Firm exposes cell phone location data on US customers

A U.S.-based company called LocationSmart inadvertently exposed data on the precise location of mobile phones on its website as a result of a software vulnerability.

The company, based in California, partners with wireless carriers to collect real-time data on the location of cellphones that it then sells to other companies for marketing and other purposes.

LocationSmart, until Thursday, offered a free demo service on its website that allowed a user to enter their name, email address and cellphone number to test out how the company determines their precise location. 

{mosads}

However, Robert Xiao, a security researcher at Carnegie Mellon University, recently discovered that a flaw in the demo service allowed an individual to abuse it to obtain location data on any mobile number, not only their own. Krebs on Security first reported the bug on Thursday.

LocationSmart took the demo service offline after being notified of the flaw. In a statement to The Hill, the company said that the vulnerability had been “resolved” and the demo service disabled.

The company said it has confirmed the vulnerability was not exploited to reveal sensitive location data before May 16, the day Xiao tested out the service.

The Federal Communications Commission (FCC) is now investigating reports of the website vulnerability, Reuters reported Friday afternoon.

The demo service, if exploited, could have been used to reveal precise location data on AT&T, Sprint, T-Mobile and Verizon customers in the United States. Xiao discovered and confirmed the flaw by testing whether he could use the service to track the location of the mobile phones of his friends.

In a description of the bug posted to his personal website, Xiao said that he had contacted the Department of Homeland Security’s Computer Emergency Readiness Team to coordinate the disclosure of the vulnerability.

LocationSmart insisted that no customer information was improperly obtained because of the flaw. 

“The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled,” a spokesperson for the company said Friday in a statement.

“We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission,” the spokesperson said.

The company stated further that it is “continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist.”

It is unclear how long the flawed service was live on LocationSmart’s website before being taken down this week. 

The revelation of the bug comes days after The New York Times reported that Securus Technologies, a firm that provides telephone services to prisons, had been providing data on customers to a former Mississippi County sheriff without court orders. 

That firm has attracted scrutiny from Sen. Ron Wyden (D-Ore.), who wrote to the FCC earlier this month to request an investigation into the “abusive and potentially unlawful practices” of wireless carriers that allowed the company access to the location data.

A subsequent report from ZDNet suggested that Securus Technologies had obtained the location data from LocationSmart.

This post was updated at 4:45 p.m.