An insecure api from the US tracking service LocationSmart gave access to the remote location of American mobile customers of all major providers, an American researcher who shared his findings with investigative journalist Brian Krebs
According to Krebs, the service is now offline, but before that he was able to perform tests with five of his contacts, who had given permission. that Xiao would visit them with the service. That worked within seconds, with varying accuracy between 90 meters and 2.4 kilometers. One of the test persons was in Canada. When Krebs asked the company for a response, it only said that it would initiate an investigation and that it would not disclose user data to unauthorized users of its service. According to Krebs it is unclear how long the demo site was in the air. Providers Sprint, Verizon, AT & T and T-Mobile did not want to deny or confirm that they have an agreement with LocationSmart, according to Krebs
A lawyer from the American civil rights organization EFF tells Krebs that there is no possibility for Americans to use of an opt-out when following their location by providers. For example, they would be legally obliged to determine the location of their customers in certain cases. Earlier this week ZDNet wrote on the basis of statements from LocationSmart that the service claimed to use the same techniques as emergency services. According to The New York Times another company, Securus, also used the LocationSmart service. Due to the attention this disclosure drew, Xiao had begun to investigate the service.