LocationSmart is security-dumb. Cell carriers are guilty too

Another data broker is under fire for sloppy security and poor privacy. This time, it’s a company called LocationSmart, which sells your real-time position.

Yes, you heard me right. And accurate to a city block or two.

There are legit reasons to have such data—E911 and roadside rescue, for example. But a researcher discovered he could access anyone’s location without a shred of authentication.

But how does LocationSmart get your coordinates in the first place? Why, your wireless carrier sells it to them, silly—with or without your consent. In this week’s Security Blogwatch, we triangulate the story.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Royal Wedding misheard

State of Security Operations 2018

JSON ’Jack: Location leakage

What’s the craic? Will Oremus will muse—The Privacy Scandal That Should Be Bigger Than Cambridge Analytica:

Wireless carriers are sharing your real-time location with shady third parties. And a bug lets anyone use that data to track you.

Stop me if you’ve heard this before: A giant company that relies on users to trust it with some of their most intimate personal data turns out to have been abusing that trust by passing that data on to shady third parties … on a massive scale. … Oh, and there’s no way to opt out.

The big U.S. wireless carriers [are] all working with LocationSmart, sending their users’ location data to the firm so that it could triangulate their whereabouts. [But] almost anyone could have used LocationSmart’s site to find the location of almost anyone else, at any time … without any permission or credentials, let alone a warrant.

[The] major wireless carriers have for years been carelessly allowing their users’ location data to be exposed in all kinds of unauthorized and scary ways. … You might think that the major wireless carriers would be facing intense pressure to account for their lax handling of customers’ data.

Who discovered the leak? Robert Xiao locates a LocationSmart API Vulnerability:

A vulnerability in the LocationSmart website … allowed anyone, with no … consent, to obtain the realtime location of any cellphone in the US to within a few hundred feet. … It works regardless of phone operating system or the privacy settings on the device itself.

If you make the … request with requesttype=locreq.json, you get the full location data, without receiving consent. … Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.
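As an added illustration (not code from the original post, from Xiao, or from LocationSmart), here is the bug class Xiao describes: a consent check that lives inside one response-format branch, next to a version where authorization is decided once before any format dispatch, plus the regression check a defender would run over every requesttype value. The phone numbers, coordinates and consent table are constructed.

```python
import json
from typing import Callable, List, Optional

# Constructed sample data: which subscribers have opted in, and where they are.
CONSENT = {"15550001111": True, "15550002222": False}
LOCATIONS = {
    "15550001111": (37.7749, -122.4194),
    "15550002222": (40.7128, -74.0060),
}


def render(lat: float, lon: float, requesttype: str) -> str:
    """Serialize a fix as JSON or XML depending on the requesttype parameter."""
    if requesttype == "locreq.json":
        return json.dumps({"lat": lat, "lon": lon})
    return f"<loc lat='{lat}' lon='{lon}'/>"


def vulnerable_locate(msisdn: str, requesttype: str = "locreq") -> Optional[str]:
    """Consent is only checked on the XML path; the JSON path returns early.

    Returns None when the request is denied or the number is unknown.
    """
    if msisdn not in LOCATIONS:
        return None
    lat, lon = LOCATIONS[msisdn]
    if requesttype == "locreq.json":
        return render(lat, lon, requesttype)   # bug: no consent check here
    if not CONSENT.get(msisdn, False):
        return None
    return render(lat, lon, requesttype)


def hardened_locate(msisdn: str, requesttype: str = "locreq") -> Optional[str]:
    """Authorization is decided first, deny-by-default, independent of format."""
    if msisdn not in LOCATIONS or not CONSENT.get(msisdn, False):
        return None
    lat, lon = LOCATIONS[msisdn]
    return render(lat, lon, requesttype)


def leaks_without_consent(locate: Callable[[str, str], Optional[str]]) -> List[str]:
    """Regression check: list every requesttype that returns a non-consenting
    subscriber's location. An empty list means the endpoint is safe."""
    non_consenting = "15550002222"
    return [fmt for fmt in ("locreq", "locreq.json")
            if locate(non_consenting, fmt) is not None]
```

Running the check against the vulnerable handler flags only the JSON path, which is exactly the asymmetry Xiao reports; the hardened handler returns an empty list.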

Who is to blame? Brian Krebs cycles in, with Please Don’t Share the Where:

AT&T, Sprint, T-Mobile and Verizon are selling [your] location information to third party companies — in real time — without your consent or a court order, and with apparently zero accountability. … Think about what’s at stake. … It is always going to be at extremely high risk of being hacked, stolen and misused.

Earlier this month The New York Times reported that a … data broker named Securus was selling local police forces around the country the ability to look up the precise location of any cell phone. … Then it emerged that Securus had been hacked. … Securus’ data was ultimately obtained from … LocationSmart.

The real blame for this sorry state of affairs comes down to AT&T, Sprint, T-Mobile and Verizon. [And] don’t think for a second that these two tiny companies are the only ones with permission from the mobile giants to look up such sensitive information.

What can we learn? Xiao’s writeup got fein cackling:

The first thing that comes to mind is if this is on a well known framework, I want to know because those security defaults are awful.

However if these guys rolled their own API auth system and messed up something this simple, or deliberately modified framework defaults ... I can't even imagine what conversations happened at their offices this morning.

But what on earth was LocationSmart thinking? gowld goes wild:

Theory: Devops disabled the security flag on the JSON API, in order to perform integration tests, then didn't enable it until reminded.

Is this data-collection legit? Yep, joemck reminds us how so:

Whether or not you enable GPS … all cell phones can be located through … the network.

This is legally required, so that 911 operators can see where you are if you call.

And bigiain has more about how carriers do it:

A large part of what a cellular carrier needs to do is know which cell you're in so it can route traffic to your device. … They literally cannot do what you're paying them for if they cannot locate you down to the nearest cellular base station.

And in most areas, they'll have you connected to enough base stations that they can at least roughly triangulate you using signal strength to estimate distance from multiple cells. I don't know if 3G/4G/LTE allows base stations to calculate TOF roundtrip times to get even better distance accuracy … but it wouldn't surprise me.

Time for a quick anecdote? Okay, here’s gcb0:

I called 911 to report someone driving on the wrong side of a freeway. I was half asleep in the passenger seat and didn't notice we were on another interstate already.

When I said "on highway A" the operator corrected me "don't you mean highway B?" and she was right.

But the JSON vuln is a red herring, according to Iamthecheese:

Why should I care whether someone had to pay 50 cents per head or whether they got the information with a trivial hack? The real problem is cellphone companies selling out their customers and a severe lack of apps not made by weasels.

It’s enough to make you want to ride your bicycle. gatfirls makes the rockin’ world go ’round: [You’re fired—Ed.]

If I recall correctly there was a poll that showed in roughly 30 percent of marriages one or both partners admitted to cheating. Imagine ~10 million married couples finding out about infidelity in the relationship near simultaneously.

Worryingly, gavron notes another problem:

I tried it using my personal cellphone. It told me I was in an area that is 10 miles … from where I actually am.

The last time I was in that area was Friday, four days ago. My phone has been communicating with cell towers over here … for four days solid … so clearly their data is ... um ... wrong.

Meanwhile, here’s addflip to remind us it’s not just E911:

It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could.

The moral of the story? Red-team your auth—before someone else does!

And finally …

Not the Royal Wedding

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Ed Gregory (cc0)
