FCC investigates LocationSmart website for leaking location data for users of major US mobile carriers
LocationSmart, a company based in Southern California, is under investigation by the FCC after it was discovered that its website made it possible for just about anyone to access location data for the majority of US cell phones.
Security journalist Brian Krebs reported that a flaw on the LocationSmart website made it possible for anyone to look up the location of any AT&T, Sprint, T-Mobile or Verizon phone in the US. More worryingly still, the data returned is said to be accurate to within a few hundred yards.
LocationSmart's website included a demonstration tool to show how it worked, while access to real data was meant to be restricted to authorized users for legitimate purposes. Krebs explains how the service is supposed to work: "LocationSmart's demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device's nearest cellular network tower. Once that consent is obtained, LocationSmart texts the subscriber their approximate longitude and latitude, plotting the coordinates on a Google Street View map."
But this was not all that was possible. Krebs also reports the findings of Robert Xiao:
According to Xiao, a PhD candidate at CMU's Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.
This is clearly something of great concern to millions of people, and the FCC is now investigating, confirming to Ars Technica that "the matter has been referred to the Enforcement Bureau".
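To make the failure Xiao describes concrete, here is an added example in Python; it is not LocationSmart's code, and the routes, phone numbers, in-memory "carrier" table and simulated SMS outbox are all constructed for this illustration. The exact mechanism of the LocationSmart bypass is not described on this page, so the flawed dispatcher below is a hypothetical stand-in for the bug class (consent enforced by the demo form, while a second entry point reaches the privileged lookup unchecked). The hardened dispatcher funnels every route through one consent check, with tokens bound to the number, time-limited and single-use.

```python
"""Consent-gated phone lookup: a flawed and a hardened dispatcher.

Added illustration, not LocationSmart's code. Routes, numbers, the carrier
table and the SMS outbox are constructed for this example.
"""
import hmac
import secrets
import time

# Constructed sample data standing in for a carrier's tower-based lookup.
CARRIER_TABLE = {
    "+15551230001": (37.7749, -122.4194),
    "+15551230002": (40.7128, -74.0060),
}


def carrier_lookup(phone):
    """The privileged call that returns a subscriber's approximate location."""
    return CARRIER_TABLE.get(phone)


class ConsentStore:
    """Sends an SMS challenge and issues single-use, phone-bound consent tokens."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._clock = clock
        self._ttl = ttl_seconds
        self.outbox = []      # simulated SMS messages (constructed, not sent)
        self._pending = {}    # phone -> challenge code awaiting a reply
        self._issued = {}     # token -> [phone, expiry, used]

    def send_challenge(self, phone):
        """Text the subscriber a code; only the handset holder can reply with it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = code
        self.outbox.append((phone, f"Reply {code} to share your location"))

    def confirm(self, phone, code):
        """Called when the subscriber replies; returns a consent token or None."""
        if not hmac.compare_digest(self._pending.get(phone, ""), code):
            return None
        del self._pending[phone]
        token = secrets.token_urlsafe(24)
        self._issued[token] = [phone, int(self._clock()) + self._ttl, False]
        return token

    def authorize(self, phone, token):
        """True only for an unexpired, unused token bound to this exact phone."""
        rec = self._issued.get(token or "")
        if rec is None:
            return False
        bound_phone, expiry, used = rec
        if used or bound_phone != phone or self._clock() > expiry:
            return False
        rec[2] = True         # single use: a replayed token is rejected
        return True


def flawed_dispatch(store, path, params):
    """Hypothetical flawed design: consent is checked only on the demo page,
    while a second route reaches the carrier lookup with no check at all."""
    phone = params.get("phone")
    if path == "/demo":
        if not store.authorize(phone, params.get("token")):
            return 403, None
        return 200, carrier_lookup(phone)
    if path == "/api/locate":
        return 200, carrier_lookup(phone)     # anonymous lookup succeeds
    return 404, None


def hardened_dispatch(store, path, params):
    """Every route passes through the same authorization step before the lookup."""
    if path not in ("/demo", "/api/locate"):
        return 404, None
    phone = params.get("phone")
    if not store.authorize(phone, params.get("token")):
        return 403, None
    location = carrier_lookup(phone)
    return (200, location) if location else (404, None)
```

The design point is that the consent check is a property of the privileged operation, not of one web form: any path that can reach `carrier_lookup` must first pass `authorize`, and the token it checks must name the phone being queried, expire, and burn on first use so it cannot be replayed against a later request.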
Responding to the incident, Brenda Schafer, a spokesperson for LocationSmart, said:
LocationSmart is continuing its efforts to verify that not a single subscriber's location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.
The demo tool has been taken offline while an investigation takes place. The news comes just days after LocationSmart was named as the source for data used by a firm called Securus to help police locate cell phones.
Image credit: TippaPatt / Shutterstock