LocationSmart claimed that it could locate any phone in the United States, and now it is being investigated after a security researcher exposed a security vulnerability on its website. As a result, the Federal Communications Commission (FCC) has started an investigation into the California-based company.
More about LocationSmart
LocationSmart’s service is able to obtain accurate geolocation data on nearly any mobile phone in the US. To be able to do so, the website buys data from major US wireless carriers such as T-Mobile, Verizon, AT&T and Sprint. Though wireless carriers aren’t allowed to provide location data to the government, they can sell that data to businesses, CNET recently explained.
The vulnerability in the phone-tracking website LocationSmart could have been easily exploited to track, in real time and with fairly precise accuracy, any user of a mobile device registered with a major U.S. cellular carrier.
LocationSmart featured a free demonstration on its website, where anyone could track any phone, as long as there was consent from the phone’s owner. The flaw, which has already been addressed, would have allowed anyone to use the tracking feature without prior consent.
Researcher Robert Xiao claims that he needed less than 15 minutes to uncover the vulnerability, after having a look at LocationSmart’s official website. Considering how easy it was for him to find the bug, he classified it as an elementary exploit. The vulnerability then prompted an FCC investigation, with the Enforcement Bureau leading the process.
On top of that, the New York Times recently revealed that Securus, an inmate call tracking service, offered the same tracking service. These two events pushed Sen. Ron Wyden, a Democrat from Oregon, to demand that the FCC and major wireless carriers investigate these companies.
“The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk,” Wyden said. “I urge the FCC to expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans.”
In addition, LocationSmart said in a statement that it was investigating the flaw to make sure that no customer information was stolen or compromised.
“LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist,” explained Brenda Schafer, LocationSmart’s vice president of product and marketing.