FLAW GIVES HACKERS ABILITY TO PINPOINT CELLPHONE USERS
A California company confirmed that a flaw in its website allowed outsiders to pinpoint the location of mobile phones in the United States without authorization.
But LocationSmart, which gathers realtime data on cellular wireless devices, says it has no evidence that anyone exploited the vulnerability beforeMay 16, when a security researcher at Carnegie Mellon discovered it.
Brenda Schafer, a LocationSmart vice president, said via email Friday that the company is still seeking to verify that no location data was accessed without individual subscribers’ consent. She did not respond to questions about LocationSmart’s business practices or how long the flaw had existed.
Privacy advocates say the case is the latest to underscore how easily wireless carriers can share or sell consumers’ geolocation information without their consent. The LocationSmart flaw was first reported by independent journalist Brian Krebs.
LocationSmart operates in a little- known business sector that provides data to companies for such uses as tracking employees and texting e- coupons to customers near relevant stores. Among the customers Location Smart identifies on its website are the American Automobile Association, FedEx and the insurance carrier Allstate.
The New York Times reported this month that a firm called Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track people without a court order. On Wednesday, Motherboard reported that Securus’ servers had been breached by a hacker who stole user data that mostly belonged to law enforcement officials.
Securus may have obtained its location data indirectly from Location Smart. Securus officials told the office of Sen. Ron Wyden, an Oregon Democrat, that they obtained the data from a company called 3C interative, said Wyden spokesman Keith Chu. Location Smart lists 3Cinteractive among its customers on its website.
Wyden said the Location Smart and Securus cases underscore the “limitless dangers” Americans face due to the absence of federal regulation on geolocation data.