A company that aggregates data about the location of U.S. mobile devices in real time was found to have leaked that information — data which tracked every user of the four major mobile carriers in the country — through its website, according to a recent report.
The company, LocationSmart, leaked the information through its own website, according to KrebsOnSecurity. A “buggy component” on the site allowed access to this data “without the need for any password or other form of authentication or authorization.”
The discovery was made by Carnegie Mellon security researcher Robert Xiao, who found he could look up mobile numbers through a LocationSmart demo tool available on the company’s site, with no credentials required.
LocationSmart reportedly took its service offline after KrebsOnSecurity contacted the company last week. The service “could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.”
Though the service, which used cell phone towers to track phones, is not as exact as GPS tracking, Xiao’s testing showed it could place a user anywhere from within 1.5 miles down to within 100 yards of their actual location.
Third Party Troubles
There’s an obvious question mobile users could rightfully ask: why does this company have my location data, anyway? While the Krebs report notes that, “none of the major carriers would confirm or deny a formal business relationship with LocationSmart,” ZDNet claims that these cell carriers “are selling access to your real-time phone location data.”
Whatever the relationship of LocationSmart and your mobile carriers may be, there’s no denying that third-party access to any of your data weakens privacy — the more companies that have access to your data, the more possibilities there are for leaks and hacks. We’ve seen it before — recently on Facebook, for instance — and we’ll certainly see it again.
The only way to solve these issues is stronger consumer laws. These laws must clarify what portions of user data companies can share with each other, and those limits should be acceptable to customers. Otherwise, these incidents may only get worse.