tracking

Auto Added by WPeMatico

LocationSmart didn’t just sell mobile phone locations, it leaked them

What’s worse than companies selling the real-time locations of cell phones wholesale? Failing to take security precautions that prevent people from abusing the service. LocationSmart did both, as numerous sources indicated this week.

The company is adjacent to a hack of Securus, a company in the lucrative business of prison inmate communication; LocationSmart was the partner that allowed the former to provide mobile device locations in real time to law enforcement and others. There are perfectly good reasons and methods for establishing customer location, but this isn’t one of them.

Police and FBI and the like are supposed to go directly to carriers for this kind of information. But paperwork is such a hassle! If carriers let LocationSmart, a separate company, access that data, and LocationSmart sells it to someone else (Securus), and that someone else sells it to law enforcement, much less paperwork required! That’s what Securus told Senator Ron Wyden (D-OR) it was doing: acting as a middle man between the government and carriers, with help from LocationSmart.

LocationSmart’s service appears to locate phones by which towers they have recently connected to, giving a location within seconds to as close as within a few hundred feet. To prove the service worked, the company (until recently) provided a free trial of its service where a prospective customer could put in a phone number and, once that number replied yes to a consent text, the location would be returned.

It worked quite well, but is now offline. Because in its excitement to demonstrate the ability to locate a given phone, the company appeared to forget to secure the API by which it did so, Brian Krebs reports.

Krebs heard from CMU security researcher Robert Xiao, who had found that LocationSmart “failed to perform basic checks to prevent anonymous and unauthorized queries.” And not through some hardcore hackery — just by poking around.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort,” he told Krebs. Xiao posted the technical details here.

They verified the back door to the API worked by testing it with some known parties, and when they informed LocationSmart, the company’s CEO said they would investigate.

This is enough of an issue on its own. But it also calls into question what the wireless companies say about their own policies of location sharing. When Krebs contacted the four major U.S. carriers, they all said they all require customer consent or law enforcement requests.

Yet using LocationSmart’s tool, phones could be located without user consent on all four of those carriers. Both of these things can’t be true. Of course, one was just demonstrated and documented, while the other is an assurance from an industry infamous for deception and bad privacy policy.

There are three options that I can think of:

  • LocationSmart has a way of finding location via towers that does not require authorization from the carriers in question. This seems unlikely for technical and business reasons; the company also listed the carriers and other companies on its front page as partners, though their logos have since been removed.
  • LocationSmart has a sort of skeleton key to carrier info; their requests might be assumed to be legit because they have law enforcement clients or the like. This is more likely, but also contradicts the carriers’ requirement that they require consent or some kind of law enforcement justification.
  • Carriers don’t actually check on a case by case basis whether a request has consent; they may foist that duty off on the ones doing the requests, like LocationSmart (which does ask for consent in the official demo). But if carriers don’t ask for consent and third parties don’t either, and neither keeps the other accountable, the requirement for consent may as well not exist.

None of these is particularly heartening. But no one expected anything good to come out of a poorly secured API that let anyone request the approximate location of anyone’s phone. I’ve asked LocationSmart for comment on how the issue was possible (and also Krebs for a bit of extra data that might shed light on this).

It’s worth mentioning that LocationSmart is not the only business that does this, just the one implicated today in this security failure and in the shady practices of Securus.

Powered by WPeMatico

Mobile phone companies appear to be providing your number and location to anyone who pays

 You may remember that last year, Verizon was punished by the FCC for injecting information into its subscribers’ traffic that allowed them to be tracked without their consent. That practice appears to be alive and well despite being disallowed in a ruling last March: companies appear to be able to request your number, location, and other details from your mobile provider quite easily. Read More

Powered by WPeMatico

User outcry prompts OnePlus to step down its excessive data collection

 Earlier this week, it was revealed that independent phone maker OnePlus was collecting all manner of information from phones running its OxygenOS — without telling users, of course. Caught red-handed, the company is backing off from the opt-out data collection program, giving users a choice up front instead of buried in the options. Read More

Powered by WPeMatico

Wayfindr Is Building An Open Standard For Indoor Navigation By Beacon

Wayfindr A project to probe the viability of using low power Bluetooth Beacon technology as an aid for indoor navigation — with a special focus on helping blind and visually impaired people get around independently — has been awarded a $1 million grant from Google.org to broaden and accelerate its development. Read More

Powered by WPeMatico

Private Social Networking Service Grou.ps Regroups To Focus On Health And Fitness

g-phone White label social networking service Grou.ps is now closed for new signups as the company is changing its strategy from being a general private social networking service to focusing solely on the health and fitness industry. The company is also changing its name from Grou.ps to GymGroups. Grou.ps was one of the first private social networking services on the market — together with… Read More

Powered by WPeMatico

Life360 Acquires Chronos To Add “Quantified Self” Tracking To Its Family Locator App

life360 Life360, the maker of mobile applications for iOS, Android and Windows Phone that help keep families connected, has acquired Chronos Mobile Technologies, a startup behind a number of mobile apps that passively collect data from users’ smartphones in order to highlight trends and connections between various behaviors. Terms of the deal were not disclosed, but Chronos had closed on a… Read More

Powered by WPeMatico