
Website errors exposed real-time locations of US cell phones



A vulnerability in the website of a California company that collects real-time data on mobile devices would have allowed anyone to determine the location of an AT&T, Verizon, Sprint or T-Mobile mobile phone in the United States to within hundreds of feet, a security researcher said.

The company involved, LocationSmart of Carlsbad, California, works in a little-known business sector that provides companies with data for tracking employees and for sending e-coupons to customers near relevant businesses. Among the customers LocationSmart identifies on its website are the American Automobile Association, FedEx and the insurance carrier Allstate. LocationSmart did not immediately respond to emails and phone messages seeking comment on the error and its business practices.

The LocationSmart error was first reported by independent journalist Brian Krebs. It is the latest case to highlight how easy it is for wireless service providers to share or sell customers' geolocation information without their consent.

The New York Times reported earlier this month that a company called Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track individuals without a court order. On Wednesday, Motherboard reported that Securus' servers had been breached by a hacker who had stolen user data, most of which belonged to law enforcement agencies.

Securus may have received its location data indirectly from LocationSmart. Securus officials told the office of Senator Ron Wyden, an Oregon Democrat, that they had received the data from a company called 3Cinteractive, Wyden spokesman Keith Chu said. LocationSmart lists 3Cinteractive among its customers on its website.

Wyden said the LocationSmart and Securus cases underscore the "boundless dangers" that Americans are facing due to a lack of federal regulations on geolocation data.

"A hacker could have used this site to know when you were in your house so they would know when to rob it. A robber could track down your child's cell phone to know when they were alone," he said in a statement.

LocationSmart took the flawed website offline on Thursday, one day after Robert Xiao, a computer science student at Carnegie Mellon University, discovered the software error and notified the company, Xiao told The Associated Press.

The bug "allowed anyone anywhere in the world to look up the location of a US cell phone," the doctoral researcher said. "I could enter any 10-digit phone number," he added, "and I could pinpoint the location for everyone."

The site was designed so that visitors could test LocationSmart's service by entering their mobile number. The service would then call the phone or send a text message to obtain consent, and afterwards display the location of the phone, generally to within several hundred meters.

But Xiao found a flaw that allowed him to get around the consent step in just 15 minutes. "It would not take much time for anyone with enough technical knowledge to find that," he said. He wrote a script to take advantage of it.

"It was just surreal when I discovered that," he said. Xiao's research revealed that LocationSmart had been offering the service since at least January 2017.

LocationSmart describes itself as the "world's largest location-as-service company." It says it receives location information from all major US and Canadian mobile operators, with 95% coverage.

AT&T and Sprint representatives said they do not allow sharing of location information without individual consent or a lawful order such as a warrant. Verizon spokesman Rich Young said the company has taken steps to ensure that Securus can no longer request information about the company's mobile subscribers and that it is reviewing its relationship with LocationSmart.

T-Mobile did not immediately respond to a request for comment.

Gigi Sohn, a former top adviser at the Federal Communications Commission during the Obama administration, said users' location data has been under serious threat since last year. At that time, Congress abolished FCC privacy rules that prevented mobile operators from sharing or selling the data without the express consent of customers.

"Consumers should be able to decide if a company like LocationSmart should have access to this data at all," she said.
