‘Insecure API gave access to mobile users’ location in US’

An insecure API at LocationSmart, a US location-tracking service, gave access to the location of US mobile customers of all major carriers, according to a US researcher who shared his findings with investigative journalist Brian Krebs.

Krebs writes that he was approached this week by security researcher Robert Xiao, who had found that LocationSmart was offering a demo of its tracking service on its website. In normal use, a person's name, e-mail address and telephone number had to be entered to determine that person's location, after which the person received a text message through which he or she could grant permission. Xiao found that it was not difficult to abuse the underlying API to look up the location of customers of the major US carriers without this permission. It is unclear whether data such as name and e-mail address were still required.
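The consent flow described above, as an added illustration that is not LocationSmart's code and does not reproduce the actual flaw (which this page does not detail): a lookup that trusts a caller-supplied "consented" flag beside one that releases a location only after the server has recorded the handset's reply to an SMS token. All function names, phone numbers, coordinates and the carrier feed are constructed for the example.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed stand-in for a carrier location feed; numbers and coordinates are made up.
FAKE_CARRIER_FEED: Dict[str, str] = {
    "+15555550100": "40.7128,-74.0060 (+/- 90 m)",
    "+15555550101": "45.4215,-75.6972 (+/- 2.4 km)",
}

def carrier_lookup(phone: str) -> Optional[str]:
    return FAKE_CARRIER_FEED.get(phone)

def locate_trusting_client(phone: str, consented: bool) -> Optional[str]:
    """Weak pattern (hypothetical): the API caller asserts that consent exists.
    Nothing ties the flag to a reply from the handset, so any caller can pass True."""
    if not consented:
        return None
    return carrier_lookup(phone)

@dataclass
class ConsentStore:
    """Server-side record of consent; the API caller never writes to it directly."""
    pending: Dict[str, str] = field(default_factory=dict)   # phone -> token sent by SMS
    granted: Set[str] = field(default_factory=set)          # phones whose owner replied

def request_consent(store: ConsentStore, phone: str,
                    send_sms: Callable[[str, str], None]) -> None:
    """Generate a random token and deliver it only to the handset being located."""
    token = secrets.token_urlsafe(8)
    store.pending[phone] = token
    send_sms(phone, f"Reply {token} to share your location")

def confirm_consent(store: ConsentStore, phone: str, token: str) -> bool:
    """Called when the handset replies; constant-time compare, one token per request."""
    expected = store.pending.get(phone)
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    del store.pending[phone]
    store.granted.add(phone)
    return True

def locate_server_enforced(store: ConsentStore, phone: str) -> Optional[str]:
    """Hardened pattern: the lookup is gated on the server's own consent record."""
    if phone not in store.granted:
        return None
    return carrier_lookup(phone)

def simulate() -> dict:
    """Run both variants against the constructed feed and return the outcomes."""
    outbox: Dict[str, str] = {}                 # simulated SMS delivery
    def send_sms(phone: str, msg: str) -> None:
        outbox[phone] = msg
    store = ConsentStore()
    target = "+15555550100"
    results = {}
    # Weak variant: location released although no SMS was ever sent or answered.
    results["weak_no_sms"] = locate_trusting_client(target, consented=True)
    # Hardened variant: nothing before the handset replies, wrong token rejected.
    results["strict_before_reply"] = locate_server_enforced(store, target)
    request_consent(store, target, send_sms)
    results["strict_wrong_token"] = confirm_consent(store, target, "nope")
    real_token = outbox[target].split()[1]      # only the handset's owner sees this
    results["strict_confirm"] = confirm_consent(store, target, real_token)
    results["strict_after_reply"] = locate_server_enforced(store, target)
    results["strict_other_phone"] = locate_server_enforced(store, "+15555550101")
    return results

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point of the hardened variant is that consent is state the server created and the handset confirmed, not a field in the request; the API caller cannot supply a token it never received, and a second number that never replied stays unresolvable.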

The service is now offline, Krebs said, but before that happened he was able to run tests with five of his contacts, who had given Xiao permission to look them up through the service. Each lookup completed within seconds, with accuracy varying between 90 meters and 2.4 kilometers. One of the test subjects was in Canada. When Krebs asked the company for a response, it said only that it would investigate and that it does not disclose user data to unauthorized users of its service. According to Krebs, it is unclear how long the demo site had been up. The carriers Sprint, Verizon, AT&T and T-Mobile would neither confirm nor deny that they have an agreement with LocationSmart, Krebs said.

A lawyer for the American civil rights organization EFF tells Krebs that Americans have no way to opt out of location tracking by their carriers; the carriers are, for example, legally required to be able to determine the location of their customers in certain cases. Earlier this week, ZDNet wrote, based on statements from LocationSmart itself, that the service claimed to use the same techniques as emergency services. However, it is not entirely clear how the company obtains the location data. According to The New York Times, another company, Securus, also used the LocationSmart service; the attention that revelation attracted led Xiao to investigate the service.
