An unsecured product demo on the web site of phone geolocation firm LocationSmart allowed any user to look up the location of any arbitrary mobile phone number without needing to supply a password or any other credentials, according to a report by veteran security reporter Brian Krebs.

Under intended operation, the LocationSmart product demo requires prospective customers to input the target phone number, as well as a name and email address. The demo then texts the target phone number first to gain consent for tracking, and then replies with the location and other personally identifiable information in a text to the target phone.

Krebs cites Robert Xiao, a security researcher at Carnegie Mellon University, as having discovered that LocationSmart’s demo has no protection against users directly interacting with the API which powers that product demo, potentially allowing malicious users to look up the location of others. In tests, Krebs indicated that one source said the location provided by the service “came within 100 yards [91.4 meters] of their then-current location.” By directly interacting with the API, malicious actors can bypass the consent step, according to Xiao.

The product demo was taken down yesterday following the disclosure. LocationSmart claims to have access to the four major US carriers, as well as US Cellular, and the Canadian carriers Bell, Rogers, and Telus.

This revelation follows a report yesterday indicating that Securus–a company that provides smartphone tracking tools for US law enforcement–was hacked, with thousands of pieces of data including account credentials leaked. While Securus focused on the law enforcement market, the backend service provider of that company was LocationSmart, according to a ZDNet report.

The existence of both cases raises the larger question of how LocationSmart is obtaining this data to begin with. Kevin Bankston, director of New America’s Open Technology Institute, indicated to ZDNet that the Electronic Communications Privacy Act only prohibits telecoms from disclosing data to the government, but permits companies to disclose it to other companies. According to Bankston, law enforcement may be using that as a loophole, by using companies like Securus as an intermediary. Assuming that LocationSmart has a business relationship with the mobile carriers, this vulnerability would undoubtedly run afoul of their privacy policy, to say nothing of legal requirements of companies to protect against the disclosure of personally identifiable information.

The user cannot disable this type of identification, because it relies on cell tower triangulation, not the GPS function found in smartphones. Krebs cites an attorney with the Electronic Frontier Foundation as stating that carriers are legally required to be able to determine the approximate location of devices to comply with emergency 911 regulations.

Verizon, AT&T, T-Mobile, and Sprint were contacted by TechRepublic about the nature of their business relationship with LocationSmart, but did not respond by press time.

The big takeaways for tech leaders:

  • LocationSmart, the vendor of the recently hacked Securus, had an unsecured API on its website which allowed malicious users to track any phone in the US or Canada.
  • The user cannot disable this type of identification, because it relies on cell tower triangulation, not the GPS function found in smartphones.