LocationSmart security flaw leaked real-time location data of U.S. cellphone owners

LocationSmart logo

There have been some major location data-related security issues that’ve cropped up this week.

A company called LocationSmart had a bug in its website that would allow anyone to track the real-time location of any cellphone. LocationSmart offered a free demo that’d let anyone see the location of a device by sharing their name, email address, and phone number. The company would then text that number for permission to ping the nearest cellphone tower and return the longitude and latitude of the device.

However, a bug discovered by security researcher Robert Xiao found that the site did not perform checks to block anonymous searches on the site. Xiao’s tests found that he could use LocationSmart’s service to locate any device, with the owner of one phone reporting that the coordinates LocationSmart gave for them was within 100 yards of their actual location.

LocationSmart location tracker data demo

LocationSmart was made aware of this security flaw and pulled the demo from its site. CEO Mario Prioetti told KrebsOnSecurity that his company offers this location date for “legitimate and authorized purposes” and that it “take[s] privacy seriously” and will be looking into the issue.

The LocationSmart website shows the logos of all four major U.S. carriers as well as U.S. Cellular and Google. When asked about this issue, T-Mobile, Verizon, and Sprint all referred to their privacy policy, and AT&T said that it doesn’t permit the sharing of location info without customer consent or order from law enforcement, adding that it will take “appropriate action” against vendors that don’t comply to this policy.

The FCC said today that it plans to investigate the LocationSmart website flaw.

Earlier this week, it was reported that a former sheriff of Mississippi County, Mo., was using a service called Securus to track people’s phones without court orders. Securus is normally used to provide and monitor calls to prison inmates, and it gets its location data from LocationSmart.

LocationSmart is meant to provide location data to companies for things like tracking employees and mobile advertising. However, this week has shown that our location data may not be as secure as some people think, and Xiao thinks that more data leaks like this could very well happen in the future. “We’re going to continue to see breaches like this happen until access to this data can be much more tightly controlled,” he told KrebsOnSecurity.

LocationSmart security flaw leaked real-time location data of U.S. cellphone owners originally posted at http://phonedog.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s