
Phone-tracking firm had bug that let anyone track millions of Americans

The demo feature required people to have consent from those they were tracking. It took 15 minutes for one researcher to get around that.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

LocationSmart allowed anyone to track any US phone.


It seems LocationSmart's phone-tracking feature isn't smart with security or privacy.

The cell phone tracking firm, which CNET sister site ZDNet discovered was providing location data using "direct connections" to major US wireless carriers, offered a free demonstration on its website for potential customers to track any phone's location in real time. 

In ZDNet's test, the results were incredibly accurate, pinpointing locations within a city block.

All you had to do for the free trial was make sure you had consent from the phone number's owner, whom LocationSmart said it would text or call. But a simple bug on LocationSmart's website let a researcher from Carnegie Mellon University get around that requirement and track any phone without limitations. 

Robert Xiao, a doctoral student at Carnegie Mellon University's Human-Computer Interaction Institute, said he discovered the bug within 15 minutes after finding LocationSmart's website. By then, he was certain LocationSmart had a flaw that let anyone with an "elementary" understanding of websites track millions of people online without them knowing, and free of charge.

"LocationSmart was basically giving free-for-alls to anyone," he said. 

LocationSmart uses geolocation data it buys from major US wireless carriers, including T-Mobile, Verizon, AT&T and Sprint. Though wireless carriers aren't allowed to provide location data to the government, they can sell that data to businesses. 

A New York Times report last week revealed that Securus, an inmate call tracking service, had offered the same technology to find anyone's phone in the US within seconds. The LocationSmart bug essentially opened up this tool to anybody, the Carnegie Mellon researcher said.

He'd tricked LocationSmart's website because the page wasn't properly verifying that a person received the required consent. All Xiao needed to do was have the website return a different format for his requests, he said.
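
The article does not show LocationSmart's code. As an added illustration (not from CNET, Xiao or LocationSmart), the sketch below shows the class of flaw described above, a consent check that depends on the requested response format, next to a handler that enforces consent on every path. The handler names, formats, phone numbers and coordinates are all constructed.

```python
# Hypothetical location-lookup handlers; every name and value here is constructed.
CONSENTED = {"+15555550100"}  # numbers whose owner confirmed by text or call
LOCATIONS = {"+15555550100": (21.3, -157.8), "+15555550101": (40.4, -79.9)}


class ConsentRequired(Exception):
    """Raised when a lookup is attempted without recorded consent."""


def render(fmt, point):
    """Serialize a location; the format must never influence authorization."""
    lat, lon = point
    if fmt == "xml":
        return f"<loc lat='{lat}' lon='{lon}'/>"
    if fmt == "json":
        return '{"lat": %s, "lon": %s}' % (lat, lon)
    raise ValueError(f"unsupported format: {fmt}")


def lookup_flawed(number, fmt):
    # Flaw class: the consent check is tied to one output branch, so any
    # other accepted format reaches the data without it.
    if fmt == "xml" and number not in CONSENTED:
        raise ConsentRequired(number)
    return render(fmt, LOCATIONS[number])


def lookup_hardened(number, fmt):
    # Authorization runs first on every path; format only affects serialization.
    if number not in CONSENTED:
        raise ConsentRequired(number)
    return render(fmt, LOCATIONS[number])


def formats_bypassing_consent(handler, number, formats=("xml", "json")):
    """Regression check: formats that return data for a non-consented number."""
    leaked = []
    for fmt in formats:
        try:
            handler(number, fmt)
            leaked.append(fmt)
        except ConsentRequired:
            pass
    return leaked
```

Running the regression check over every supported format for a number with no recorded consent is the test that catches this kind of gap before release.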

Xiao first tried it on his own phone, then asked several of his friends to see if he could try it with their phone numbers.

"I had a friend driving around Hawaii, and I watched him driving around the island with his permission," Xiao said. "It was clear to me at that point that nobody I had contacted received a text message or notification while I was tracking them." 

After discovering the flaw, he reached out to the United States Computer Emergency Readiness Team to disclose the vulnerability, and to journalist Brian Krebs, who first reported the story.

LocationSmart's demo page has been disabled, Brenda Schafer, LocationSmart's vice president of product and marketing, said in a statement Friday. The company said it's resolved the vulnerability and that it's investigating if anyone other than Xiao accessed the bug. 

"We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission," Schafer said.

Last week, Sen. Ron Wyden, a Democrat from Oregon, requested that the Federal Communications Commission and major wireless carriers investigate abuses of geolocation data. 

In a statement Thursday, Wyden said the flaw in LocationSmart's website showed "how little companies throughout the wireless ecosystem value Americans' security." 

Calling for the FCC to intervene, Wyden added, "The threats to Americans' security are grave -- a hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child's cell phone to know when they were alone. The dangers from LocationSmart and other companies are limitless."

CNET's Laura Hautala contributed to this report.

First published May 17, 1:34 p.m.
Updates, 3:08 p.m.: Adds comment from Sen. Wyden; May 18 at 12:42 p.m.: Includes response from LocationSmart.
