'Unsafe API gave access to location of mobile users in US'


An insecure API from the US tracking service LocationSmart gave access to the remote location of American mobile customers of all major providers, according to an American researcher who shared his findings with investigative journalist Brian Krebs.

Krebs writes that this week he was approached by security researcher Robert Xiao, who found that LocationSmart offered a demo of its tracking service on its website. In normal use, a name, e-mail address and telephone number had to be entered to find out the location of a person. That person then received an SMS in which he or she could give permission. Xiao had learned that it was not difficult to abuse the underlying API to find out the location of customers of large American providers without this permission. It is unclear whether data such as name and e-mail address were still needed.

According to Krebs, the service is now offline, but before that he was able to perform tests with five of his contacts, who had given permission for Xiao to look them up with the service. That worked within seconds, with accuracy varying between 90 meters and 2.4 kilometers. One of the test persons was in Canada. When Krebs asked the company for a response, it only said that it would initiate an investigation and that it would not disclose user data to unauthorized users of its service. According to Krebs it is unclear how long the demo site was online. Providers Sprint, Verizon, AT&T and T-Mobile would neither deny nor confirm that they have an agreement with LocationSmart, according to Krebs.

A lawyer from the American civil rights organization EFF tells Krebs that Americans have no way to opt out of location tracking by their providers. Providers are, for instance, legally obliged in certain cases to determine the location of their customers. Earlier this week ZDNet wrote, on the basis of statements from LocationSmart, that the service claimed to use the same techniques as emergency services. According to The New York Times another company, Securus, also used the LocationSmart service. Due to the attention this disclosure drew, Xiao had begun to investigate the service.
