriber. Laws prevent law enforcement from getting that data from the carriers without a warrant, but this data isn't technically coming from the carrier. A very corrupt sheriff is involved in dozens of lawsuits, including over this behavior, and a very irate senator is calling on the FCC to act and on the carriers to stop it. As if that weren't enough, a hacker breached Securus and got access to the service and a list of accounts. Securus, despite what its name implies, has little to no security around such sensitive data. LocationSmart, beyond acting as the middleman, was largely left clear of the dumpster fire. Until now.
LocationSmart Also Lacks Basic Security
LocationSmart, in an effort to show off its technology and attract customers, offered a demo of the service. The demo was publicly accessible and did not require any authentication, not even email verification. Just pull up the web application and take it for a drive. Granted, it was meant for the demo user to look up their own phone, not anyone else's, but lax security leads to trouble.
The demo worked by asking you to enter the name, email, and phone number of the target. It then sent a text to the number to request permission to ping the phone. Once permission was granted, it gave the demo
Enter Robert Xiao, a security researcher at Carnegie Mellon. According to Xiao, the site didn't perform basic checks to prevent abuse; anyone with a basic understanding of how websites work could perform lookups at will, without the target's consent. Xiao tried this with several friends, including one in Canada, who allowed him to run the experiment. None of them received a text from LocationSmart requesting permission, yet all of them had their locations tracked by Xiao with reasonable accuracy: some to within 100 yards, some to within a mile.
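The lesson here is where the consent gate lives. The article does not say how Xiao's requests skipped the SMS step, so the following is an added, hypothetical model of the flow it describes, not LocationSmart's code: a consent request that (in simulation) texts a one-time token to the handset, a lookup that merely trusts the caller's claim of consent, and a hardened lookup that only answers when the server holds a fresh, handset-confirmed consent record. Phone numbers, coordinates and the `ConsentStore` class are constructed for the example.

```python
"""Consent-gated location lookup, modelled two ways (added example, hypothetical).

Neither function is LocationSmart's real implementation. The point is that a
consent check the caller can assert for themselves is no check at all; consent
has to be a fact the server established by hearing back from the handset.
"""
import secrets
import time

# Constructed sample "carrier" data: phone number -> (lat, lon). Hypothetical.
CARRIER_LOCATIONS = {
    "+15555550101": (40.4433, -79.9436),
    "+15555550102": (45.4215, -75.6972),
}


class ConsentStore:
    """Server-side record of who has agreed to be located, and for how long."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self.pending = {}     # token -> (phone, issued_at)
        self.granted = {}     # phone -> granted_at
        self.sms_outbox = []  # simulated SMS deliveries (phone, message)
        self.audit_log = []   # (client_id, phone, timestamp) for every lookup

    def request_consent(self, phone):
        """Issue a one-time token and 'text' it to the target handset.

        In a real deployment the token travels only to the handset; it is
        returned here so the example can simulate the handset replying.
        """
        token = secrets.token_urlsafe(16)
        self.pending[token] = (phone, time.time())
        self.sms_outbox.append((phone, f"Reply {token} to allow a location lookup"))
        return token

    def confirm(self, token):
        """Handset replied with the token: record consent if it is unexpired."""
        entry = self.pending.pop(token, None)  # single use
        if entry is None:
            return False
        phone, issued_at = entry
        if time.time() - issued_at > self.ttl:
            return False
        self.granted[phone] = time.time()
        return True

    def has_consent(self, phone):
        granted_at = self.granted.get(phone)
        return granted_at is not None and time.time() - granted_at <= self.ttl


def lookup_vulnerable(phone, consent_claimed):
    """Gate enforced on the caller's word: any client can pass consent_claimed=True.

    The SMS to the target is never required, which is the class of failure the
    article describes (no text received, location returned anyway).
    """
    if not consent_claimed:
        raise PermissionError("consent required")
    return CARRIER_LOCATIONS.get(phone)


def lookup_hardened(store, client_id, phone):
    """Gate enforced on server-side state that only the handset's reply can set."""
    if not store.has_consent(phone):
        raise PermissionError("no verified consent on record for this number")
    store.audit_log.append((client_id, phone, time.time()))
    return CARRIER_LOCATIONS.get(phone)


if __name__ == "__main__":
    store = ConsentStore()
    target = "+15555550101"
    print("vulnerable:", lookup_vulnerable(target, consent_claimed=True))
    try:
        lookup_hardened(store, "demo-client", target)
    except PermissionError as exc:
        print("hardened, before reply:", exc)
    token = store.request_consent(target)   # simulated SMS goes to the handset
    store.confirm(token)                    # simulated handset reply
    print("hardened, after reply:", lookup_hardened(store, "demo-client", target))
```

The hardened variant also leaves an audit trail keyed by API client, which is the minimum a provider needs if it wants to claim it can tell legitimate use from abuse after the fact.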
LocationSmart has taken the service down and says it takes privacy seriously and is investigating. It further clarifies that the service is for legitimate purposes only. The problem is, how does it define legitimate purposes, and how does it verify that a customer using the service isn't going to do nefarious things with that access, as Securus did when it sold locations to the government without the target's permission?
Flame on dumpster fire, flame on.