LocationSmart Service Leaked Customer Location Data From All Four Major US Wireless Carriers


Sometimes it feels like security and privacy are myths in this day and age of data leaks, hacking, and everything else. The latest example comes from a LocationSmart, a relatively obscure (to the public) location-as-a-service outfit has been leaking real-time location information of cell phone users on all of the major wireless networks in the United States, including AT&T, Verizon, T-Mobile, and Sprint.

LocationSmart offers a free demo in which anyone can see the approximate location of their own mobile phone simply by entering in their name, email address, and phone number into a form on the company's website. The service then sends a text to the phone number that was entered asking for permission to ping the device's nearest cell phone network tower. If a user consents, LocationSmart tracks the device's longitude and latitude and plots the location on a Google Street View map.

It's easy to see how something like that might be useful or interesting. However, it was recently discovered that LocationSmart was not performing even basic security and privacy checks to ensure that its service was not being abused. Anyone with a bit of knowledge about how websites work could figure out how to look up location data of other users without ever entering in any login information.

"I stumbled upon this almost by accident, and it wasn't terribly hard to do," Xiao, a PhD candidate at CMU's Human-Computer Interaction Institute, told KrebsOnSecurity. "This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples' cell phone without their consent."

Xiao called it "really creepy stuff," noting that when he tested this on a friend's phone (who had given him consent), he was not only able to track his current location, but also his directional movements.

"We don’t give away data," LocationSmart founder and CEO Mario Proietti said in a statement. "We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them."

The service has since been taken offline. However, it's not clear how long this has been going on and what the future plans are, and what, if anything, what actions the nation's largest wireless carriers might take in response to the data flub.