What is worse than a company that sells real-time cell phone locations wholesale? One that takes no security precautions to keep people from abusing the service. LocationSmart did both, as numerous sources reported this week.
The company is the next domino after the Securus hack. Securus is in the lucrative business of handling communications with inmates, and LocationSmart was the partner that allowed it to provide real-time mobile device locations to law enforcement and others. There are perfectly good reasons and methods for establishing a customer's location, but this is not one of them.
The police, the FBI and the like are supposed to go directly to the carriers to obtain this kind of information. But paperwork is a nuisance! If the carriers let LocationSmart, a separate company, access that data, and LocationSmart sells it to someone else (Securus), and that someone else sells it to the police, much less paperwork is required! That is what Securus told Senator Ron Wyden (D-OR) it does: act as an intermediary between the government and the carriers, with LocationSmart's help.
The LocationSmart service appears to locate phones through the towers they have recently connected to, returning a location within seconds that is accurate to a few hundred feet. To show that the service worked, the company (until recently) offered a free trial on its site where a prospective customer could enter a phone number and, once that number answered yes to a consent text, the location would be returned.
It worked pretty well, but it is now offline. In its enthusiasm to demonstrate the ability to locate a particular phone, the company seems to have forgotten to secure the API through which it did so, Brian Krebs reports.
Krebs heard from CMU security researcher Robert Xiao, who discovered that at LocationSmart "no basic checks were made to avoid anonymous and unauthorized inquiries". And not through hardcore hacking, just by poking around.
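The failure described above is an authorization gap: the consent text was enforced by the demo web page, not by the backend API that actually answered lookups. The following added example (not LocationSmart's code; the tower data, API keys and consent store are all constructed stand-ins) contrasts a backend that answers any caller with one that checks both an authenticated client and an unexpired consent record for that client/number pair before touching the carrier, and logs every attempt so unusual query volume can be spotted. It also reflects the point made later in the piece: if neither the carrier nor the reseller enforces consent, the requirement does not exist, so the check has to live in the service that returns the data.

```python
"""Consent-gated phone location lookup: weak vs. hardened backend logic.

Constructed example, not LocationSmart's code. The coordinates, the
API keys and the consent records are invented, and the carrier call
is simulated with a dictionary.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import time

# Constructed stand-in for the carrier tower lookup: number -> (lat, lon, radius_m).
FAKE_TOWER_DB = {
    "+15550100001": (37.7749, -122.4194, 150),
    "+15550100002": (40.7128, -74.0060, 300),
}


def carrier_lookup(number):
    """Simulated call to the carrier; returns None for unknown numbers."""
    return FAKE_TOWER_DB.get(number)


def lookup_weak(number):
    """The failure mode from the article: the backend answers anyone who
    supplies a number, whether or not a consent text was ever sent or answered."""
    return carrier_lookup(number)


@dataclass
class ConsentStore:
    """number -> (client_id, expiry). Consent is scoped to the client that
    obtained it and expires, so one 'yes' cannot be reused forever or by others."""
    records: dict = field(default_factory=dict)

    def record_consent(self, client_id, number, ttl_seconds, now=None):
        now = time.time() if now is None else now
        self.records[number] = (client_id, now + ttl_seconds)

    def has_consent(self, client_id, number, now=None):
        now = time.time() if now is None else now
        rec = self.records.get(number)
        return rec is not None and rec[0] == client_id and rec[1] > now


# Hashed API keys of registered clients (constructed). Storing a hash rather
# than the key itself limits the damage if this table leaks.
API_KEY_HASHES = {
    "client-a": hashlib.sha256(b"example-key-a").hexdigest(),
}


def authenticate(api_key):
    """Return the client id for a valid key, else None (constant-time compare)."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for client_id, stored in API_KEY_HASHES.items():
        if hmac.compare_digest(digest, stored):
            return client_id
    return None


# Every attempt, allowed or denied, is recorded so a spike in denied or
# anonymous queries is visible to whoever watches the logs.
AUDIT_LOG = []


def lookup_hardened(api_key, number, consent, now=None):
    """Require an authenticated client AND unexpired consent for this
    client/number pair before the carrier is queried at all."""
    client_id = authenticate(api_key)
    if client_id is None:
        AUDIT_LOG.append(("deny", "bad_key", number))
        return None
    if not consent.has_consent(client_id, number, now):
        AUDIT_LOG.append(("deny", "no_consent", client_id, number))
        return None
    AUDIT_LOG.append(("allow", client_id, number))
    return carrier_lookup(number)


if __name__ == "__main__":
    store = ConsentStore()
    print("weak:", lookup_weak("+15550100001"))
    print("hardened, no consent:", lookup_hardened("example-key-a", "+15550100001", store))
    store.record_consent("client-a", "+15550100001", ttl_seconds=600)
    print("hardened, with consent:", lookup_hardened("example-key-a", "+15550100001", store))
    print("audit:", AUDIT_LOG)
```

The important design choice is that the consent check sits in front of the carrier call, not in the web form: the weak version returns a location for any number it is handed, while the hardened version denies an unknown key, a number with no consent record, and a record that has expired or belongs to a different client, and leaves an audit trail for each decision.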
"I came across this almost by accident, and it was not terribly difficult to do. This is something that anyone could discover with minimal effort," he told Krebs. Xiao published the technical details here.
They verified that the API back door worked by testing it with a few known parties, and when they informed LocationSmart, the company's CEO said they would investigate.
This is a big enough problem by itself. But it also calls into question what the wireless carriers say about their own location-sharing policies. When Krebs contacted the four major US carriers, all said that they require either the customer's consent or a lawful request.
There are three options I can think of:
- LocationSmart has a way to find locations through the towers that does not require the authorization of the carriers in question. This seems unlikely for technical and commercial reasons; the company also listed carriers and other companies on its home page as partners, although their logos have since been removed.
- LocationSmart has a kind of master key to carrier information; the carriers may assume its requests are legitimate because it has law-enforcement or similar clients. This is more likely, but it also contradicts the carriers' claim that they require consent or some kind of legal justification.
- Carriers do not actually verify case by case whether a request has consent; they may put that duty on those making the requests, such as LocationSmart (which asks for consent in the official demo). But if the carriers do not ask for consent, the third parties do not either, and neither holds the other responsible, then the consent requirement effectively does not exist.
None of these is particularly encouraging. But nobody expected anything good to come from a poorly secured API that lets anyone request the approximate location of someone's phone. I have asked LocationSmart to comment on how the problem was possible (and Krebs for some additional data that could shed light on it).
It is worth mentioning that LocationSmart is not the only business that does this, only the one caught up today in this security flaw and in Securus's shady practices.