Privacy Bug Cellphones Security Software Technology

Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com)

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from the four largest U.S. carriers. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. Xiao said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.
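The page gives only the shape of the bug: the "try" page's lookup API did not properly validate the consent response, so the SMS consent step could be skipped. The following is an added illustration of that class of flaw, not LocationSmart's code and not a reconstruction of its API. It assumes a two-step flow (send consent SMS, then look up location) and models it twice: a vulnerable version where the lookup trusts a client-supplied consent value, and a hardened version where consent is server-side state bound to a one-time token and the session that requested it. Phone numbers, coordinates, the class and method names, and the token TTL are all constructed for the example.

```python
"""
Added illustration of a consent-gated location lookup done two ways.
Not LocationSmart's code; the carrier feed, phone numbers and coordinates
below are constructed sample data.
"""
import hmac
import secrets
import time

# Constructed stand-in for a carrier's real-time location feed.
CARRIER_LOCATIONS = {
    "+15555550100": (37.7749, -122.4194),
    "+15555550101": (40.7128, -74.0060),
}


class VulnerableTryPage:
    """Consent is whatever the client says it is."""

    def send_consent_sms(self, phone):
        # Pretend an SMS went out; the server records nothing about it,
        # so nothing later can check that it was answered.
        return "sms sent"

    def locate(self, phone, consent_response):
        # Bug: trusts a client-supplied value and rejects only an explicit
        # "no", so an omitted, empty or fabricated response passes and the
        # SMS step can be skipped entirely.
        if consent_response == "no":
            raise PermissionError("consent denied")
        return CARRIER_LOCATIONS.get(phone)


class HardenedTryPage:
    """Consent is server-side state tied to a one-time token and a session."""

    TOKEN_TTL = 300  # seconds a pending consent request stays valid (assumed)

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}       # phone -> (token, session_id, expires_at)
        self._consented = set()  # (phone, session_id) pairs with verified consent

    def send_consent_sms(self, phone, session_id):
        token = secrets.token_urlsafe(16)
        self._pending[phone] = (token, session_id, self._clock() + self.TOKEN_TTL)
        # Returned here only so the example can simulate the handset; a real
        # deployment delivers the token to the phone, never to the API caller.
        return token

    def record_consent(self, phone, presented_token):
        # One attempt per request: a wrong or stale token consumes the entry,
        # so it cannot be brute-forced or replayed.
        entry = self._pending.pop(phone, None)
        if entry is None:
            return False
        token, session_id, expires_at = entry
        if self._clock() > expires_at:
            return False
        if not hmac.compare_digest(token, presented_token):
            return False
        self._consented.add((phone, session_id))
        return True

    def locate(self, phone, session_id):
        # The lookup checks server state, not anything the client asserts,
        # and consent granted to one session does not transfer to another.
        if (phone, session_id) not in self._consented:
            raise PermissionError("no recorded consent for this phone and session")
        return CARRIER_LOCATIONS.get(phone)


def demo():
    """Returns (vulnerable_leak, hardened_blocked, hardened_after_consent)."""
    v = VulnerableTryPage()
    leaked = v.locate("+15555550100", consent_response="")  # SMS step skipped

    h = HardenedTryPage()
    try:
        h.locate("+15555550100", session_id="attacker")
        blocked = False
    except PermissionError:
        blocked = True

    token = h.send_consent_sms("+15555550100", session_id="s1")
    if not h.record_consent("+15555550100", token):
        raise RuntimeError("consent should have been recorded")
    after = h.locate("+15555550100", session_id="s1")
    return leaked, blocked, after


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is not the SMS itself but where the decision lives: the lookup endpoint consults state the server wrote after verifying a token, so there is no request parameter a caller can omit or forge to skip the step. The failed-attempt-consumes-token and per-session binding are the two checks most often missing in "try it" demo endpoints.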

  • by Anonymous Coward

    Why are cellular companies even allowed to sell that data to just anyone?

    • by viperidaenz ( 2515578 ) on Thursday May 17, 2018 @05:40PM (#56629488)

      Because they all put it in the terms of service you agreed to and USA has no law that says they can't add that to the contract.

      • I'm pretty sure the Universal Declaration of Human Rights forbids it. Article 12:

        No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

      • Because they all put it in the terms of service you agreed to and USA has no law that says they can't add that to the contract.

        A question. Wasn't it a rule during the Obama administration recently voted down by the current Congress and signed by Mr Trump?

        On March 28, Congress voted along party lines to kill a set of rules adopted by the Federal Communications Commission in October that would've forced your internet service provider, or ISP, to ask you before it collected certain personal information.

        The joint resolution that enacts those changes, S.J. Res. 34, was presented by Republican Sen. Jeff Flake of Arizona and cosponsored by 24 other Republicans. President Donald Trump signed the resolution on Monday night, turning it into law.

    • by AHuxley ( 892839 )
      Police and FBI support. DEA and High Intensity Drug Trafficking Area policing. State task forces and city, state police.
      Their hardware and software has to work.
      A cellphone that's too hard to decrypt and track all around the USA is a cell phone that should not be approved.
      • Police and FBI support. DEA and High Intensity Drug Trafficking Area policing. State task forces and city, state police.
        Their hardware and software has to work.
        A cellphone that's too hard to decrypt and track all around the USA is a cell phone that should not be approved.

        Exactly.

        The government loves them some "third-party doctrine". It means that not only does it make it trivial for government to implement mass surveillance/tracking, it also means all these corporations can cash in on your privacy as well, and so can bad actors.

        Glad I don't own a cellphone. Not planning on getting one until this privacy/security stuff is fixed to at least a somewhat reasonable level, which likely means I'll never own a cellphone.

        What needs to happen to force change is to use this to publish

  • by Anonymous Coward

    We need a new law.

    A privacy by default law. Lets call it Title III. Basically Title II lets these ISPs and data hoarders do whatever with this data. They need to be reined in a bit. Just like Title I restricted the phone companies from basically spying on everyone. This is not the first time this has happened. It is happening right now.

    Would it shock you to know that cell phones are not covered under Title I rules? But II rules. Because they are more flexible.

  • by gatfirls ( 1315141 ) on Thursday May 17, 2018 @05:39PM (#56629482)

    ...popcorn in hand for some company to leak data like this. I always figured it would be something like FB messages which I am fully convinced was the way the world in 'The Road' became that way.

    If I recall correctly there was a poll that showed in roughly 30% percent of marriages one or both partners admitted to cheating. Imagine ~10 million married couples finding out about infidelity in the relationship near simultaneously.

    • by freeze128 ( 544774 ) on Thursday May 17, 2018 @06:11PM (#56629648)

      Imagine ~10 million married couples finding out about infidelity in the relationship near simultaneously.

      That means 10 million ladies willing to get payback by sleeping with slashdotters! Let the good times roll!

      • Imagine ~10 million married couples finding out about infidelity in the relationship near simultaneously.

        That means 10 million ladies willing to get payback by sleeping with slashdotters! Let the good times roll!

        Five million ladies. The infidelity rate is basically the same for both men and women, hence if 10m marriages have infidelity then around half of them would be cheating wives.

    • by Anonymous Coward
      Yes! I'd bet that Facebook keeps records of every login to a site that uses them for authentication. How many of those married folks are using Tinder? All it would take is a leak of that type of data to destroy many more than 10M marriages.
    • by CODiNE ( 27417 )

      There was that whole Ashley Madison thing... around 10 million accounts. A dozen or so people are known to have committed suicide following it... people got blackmailed for Bitcoin, but it was hardly the end of Western Civilization.

  • by DatbeDank ( 4580343 ) on Thursday May 17, 2018 @05:42PM (#56629506)

    Considering that there are only 4 mobile carriers in the US (Verizon, ATT, Sprint, and T-Mobile) and pretty much everyone underneath is an MVNO leasing space from them, that covers pretty much 95% of the whole US.

    • by DatbeDank ( 4580343 ) on Thursday May 17, 2018 @05:43PM (#56629514)

      Correction, the big 4 mobile carriers are the only games in town. That means everyone with a cell phone has been spied on.

    • by Mousit ( 646085 )
      While I'd agree that the vast, vast majority of U.S. consumers get their service from the Big Four (or an MVNO under them), they aren't the only games in town. U.S. Cellular and C-Spire are #5 and #6 for example. Granted, yes, they're way smaller and regional, but nonetheless other independent wireless companies do exist, and even being "small" they still represent millions of customers each.
  • by Anonymous Coward on Thursday May 17, 2018 @05:43PM (#56629508)

    "trivially easy" to skip

    that sheriff should be strung up by the courts and given 30 years for 'hacking'.. as anyone else would get if they were a normal person who did the same thing.

  • There's no such thing as a "police sheriff." Any editor should know that there are police and there are sheriffs. Someone mangled the NYTimes article which says "...the former sheriff of Mississippi County, Mo., used a lesser-known Securus service to track people’s cellphones, including those of other officers, without court orders, according to charges filed against him in state and federal court."
    • by rtb61 ( 674572 )

      There should be the additional charge of hacking a computer network. Once that access right demand comes up and you actively thwart it, you have hacked a computer network and then the other laws come into play. So the computer network crime should take priority. Else it is like claiming a locked door is not secure if there is a pane of glass that can be readily thwarted right next to it. So busted for the lesser crime, failing to adhere to the requirement for warrants, only to face a worse prosecution upon

  • by Anonymous Coward

    Time to back the truck up and wait for payout. Stand up and act.

  • High time (Score:5, Insightful)

    by Impy the Impiuos Imp ( 442658 ) on Thursday May 17, 2018 @06:16PM (#56629692) Journal

    A company can just buy real-time tracking data on everyone from the carriers?

    To quote from The Terror:

    "Go find a carpenter."

    "Why?"

    "It's time to build a gallows."

  • by Iamthecheese ( 1264298 ) on Thursday May 17, 2018 @06:45PM (#56629830)
    Why should I care whether someone had to pay 50 cents per head or whether they got the information with a trivial hack? The real problem is cellphone companies selling out their customers and a severe lack of apps not made by weasels. Privacy now.
  • "Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations"

    Should be:
    "Scummy Cell Phone Carriers (Verizon, AT&T, Sprint, T-Mobile) Sell Real-Time Location Information of Subscribers to Anyone Willing to Pay"

    • by Entrope ( 68843 )

      Laws (and/or regulations, depending on jurisdiction) require the companies to keep that information and make it available to government officials. Securus is supposed to be acting as an agent of government when it does this. Unsurprisingly, neither government nor the middleman do a very good job of access control or oversight.

  • Turn their back on local and state LEA that use and purchase "cell-simulators" that break multiple federal laws regarding spectrum allocation and type accepted equipment use without even discussing privacy issues, AND WE PAY STUPID money for them, AND the agencies are prohibited by an EULA to even admit they possess these devices. HOW DOES THAT WORK? That's even worse than a commercial entity breaking the law.
