Last week, the New York Times revealed that an obscure company called Securus
was providing real-time location tracking to law enforcement, without
checking the supposed “warrants” provided by cops, and that their system
had been abused by a crooked sheriff to track his targets, including a
judge (days later, a hacker showed that Securus’s security was terrible, and their service would be trivial to hack and abuse).
At the time, it was hard to understand how Securus was able to access location data from the carriers. Now we know.
Securus is a customer of a “marketing company” called Locationsmart that
has contracts with the four largest US cellular carriers that allow it
to pinpoint the location of any cellular phone in the USA or Canada,
usually within seconds.
Locationsmart exploits a loophole in federal privacy law, which requires
government agencies (including police forces) to get a warrant in order
to retrieve location data from mobile carriers. The loophole, though,
allows mobile carriers to sell this data to marketing companies like
Locationsmart, who can sell that data to anyone they like – including
the government entities who would need a warrant to get the same data
from the carriers.
Locationsmart’s website included a demonstration service that allowed
you to try out their location tracking for free: you entered a cellphone
number, it texted a query to that number asking for permission to
provide the phone’s location, and, if permission was given, it showed
the web user the phone’s location. The idea was that you could use it
with your own phone number to see how the service worked.
But a Carnegie Mellon security researcher named Robert Xiao looked more
closely and discovered that it was trivial to bypass the
authentication/permission step in the demonstrator, allowing anyone in
the world to track, in real time, the location of anyone in the USA or
Canada with nothing more than a phone number (Locationsmart took down
the demo portal when they were contacted by security journalist Brian
If you do business with the big four carriers – Verizon, Sprint,
T-Mobile and AT&T – you “agreed” to let them sell this incredibly
sensitive data to muppets like Locationsmart when you signed up for the