Website bug allows people to track cell phones without permission

Recently, US Democrat senator John Widen sent a formal complaint to the FCC (Federal Communications Commission) regarding a phone tracking device that allows the police to track pretty much any phone in the US. Following this, it has been reported that an even worse tracking system has been used to track mobile phones in the United States and it can be used by anyone. This system is called LocationSmart and it is a phone tracking service that can specify the location of mobile phones connected to carrier networks from leading companies like AT&T, Sprint, Verizon and T-Mobile.

That is not all, recognized security expert Brian Krebs revealed that in the free demo of the location tracking solution, there is a bug that can be easily exploited. The free API had been allowing anyone with basic coding skills to track pretty much any mobile phone in the United States. It could be previously found on LocationSmart’s website. The location tracking demo was meant to allow users to try the technology by checking the location of their own phone. It gave users who were interested in the tool, the chance to test it by providing their personal data such as name, email address and phone number.

A bug that compromised privacy

The information was entered into an online form and after that, the user will get an SMS message requesting their permission to approximate their device’s position with the help of cell tower triangulation. The issue is that security researchers found a way to get around the SMS authorization process. This allowed them to query the location of any phone in the US with the online demo tool, showing its vulnerabilities.

While the bug was found by researchers by accident, its discovery shows how easy it is to exploit the demo tool to track people’s phone without their authorization. By performing only a few changes, experts at Carnegie Mellon University were able to bypass the requirement for phone users to consent via SMS before tracking could be done. Understandably, researchers expressed their concern at how easy it was to circumvent the need to ask for permission to track a device.

They also explained that the process works on any device, regardless of the operating system or privacy settings. This is because it is based on the carrier and it is not even possible to opt out. Following the controversy, LocationSmart, the company behind the tracking technology stated that it will launch an investigation and it removed the demo tool from its website. LocationSmart also claimed that the technology was designed with the base of legitimate and authorized use of location data that is only enabled upon request. It stated that it will review what happened in this case.

Breach of privacy

The information regarding the bug was revealed just a few days after Senator Ron Wyden expressed his concerns regarding the way in which customers’ data is handled by companies and affiliated third-parties. According to Senator Wyden, the security breaches exposed show that companies have little respect for consumers’ privacy. Brian Krebs even contacted the four cell phone carriers that were impacted by the bug, but they didn’t want to confirm if they had worked with LocationSmart or not. Still, Krebs stated that it is likely that the demo has been available for exploit as early as 2011. This is only an estimated, but what is known for sure is that the issue has been occurring since the start of 2017.

The Electronic Frontier Foundation also took part in the discussion, stating that by law, companies are required to keep location data to make sure that it is available to emergency services. Still, there is no clarity about the legality of carriers selling it to companies such as LocationSmart, without customers’ permission. At the moment, there is a pending investigation and once the FCC concludes it, more information should be available. In the meantime, it is expected that the issue will still be discussed and causing concern among mobile phone users in the US.