There have been some major location data-related security issues that’ve cropped up this week.
A company called LocationSmart had a bug in its website that would allow anyone to track the real-time location of any cellphone. LocationSmart offered a free demo that’d let anyone see the location of a device by sharing their name, email address, and phone number. The company would then text that number for permission to ping the nearest cellphone tower and return the longitude and latitude of the device.
However, a bug discovered by security researcher Robert Xiao found that the site did not perform checks to block anonymous searches on the site. Xiao’s tests found that he could use LocationSmart’s service to locate any device, with the owner of one phone reporting that the coordinates LocationSmart gave for them was within 100 yards of their actual location.
LocationSmart was made aware of this security flaw and pulled the demo from its site. CEO Mario Prioetti told KrebsOnSecurity that his company offers this location date for “legitimate and authorized purposes” and that it “take[s] privacy seriously” and will be looking into the issue.
The FCC said today that it plans to investigate the LocationSmart website flaw.
Earlier this week, it was reported that a former sheriff of Mississippi County, Mo., was using a service called Securus to track people’s phones without court orders. Securus is normally used to provide and monitor calls to prison inmates, and it gets its location data from LocationSmart.
LocationSmart is meant to provide location data to companies for things like tracking employees and mobile advertising. However, this week has shown that our location data may not be as secure as some people think, and Xiao thinks that more data leaks like this could very well happen in the future. “We’re going to continue to see breaches like this happen until access to this data can be much more tightly controlled,” he told KrebsOnSecurity.