Slashdot Mirror


Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com)

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers. The story blew up because a former sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed a story in The New York Times revealing how a former sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. Xiao said one of the APIs used in the "try" page, which lets users try out the location feature, was not validating the consent response properly. He said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.
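The failure mode described above is a consent check that the server does not enforce itself. The following is an added example, not LocationSmart's code or its API; the phone number, the location table, the handler names and the five-minute code lifetime are all constructed for illustration. The vulnerable handler trusts a consent flag supplied by the caller, so the SMS step can simply be skipped; the hardened handler only honours consent that the server itself recorded after a matching one-time code was submitted.

```python
"""Consent gate for a location lookup: client-trusted (broken) vs. server-enforced.
Added example with constructed data; not LocationSmart's code."""
import secrets
import time

# Constructed sample data standing in for a carrier location feed.
LOCATIONS = {"+15550001111": (40.4436, -79.9447)}

# Server-side consent state: phone -> {"code", "confirmed", "expires"}.
_consent = {}
CODE_TTL = 300  # assumed policy: a one-time SMS code (and the grant) lives 5 minutes


def request_consent(phone, now=None):
    """Issue a one-time code that would be sent to the subscriber by SMS.
    The code is returned only so the example can play the subscriber's part."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _consent[phone] = {"code": code, "confirmed": False, "expires": now + CODE_TTL}
    return code


def confirm_consent(phone, code, now=None):
    """Record consent only if the submitted code matches and is unexpired."""
    now = time.time() if now is None else now
    rec = _consent.get(phone)
    if rec is None or now > rec["expires"]:
        return False
    if not secrets.compare_digest(rec["code"], code):
        return False
    rec["confirmed"] = True
    return True


def lookup_vulnerable(phone, client_says_consented):
    """The bug pattern from the story: the consent answer arrives in the
    request and is trusted as-is, so nothing ties it to a delivered SMS."""
    if not client_says_consented:
        return None
    return LOCATIONS.get(phone)


def lookup_hardened(phone, now=None):
    """Consent is read from server state written only by confirm_consent()."""
    now = time.time() if now is None else now
    rec = _consent.get(phone)
    if rec is None or not rec["confirmed"] or now > rec["expires"]:
        return None
    return LOCATIONS.get(phone)
```

The fixed `now` values in the comments and tests make the expiry behaviour deterministic; in a real service the grant would also be scoped to the requesting client and logged for audit.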

39 comments

  1. Re: It's called android by Anonymous Coward · · Score: 0

    iPhone tard strike again!

  2. Why?!? by Anonymous Coward · · Score: 1

    Why are cellular companies even allowed to sell that data to just anyone?

    1. Re:Why?!? by viperidaenz · · Score: 3

      Because they all put it in the terms of service you agreed to and USA has no law that says they can't add that to the contract.

    2. Re:Why?!? by AHuxley · · Score: 1

      Police and FBI support. DEA and High Intensity Drug Trafficking Area policing. State task forces and city, state police.
      Their hardware and software has to work.
      A cellphone that's too hard to decrypt and track all around the USA is a cell phone that should not be approved.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re: Why?!? by Anonymous Coward · · Score: 0

      LOL
      Welcome to the police state.
      Everyone loves a totalitarian government.

    4. Re:Why?!? by Errol+backfiring · · Score: 1
      I'm pretty sure the Universal Declaration of Human Rights forbids it. Article 12:

      No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    5. Re:Why?!? by BlueStrat · · Score: 1

      Police and FBI support. DEA and High Intensity Drug Trafficking Area policing. State task forces and city, state police.
      Their hardware and software has to work.
      A cellphone that's too hard to decrypt and track all around the USA is a cell phone that should not be approved.

      Exactly.

      The government loves them some "third-party doctrine". It means that not only does it make it trivial for government to implement mass surveillance/tracking, it also means all these corporations can cash in on your privacy as well, and so can bad actors.

      Glad I don't own a cellphone. Not planning on getting one until this privacy/security stuff is fixed to at least a somewhat reasonable level, which likely means I'll never own a cellphone.

      What needs to happen to force change is to use this to publish tracking data for top federal officials and politicians. After some high-ups in the FBI, DHS, etc and Congress get their undies aired in public things may change.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    6. Re:Why?!? by Anonymous Coward · · Score: 0

      Oh, let's see what should I use this time......

      Since when did the US start abiding by international agreements?

      Don't worry the right to contract includes the ability to wave other rights to protect ur freedomz Citizen! Don't let those lessers in the shitholes mislead you. Our freedom is perfect.

      Corporations are people too.

      In Soviet United States, contracts dictate you.

      Quick, someone get a contract that forbids the president from vetoing laws! /sarcasm

      So many to choose from......

    7. Re:Why?!? by AlwinBarni · · Score: 1

      Because they all put it in the terms of service you agreed to and USA has no law that says they can't add that to the contract.

      A question. Wasn't it a rule during Obama administration recently voted down by the current Congress and signed by Mr Trump?

      On March 28, Congress voted along party lines to kill a set of rules adopted by the Federal Communications Commission in October that would've forced your internet service provider, or ISP, to ask you before it collected certain personal information.

      The joint resolution that enacts those changes, S.J. Res. 34, was presented by Republican Sen. Jeff Flake of Arizona and cosponsored by 24 other Republicans. President Donald Trump signed the resolution on Monday night, turning it into law.

    8. Re:Why?!? by Anonymous Coward · · Score: 0

      That document is nice and all, but it's not law. (In the US, see Sosa v. Alvarez-Machain (2004). Other countries see it similarly).

  3. We need a new law by Anonymous Coward · · Score: 2

    We need a new law.

    A privacy by default law. Let's call it Title III. Basically Title II lets these ISPs and data hoarders do whatever with this data. They need to be reined in a bit. Just like Title I restricted the phone companies from basically spying on everyone. This is not the first time this has happened. It is happening right now.

    Would it shock you to know that cell phones are not covered under Title I rules? But II rules. Because they are more flexible.

    1. Re:We need a new law by viperidaenz · · Score: 2

      Let me guess, voip services sold as a replacement for traditional phone lines are also under Title II rules?

  4. I've been waiting... by gatfirls · · Score: 2

    ...popcorn in hand for some company to leak data like this. I always figured it would be something like FB messages which I am fully convinced was the way the world in 'The Road' became that way.

    If I recall correctly there was a poll that showed in roughly 30 percent of marriages one or both partners admitted to cheating. Imagine ~10 million married couples finding out about infidelity in the relationship near simultaneously.

    1. Re:I've been waiting... by freeze128 · · Score: 3, Funny

      Imagine ~10 million married couples finding out about infidelity in the relationship near simultaneously.

      That means 10 million ladies willing to get payback by sleeping with slashdotters! Let the good times roll!

    2. Re:I've been waiting... by Anonymous Coward · · Score: 1

      Yes! I'd bet that Facebook keeps records of every login to a site that uses them for authentication. How many of those married folks are using Tinder? All it would take is a leak of that type of data to destroy many more than 10M marriages.

    3. Re:I've been waiting... by CODiNE · · Score: 1

      There was that whole Ashley Madison thing... around 10 million accounts. A dozen or so people are known to have committed suicide following it... people got blackmailed for Bitcoin, but it was hardly the end of Western Civilization.

      --
      Cwm, fjord-bank glyphs vext quiz
    4. Re:I've been waiting... by Anonymous Coward · · Score: 0

      True, but people found after the fact that very few of the accounts were actual paying members and anyone with a lick of sense wouldn't sign up for something like that with their 'main' email. IIRC something like 3% of the female accounts were proven to be bogus. Also just having an account there isn't indicative of what you actually did do. GPS mapping of every day of your life would.

      Of course 'The Road' reference was hyperbole but something like this data being leaked would be insane because literally every person in the US with something to hide based on location-time would/could be exposed. Call in sick to go to a game, busted. Sneaking out at night with friends from school, busted. Lunchtime romps in the park, busted.

    5. Re:I've been waiting... by goose-incarnated · · Score: 1

      Imagine ~10 million married couples finding out about infidelity in the relationship near simultaneously.

      That means 10 million ladies willing to get payback by sleeping with slashdotters! Let the good times roll!

      Five million ladies. The infidelity rate is basically the same for both men and women, hence if 10m marriages have infidelity then around half of them would be cheating wives.

      --
      I'm a minority race. Save your vitriol for white people.
  5. Four of the largest US Carriers... by DatbeDank · · Score: 4, Insightful

    Considering that there are only 4 mobile carriers in the US (Verizon, ATT, Sprint, and T-Mobile) and pretty much everyone underneath is an MVNO leasing space from them, that covers pretty much 95% of the whole US.

    1. Re:Four of the largest US Carriers... by DatbeDank · · Score: 3, Insightful

      Correction, the big 4 mobile carriers are the only games in town. That means everyone with a cell phone has been spied on.

    2. Re:Four of the largest US Carriers... by Mousit · · Score: 1

      While I'd agree that the vast, vast majority of U.S. consumers get their service from the Big Four (or an MVNO under them), they aren't the only games in town. U.S. Cellular and C-Spire are #5 and #6 for example. Granted, yes, they're way smaller and regional, but nonetheless other independent wireless companies do exist, and even being "small" they still represent millions of customers each.

  6. how about no double standards here... by Anonymous Coward · · Score: 5, Insightful

    "trivially easy" to skip

    that sheriff should be strung up by the courts and given 30 years for 'hacking'.. as anyone else would get if they were a normal person who did the same thing.

    1. Re:how about no double standards here... by Actually,+I+do+RTFA · · Score: 1

      He's being charged. What more do you want?

      --
      Your ad here. Ask me how!
  7. What's a "police sheriff"? by rtfa0987 · · Score: 1, Insightful

    There's no such thing as a "police sheriff." Any editor should know that there are police and there are sheriffs. Someone mangled the NYTimes article which says "...the former sheriff of Mississippi County, Mo., used a lesser-known Securus service to track people’s cellphones, including those of other officers, without court orders, according to charges filed against him in state and federal court."

    1. Re:What's a "police sheriff"? by rtb61 · · Score: 1

      There should be the additional charge of hacking a computer network. Once that access right demand comes up and you actively thwart it, you have hacked a computer network and then the other laws come into play. So the computer network crime should take priority. Else it is like claiming a locked door is not secure if there is a pane of glass that can be readily thwarted right next to it. So busted for the lesser crime, failing to adhere to the requirement for warrants, only to face a worse prosecution upon investigation, hacking a computer network.

      --
      Chaos - everything, everywhere, everywhen
  8. sue sue sue by Anonymous Coward · · Score: 1

    Time to back the truck up and wait for payout. Stand up and act.

  9. High time by Impy+the+Impiuos+Imp · · Score: 4, Insightful

    A company can just buy real-time tracking data on everyone from the carriers?

    To quote from The Terror:

    "Go find a carpenter."

    "Why?"

    "It's time to build a gallows."

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  10. The website bug is a red herring. by Iamthecheese · · Score: 3, Insightful

    Why should I care whether someone had to pay 50 cents per head or whether they got the information with a trivial hack? The real problem is cellphone companies selling out their customers and a severe lack of apps not made by weasels. Privacy now.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:The website bug is a red herring. by Anonymous Coward · · Score: 0

      The real problem is ...

      This is the low-hanging fruit: There are laws against government snooping and against unauthorized access of data for personal gain.

      To agree with you, I note there's no attempt to punish LocationSmart for glaring, inadequate security controls. That's why this will happen again.

  11. Headline is so wrong it's not even funny. by Xenolith0 · · Score: 1

    "Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations"

    Should be:
    "Scummy Cell Phone Carriers (Verizon, AT&T, Sprint, T-Mobile) Sell Real-Time Location Information of Subscribers to Anyone Willing to Pay"

    1. Re:Headline is so wrong it's not even funny. by Entrope · · Score: 1

      Laws (and/or regulations, depending on jurisdiction) require the companies to keep that information and make it available to government officials. Securus is supposed to be acting as an agent of government when it does this. Unsurprisingly, neither government nor the middleman do a very good job of access control or oversight.

    2. Re:Headline is so wrong it's not even funny. by Anonymous Coward · · Score: 0

      You're behind the times. That was the headline two days ago. This is just keeping the scandal alive. But since American attention spans are now down to goldfish proportions, it will be quickly forgotten without any action taken. How many people even remember that the USPS stores scans of all the mail items it handles?

    3. Re:Headline is so wrong it's not even funny. by Anonymous Coward · · Score: 0

      Laws (and/or regulations, depending on jurisdiction) require the companies to keep that information and make it available to government officials.

      Lies / fake news. What law. Cite it.

    4. Re:Headline is so wrong it's not even funny. by Anonymous Coward · · Score: 0

      Hey dipshit, ever hear of CALEA?

  12. Re: It's called android by Anonymous Coward · · Score: 0

    Is this the freedom your guns win you, working well then. Sad.

  13. And the Feds by fred911 · · Score: 1

    Turn their back on local and state LEA that use and purchase "cell-simulators" that break multiple federal laws regarding spectrum allocation and type accepted equipment use without even discussing privacy issues, AND WE PAY STUPID money for them, AND the agencies are prohibited by an EULA to even admit they possess these devices. HOW DOES THAT WORK? That's even worse than a commercial entity breaking the law.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  14. Here's what I want, what I really really want... by Anonymous Coward · · Score: 0

    He's being charged. What more do you want?

    A conviction, with some real jailtime.