An unsecured API used in a product demo can be exploited by attackers to track phone locations without the consent of end users.
An unsecured product demo on the website of phone geolocation firm LocationSmart allowed any user to look up the location of any arbitrary mobile phone number without supplying a password or any other credentials, according to a report by veteran security reporter Brian Krebs.
Under intended operation, the LocationSmart product demo requires prospective customers to input the target phone number, as well as a name and email address. The demo then texts the target phone number first to gain consent for tracking, and then replies with the location and other personally identifiable information in a text to the target phone.
Krebs cites Robert Xiao, a security researcher at Carnegie Mellon University, as having discovered that LocationSmart's demo had no protection against users directly interacting with the API that powers it, potentially allowing malicious users to look up the location of others. In tests, Krebs indicated that one source said the location provided by the service "came within 100 yards [91.4 meters] of their then-current location." By interacting with the API directly, malicious actors can bypass the consent step, according to Xiao.
The product demo was taken down yesterday following the disclosure. LocationSmart claims to have access to the four major US carriers, as well as US Cellular, and the Canadian carriers Bell, Rogers, and Telus.
This revelation follows a report yesterday indicating that Securus--a company that provides smartphone tracking tools for US law enforcement--was hacked, with thousands of pieces of data including account credentials leaked. While Securus focused on the law enforcement market, the backend service provider of that company was LocationSmart, according to a ZDNet report.
Users cannot disable this type of tracking: it relies on cell tower triangulation, not the GPS function found in smartphones. Krebs cites an attorney with the Electronic Frontier Foundation as stating that carriers are legally required to be able to determine the approximate location of devices to comply with emergency 911 regulations.
Verizon, AT&T, T-Mobile, and Sprint were contacted by TechRepublic about the nature of their business relationship with LocationSmart, but did not respond by press time.
The big takeaways for tech leaders:
- LocationSmart, the backend provider for the recently hacked Securus, had an unsecured API on its website that allowed malicious users to track any phone in the US or Canada.
- Users cannot disable this type of tracking: it relies on cell tower triangulation, not the GPS function found in smartphones.
Also see:
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- Cell phone tracking firm exposed millions of Americans' real-time locations (ZDNet)
- EU General Data Protection Regulation (GDPR): A cheat sheet (TechRepublic)
- Senator wants to know how police can locate any phone in seconds without a warrant (ZDNet)
- If your iOS app shares location data without permission, Apple will pull it (TechRepublic)