The US company Locationsmart has leaked very accurate real-time location data for almost all mobile phones in the United States, writes Krebs on Security.
The company collects location data from phones associated with the mobile networks of AT & T, Sprint, T-Mobile and Verizon, and sells them further. The phones are located by looking at which mobile phone handsets are connected so that in seconds the position can be accurately measured in a few hundred meters.
The US company Locationsmart has leaked very accurate real-time location data for almost all mobile phones in the United States, writes Krebs on Security.
The company collects location data from phones associated with the mobile networks of AT & T, Sprint, T-Mobile and Verizon, and sells them further. The phones are located by looking at which mobile phone handsets are connected so that in seconds the position can be accurately measured in a few hundred meters.
Demo function lacked basic security
Locationsmart has a demo feature where anyone who wants to find the approximate position of their own mobile phone can enter their name, email address and phone number. The user then receives an SMS where he or she can give permission to "ping" the nearest mobile mast. In return, you get the location plotted onto a Google map.
However, security expert Robert Xiao at Carnegie Mellon University discovered that the demo function lacks the basic functionality to prevent someone from asking for the position of a phone other than the one himself owns. It is easy to bypass the requirement that the user himself must approve to be traced. The technical details of how it is done is here.
Xiao contacted Krebs on security, who wrote about the matter. Krebs on Security got permission to track the phones to five different people, and in seconds they could see the position of all - without the subjects themselves having to approve something.
Locationsmart states that they only offer positioning services for legitimate purposes - but on the company's websites, everything is mentioned from monitoring where employees are employed for marketing purposes towards consumers located in certain areas.
The company also sells location data to the company Securus, which, according to Motherboard, was subjected to a hacker attack a few days ago. Securus supplies the positioning of phones to US police and prisons, and acts as a kind of intermediary between US mobile operators and US authorities. The New York Times recently wrote about how the service meant to monitor calls to prisoners can also be used to monitor random people.
"We take privacy seriously
In a statement to Krebs on Security, Locationsmarts chief executive Mario Proietti says that the company is currently investigating the matter.
- We do not give away data. We make them available for legitimate and authorized purposes. It is based on legitimate and authorized use of location data provided only when the user has granted permission. We take privacy seriously and we will review all the facts, "said Proietti.
None of the major US mobile operators have wanted to verify or declare that they are working with Locationsmart, but Locationsmart provides operators as collaborators on their websites. AT & T says to Krebs on Security that they do not allow the sharing of location information without the customer has approved it, or as required by law enforcement authorities.
Demo service is now taken down.