Earlier this week, ZDNet followed up on the Times report, revealing that Securus obtains its data through an intermediary called LocationSmart - a firm that has the ability to track any phone on Verizon, AT&T, T-Mobile or Sprint in seconds.
But according to Robert Xiao, a PhD candidate at CMU's Human-Computer Interaction Institute, that same service failed to perform basic checks to prevent anonymous and unauthorized queries. "This is something anyone could discover with minimal effort", Xiao said. He said he looked up a friend's mobile number several times over a few minutes while that friend was moving. Following the disclosure, the service has been taken offline, and LocationSmart has not yet given an official explanation.
LocationSmart was among the companies dragged into the public eye this week when it was named as one of the location-tracking sources used by Securus, a United States prison telecommunications provider accused of illegally giving tracking data to police.
Xiao also published a proof-of-concept script showing how the (since patched) vulnerability could be exploited in the wild.
LocationSmart's demo was meant to be consent-based: to locate a phone, it would text or call the number and request permission from the owner. The LocationSmart bug essentially opened this tool up to anybody, the Carnegie Mellon researcher said. "LocationSmart was basically giving free-for-alls to anyone", he said. "The remaining three sources said the location returned for their phones was between approximately 1/5 to 1/3 of a mile at the time". LocationSmart's CEO defended the service: "We make it available for legitimate and authorized purposes", Krebs quoted the CEO as saying. While wireless carriers are restricted in providing location data to the government, they have free rein to sell that data to other businesses, many of which have taken advantage of this loophole. Motherboard later reported that Securus experienced its own security breach that exposed the usernames and weakly protected passwords of thousands of Securus customers. LocationSmart's business, in other words, is real-time location data.
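The failure described above is a consent check that lives only in the public demo page, so anyone who reaches the backend lookup directly is never asked. The following is an added illustration written for this page, not LocationSmart's code and not Xiao's proof of concept; the phone numbers, places, the 15-minute consent lifetime and all function names are constructed for the example. It models the consent flow (prompt the owner, record the reply), a weak design where only the demo front end checks consent, and a hardened lookup where authentication and an unexpired, owner-granted consent are enforced on the one path that reaches the carrier.

```python
import secrets
import time

# Constructed sample data standing in for the carrier query the real service
# performs; numbers and places are invented for this example.
CARRIER_LOCATIONS = {
    "+15551230001": {"place": "Pittsburgh, PA", "radius_miles": 0.3},
    "+15551230002": {"place": "Washington, DC", "radius_miles": 0.25},
}

CONSENT_TTL_SECONDS = 15 * 60  # assumption: a grant is good for 15 minutes


class ConsentStore:
    """Tracks consent prompts sent to phone owners and the replies received."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # one-time token -> phone number prompted
        self._granted = {}       # phone number -> expiry timestamp

    def send_consent_request(self, number):
        """Stands in for the SMS/voice prompt: returns the one-time token the
        owner would reply with. The token is unguessable and single-use."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = number
        return token

    def record_reply(self, token, approved):
        """Owner's reply. The token is consumed whether or not they approve,
        so an unknown or replayed token never grants anything."""
        number = self._pending.pop(token, None)
        if number is None:
            return False
        if approved:
            self._granted[number] = self._now() + CONSENT_TTL_SECONDS
        return approved

    def has_consent(self, number):
        """True only for a grant that exists and has not expired."""
        expiry = self._granted.get(number)
        if expiry is None:
            return False
        if self._now() > expiry:
            del self._granted[number]   # stale grants are forgotten
            return False
        return True


def carrier_lookup(number):
    """Backend query to the carrier. Nothing here checks who is asking or
    whether the owner agreed; that is the weak design's mistake."""
    return CARRIER_LOCATIONS.get(number)


def weak_demo_page(number, consent):
    """Weak design: consent is enforced only in the demo front end. Anyone
    who finds the backend (carrier_lookup) skips this function entirely."""
    if not consent.has_consent(number):
        raise PermissionError("owner has not approved this lookup")
    return carrier_lookup(number)


def hardened_lookup(number, api_key, consent, valid_keys):
    """Hardened design: every path to the carrier goes through here. The
    caller must be authenticated and the owner's unexpired consent must be on
    record before the backend is ever queried."""
    if api_key not in valid_keys:
        raise PermissionError("anonymous or unknown caller")
    if not consent.has_consent(number):
        raise PermissionError("owner has not approved this lookup")
    return carrier_lookup(number)
```

The point of the split is that `weak_demo_page` is not a security boundary: the check it performs can be bypassed by calling `carrier_lookup` directly, which is exactly the class of problem the article describes. In the hardened version the backend is only reachable through a function that checks both the caller's identity and the owner's consent, and consent is bound to a single-use token and a short lifetime, so a reply cannot be replayed later to locate the same phone again.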
Krebs contacted all four of the major US mobile carriers, and all declined to confirm or deny a formal business relationship with LocationSmart, despite LocationSmart displaying the carriers' corporate logos on its website.
LocationSmart's legitimate lookups require the phone owner's consent, but the people whose phones could be located through the demo never agreed to let anyone else learn that information. The service has now been taken down after Krebs on Security notified the company.