LocationSmart boasted that it could find any phone in the US. Now the company is finding itself under investigation.
The Federal Communications Commission has opened an investigation into the California-based company, a day after a security researcher from Carnegie Mellon University exposed a vulnerability on LocationSmart's website.
The cell phone tracking firm offered a free demonstration on its website, where you could track any phone, as long as you had consent from the phone's owner. The flaw, which LocationSmart said it has fixed, would have allowed anyone to use the tracking feature without needing prior consent.
Robert Xiao said he discovered the flaw within 15 minutes of looking at LocationSmart's website, calling it an "elementary" exploit.
The bug has prompted an investigation from the FCC, the agency said on Friday. An FCC spokesman said LocationSmart's case was being handled by its Enforcement Bureau.
LocationSmart is able to obtain accurate geolocation data on nearly any phone in the US because it buys that data from major US wireless carriers, including T-Mobile, Verizon, AT&T and Sprint. Though wireless carriers aren't allowed to provide location data to the government, they can sell that data to businesses.
Since The New York Times revealed last week that Securus, an inmate call tracking service, had offered the same tracking service, Sen. Ron Wyden, a Democrat from Oregon, has called for the FCC and major wireless carriers to investigate these companies.
On Friday, Wyden praised the investigation, but asked the FCC to expand its look beyond LocationSmart.
"The negligent attitude toward Americans' security and privacy by wireless carriers and intermediaries puts every American at risk," Wyden said. "I urge the FCC to expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans."
He is also calling for FCC Chairman Ajit Pai to recuse himself from the investigation, because Pai was a former attorney for Securus.
In a statement provided on Friday, LocationSmart said that it was investigating the vulnerability to ensure that no customer information was stolen.
"LocationSmart is continuing its efforts to verify that not a single subscriber's location was accessed without their consent and that no other vulnerabilities exist," said Brenda Schafer, LocationSmart's vice president of product and marketing.