Tracking firm caught leaking realtime location data of US Mobile users

Location tracking firm “LocationSmart” has been caught putting the physical security of US citizens at risk and its data collection tactics have opened a new pandora box.

A United States-based location-as-a-service (LaaS) firm “LocationSmart” known for providing real-time location data of cellphones users in the country has been caught leaking that information due to a vulnerability in its website.

The vulnerability was discovered by Carnegie Mellon University’s security researcher Robert Xiao on May 16th who noted that LocationSmart’s “try” page on the website allowed anyone without any authorization or password to collect real-time location data of any cell phone user in the United States within a few 100 feet.

Major US mobile carrier sell data to LocationSmart

LocationSmart recently made headlines for selling location data of users to a prison telecom and location tracking firm Securus. The sold data belonged to users of major US mobile carriers since the firm partners with AT&T, Verizon, Sprint, and Canadian telecom firms like Rogers, Bell, and Telus.

Simply put: The firm would take data from aforementioned telecom companies and sell it to Securus who would then improperly share that data with law enforcement. Securus’s activities were originally reported by the New York Times, however, days after the report Securus was hacked when an unknown hacker stole login credentials, usernames, emails, poorly hashed passwords, phone number, and security questions of 2800 customers.

Securus had admitted that it usually obtains data from 3CInteractive, a mobile marketing company, who receives data from LocationSmart which mean Securus utilizes LocationSmart’s API for initiating web-based tracking.

Tracking firm caught leaking realtime location data of US Mobile users
From LocationSmart’s website

Soon after the Securus breach, Xiao reported the vulnerability to US-CERT and cybersecurity journalist Brian Krebs. Upon further digging, Krebs found out that LocationSmart’s vulnerability allowed anyone to abuse the service since it failed to perform basic checks.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent,” Xiao told Krebs.

No way out

According to Electronic Frontier Foundation’s (EFF) staff attorney Stephanie Lacambra, US wireless customers cannot opt out of location tracking by their own mobile providers. Therefore, turning off location services or making changes in your privacy setting will not stop firms like LocationSmart and Securus from tracking your precise location in real time.

“This is precisely why we have lobbied so hard for robust privacy protections for location information. It really should be only that law enforcement is required to get a warrant for this stuff, and that’s the rule we’ve been trying to push for,” said Lacambra.

FCC to investigate LocationSmart flaw

The flaw in LocationSmart’s website was not an ordinary flaw since it risked the physical security of millions of Americans and Canadian citizens. In a report, Reuters has confirmed that The U.S. Federal Communications Commission (FCC) will be investigating the flaw after Senator Ron Wyden, a Democrat urged the FCC to look into the matter.

“The location aggregation industry has operated with essentially no oversight by the Federal Communications Commission. The only real surprise is that it took this long for the public to learn that the wireless carriers and their business partners were demonstrating such a total disregard for Americans’ privacy and safety. I’m pleased the FCC is opening an investigation into the reported data leak by LocationSmart.” Wyden said.

“The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk. I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans.”

At the time of publishing this article, LocationSmart had removed the flawed link from its website. However, this is not the first time when a firm has been caught tracking location data of unsuspected users. Previously, Google admitted collecting real-time location data of Android users even if their location service was off.

Image credit: Depositphotos

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.