A Security Flaw in a Free Web Service Let Anyone Anonymously Track U.S. Cell Phones
A bug in the free demo version of a service called LocationSmart made it easy for a moderately savvy attacker to anonymously track the location of nearly any U.S. cell phone, before the bug was identified by a security researcher. The flawed tracking portal has since been shuttered, but the incident is a scary reminder that cell phones can be a major risk to personal security and privacy.
LocationSmart allows location tracking of phones on networks including AT&T, Sprint, T-Mobile, and Verizon. It normally requires that a phone’s owner consent to being tracked, and the company markets its service primarily to companies who want to keep track of their own workers, resources, or consenting customers.
But this week Robert Xiao, a PhD candidate at Carnegie Mellon University, told the security site KrebsOnSecurity that he had discovered a huge flaw in a demo tool that LocationSmart provided to potential customers. While the demo tool was supposed to require consent from the user being tracked, Xiao told KrebsOnSecurity that with “minimal effort” the tool could be used to “track most peoples’ cell phone without their consent.”
Get Data Sheet, Fortune’s technology newsletter.
Xiao and Krebs tested the exploit on several cell phone users, including one in Canada. In addition to finding the phones’ location to within 100 yards without the targets’ consent, the data could be plugged into Google Maps to determine the tracked phone’s direction of movement. (The tests were performed only after targets gave permission outside of the LocationSmart system). The exploit, which reportedly hinged on an insecure API feature, did not require that an attacker provide any of their own identity information.
In response to the report, LocationSmart issued a statement Friday saying that it has “resolved” the vulnerability and disabled the exploitable demo. The company also claims “the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission.”
The flaw was discovered, though, following reports that connected LocationSmart to another scary cell-tracking incident. On May 10th, the New York Times reported that a former Missouri sheriff had used a service provided by Securus Technologies to track the locations of private citizens without a court order. ZDNet then discovered that Securus was getting its data from LocationSmart.