Want to learn someone’s location? Due to some shoddy programming, a US company that hoards cell phone data accidentally gave anyone the disturbing power to do this.
LocationSmart specializes in collecting cell phone data from US wireless carriers as a way to help businesses understand their customers. According to its website, the California company has location data on over 400 million devices.
However, LocationSmart appears to have been careless with that data. A computer scientist noticed on Wednesday that an online demo for one of the company’s services could let anyone plug in a cell phone number and pull up the device’s location.
The searches were supposed to be limited to only cell phone numbers that had granted consent to the location lookups. To do this, the demo would text or call the phone number and request permission from the owner.
Unfortunately, the demo contained a software bug, according to Robert Xiao, a PhD candidate at Carnegie Mellon University. He was digging around in the demo and noticed a flaw in the system’s API that could let anyone run cell phone location searches without obtaining the owner’s consent.
Xiao disclosed the vulnerability to security journalist Brian Krebs, who verified that the LocationSmart demo could, indeed, pull up someone’s approximate location; he and Xiao tested it on five of Krebs’ trusted sources.
“One of those sources said the longitude and latitude returned by Xiao’s queries came within 100 yards of their then-current location,” Krebs wrote on Thursday. “Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately 1/5 to 1/3 of a mile at the time.”
How long the bug has been around isn’t known, but LocationSmart appears to have taken the demo offline.
Xiao was investigating the company amidst news that it was supplying location data to a little-known prison technology firm called Securus Technologies. Last week, a US senator revealed that Securus was also providing cell phone location lookups to law enforcement and correctional officers without a warrant.
So far, LocationSmart and Securus haven’t commented. But their practices are raising serious questions over why US wireless carriers are handing so much private data to third-party companies, when no controls appear to be in place.
The major wireless providers haven’t detailed their relationships with LocationSmart or Securus. But on Thursday, an AT&T spokesman said: “We don’t permit sharing of location information without customer consent or a demand from law enforcement. If we learn that a vendor does not adhere to our policy we will take appropriate action.”