Vulnerability in LocationSmart Could Be Exploited to Track Any User

LocationSmart claimed that it could locate any phone in the United States, and now it is being investigated after a security researcher exposed a security vulnerability on its website. As a result, the Federal Communications Commission (FCC) has started an investigation into the California-based company.

More about LocationSmart

LocationSmart’s service is able to obtain accurate geolocation data on nearly any mobile phone in the US. To be able to do so, the website buys data from major US wireless carriers such as T-Mobile, Verizon, AT&T and Sprint. Though wireless carriers aren’t allowed to provide location data to the government, they can sell that data to businesses, CNET recently explained.

The vulnerability within the phone-tracking website LocationSmart could have been easily exploited to track any user of a mobile device registered via a major U.S. cellular carrier, in real time and with fairly high accuracy.

LocationSmart featured a free demonstration on its website, where anyone could track any phone, as long as there was consent from the phone’s owner. The flaw, which has already been addressed, would have allowed anyone to use the tracking feature without prior consent.

Researcher Robert Xiao claims that he needed less than 15 minutes to uncover the vulnerability, after having a look at LocationSmart’s official website. Considering how easy it was for him to find the bug, he classified it as an elementary exploit. The vulnerability then prompted an FCC investigation, with the Enforcement Bureau leading the process.

On top of that, the New York Times recently revealed that Securus, an inmate call tracking service, offered the same tracking service. These two events pushed Sen. Ron Wyden, a Democrat from Oregon, to demand that the FCC and major wireless carriers investigate.

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova.