CMU Student Discovers Website Leaking Locations of Cell Phone Customers

HCII Ph.D. student Robert Xiao uncovered a security vulnerability on the website of a company that provides a service for identifying the real-time location of mobile phones in the U.S. and Canada.

Some cybersleuthing by Robert Xiao, a Ph.D. student in the Human-Computer Interaction Institute, uncovered a security vulnerability on the website of LocationSmart, a Carlsbad, Calif., company that provides a service for identifying the real-time location of mobile phones in the United States and Canada.

Though the service routinely requires customer approval before it reveals any phone's location, Xiao was able to access anyone's phone location after only about 15 minutes of exploration of the site on May 16, without getting any individual's permission.

"I actually couldn't believe my eyes," Xiao said. "I shouldn't be able to type in anybody's phone number and find out where they are."

Xiao reported the vulnerability through the CERT Coordination Center on May 16, and notified the Federal Trade Commission on the morning of May 17. Within a few hours, the site was taken down, and the FTC announced today that it will investigate.. But Xiao said he is concerned that he so quickly accessed very sensitive information using what he considers "a low-grade hack." If he could do it, he reasoned, plenty of other people might have done so as well.

Xiao has more than a little expertise in cybersecurity. He belongs to the Plaid Parliament of Pwning (PPP) — CMU's famed hacking team — which has won more DEFCON Capture the Flag competitions than any other institution. Last summer he captained the winning team at the Cambridge2Cambridge cybersecurity competition at the University of Cambridge. He will join the University of British Columbia in January as an assistant professor of computer science .

He visited the LocationSmart site following several recent news stories about unauthorized access of mobile phone locations. A May 10 New York Times story broke the news that Securus, a company that provides and monitors phone calls for prison inmates, had been tracking people's cellphones without authorization for a Missouri sheriff. A May 15 story on ZDNet noted that LocationSmart was the intermediary that provided the location data to Securus.

Companies such as LocationSmart work cooperatively with telecom companies to provide locations of cell phones for such purposes as tracking deliveries or remote workers. Rather than GPS coordinates, the service provides the address of the nearest cell phone tower. In all cases, cell phone users are supposed to be informed of or give their consent for such tracking.

LocationSmart Founder and CEO Mario Proietti told the KrebsonSecurity blog that the company is investigating the security breach.

"People get breached all of the time," Xiao said, and it's possible he was lucky in his attempts. But Xiao nevertheless is troubled that telecom companies provide such sensitive data to vendors and that more care isn't taken to protect it.

KrebsOnSecurity reported that none of the major carriers would confirm or deny a relationship with LocationSmart, and all emphasized that geo-location information is provided only with customer consent or in response to a court order.

 

Byron Spice | 412-268-9068 | bspice@cs.cmu.edu