Last week, The New York Times reported that a former Missouri sheriff had been using location data provided by the phone tracking company Securus Technologies to track people’s cell phones without obtaining a court order.
That alone would have been concerning, but it turns out the story goes much deeper than a single sheriff. Earlier this week, ZDNet followed up on the Times report, revealing that Securus obtains its data through an intermediary called LocationSmart — a firm that has the ability to track any phone on Verizon, AT&T, T-Mobile or Sprint in seconds.
The story finally came to a head on Thursday when KrebsOnSecurity shared a bombshell.
LocationSmart has a free tool on its website that lets anyone look up the approximate location of their phone. Enter some basic information (name, email, phone number), wait for the site to send a confirmation text to ping your phone from the nearest cell tower, agree, and receive a text with your approximate latitude and longitude.
But here’s the real kicker: CMU PhD candidate Robert Xiao tells Krebs that the tool doesn’t perform any basic checks to prevent a stranger from using the service for unauthorized queries. In other words, all you need is basic knowledge of how to manipulate a website to use the tool to track anyone’s phone at will.
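The flaw described above is an authorization gap: the demo sent a consent text to a number, but the lookup step never verified that the number being queried was the one whose owner had confirmed. The following is an added example written for this article, not LocationSmart’s code, showing that failure mode beside a consent-bound lookup. The carrier tower data is replaced by a constructed in-memory table, the phone numbers and coordinates are invented, and the SMS delivery is simulated by returning the code from `request_consent`; all of these are assumptions of the demo.

```python
"""Consent-gated phone-location lookup: a vulnerable and a hardened variant.

Added example, not LocationSmart's code. Phone numbers, coordinates and the
carrier table below are constructed; the real service queried carrier
networks, which an in-memory dict stands in for here.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-in for carrier tower data: phone number -> (lat, lon).
CARRIER_LOCATIONS = {
    "+15555550100": (38.6270, -90.1994),
    "+15555550101": (40.4406, -79.9959),
}

TICKET_TTL_SECONDS = 300


def lookup_vulnerable(phone: str) -> Optional[Tuple[float, float]]:
    """The failure mode the article describes: the lookup endpoint trusts the
    phone number it is handed and never checks that this number's owner
    confirmed a consent text. Any caller can query any number."""
    return CARRIER_LOCATIONS.get(phone)


class ConsentGatedLocator:
    """Hardened variant: a lookup is honoured only with a single-use ticket
    that was minted for the queried number after its owner confirmed an
    out-of-band code."""

    def __init__(self, server_secret: Optional[bytes] = None):
        self._secret = server_secret or secrets.token_bytes(32)
        self._pending = {}   # phone -> (hmac of code, issued_at)
        self._tickets = {}   # ticket -> (bound phone, issued_at)

    def request_consent(self, phone: str) -> str:
        """Step 1: issue a confirmation code for the number. In production the
        code goes out by SMS to that handset only; returning it here simulates
        the text message so the flow can run offline."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (self._hash(phone, code), time.time())
        return code

    def confirm_consent(self, phone: str, code: str) -> str:
        """Step 2: the handset's owner submits the code. Only then is a lookup
        ticket minted, and it is bound to this phone number."""
        entry = self._pending.pop(phone, None)
        if entry is None:
            raise PermissionError("no pending consent request for this number")
        code_hash, issued_at = entry
        if time.time() - issued_at > TICKET_TTL_SECONDS:
            raise PermissionError("confirmation code expired")
        if not hmac.compare_digest(code_hash, self._hash(phone, code)):
            raise PermissionError("wrong confirmation code")
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (phone, time.time())
        return ticket

    def lookup(self, phone: str, ticket: str) -> Optional[Tuple[float, float]]:
        """Step 3: the lookup checks that the ticket exists, is unexpired, is
        bound to the phone being queried, and has not been used before. The
        ticket is consumed whether or not the check passes."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            raise PermissionError("unknown or already-used ticket")
        bound_phone, issued_at = entry
        if time.time() - issued_at > TICKET_TTL_SECONDS:
            raise PermissionError("ticket expired")
        if not hmac.compare_digest(bound_phone, phone):
            raise PermissionError("ticket was not issued for this number")
        return CARRIER_LOCATIONS.get(phone)

    def _hash(self, phone: str, code: str) -> bytes:
        # Keyed hash so a leaked pending table does not reveal live codes.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()
```

The point of the hardened path is that the only input the server trusts is its own ticket, which carries the phone number the consent was confirmed for; a caller cannot confirm consent for their own handset and then substitute someone else’s number at lookup time, which is the gap the vulnerable function leaves open.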
“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”
Xiao said that he was able to use the tool — which, again, was free for anyone with internet access to use until it was taken offline today — to track a friend’s location in real time repeatedly over the course of a few minutes to basically chart a path of where the individual was moving using the coordinates the site texted him.
Krebs and Xiao teamed up for an even more exhaustive test before the service was taken offline:
Before LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of my sources.
One of those sources said the longitude and latitude returned by Xiao’s queries came within 100 yards of their then-current location. Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately 1/5 to 1/3 of a mile at the time.
Without paying for anything, signing any paperwork, providing any passwords, or even confirming their identity, Xiao and KrebsOnSecurity were able to reliably track people without their permission using a free online tool.
“We don’t give away data,” LocationSmart Founder and CEO Mario Proietti said when alerted to the vulnerability. “We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”
Although it is not clear how long the tool has been available to the public, archive.org dates it back to at least January 2017. That’s over 16 months that an unknown number of bad actors could have had access to a tool that would have allowed them to track any cell phone user to within 100 yards of where they were standing.