Whether stolen or accidentally leaked, the location data of mobile phone customers has been making headlines for much of May. The latest announcement came yesterday from KrebsOnSecurity, with news that a bug in the website of US-based tracking firm LocationSmart was leaking real-time location information of mobile phone customers.
What is known is that the vulnerability was discovered in a free demo tool available on LocationSmart’s website and was revealing to virtually anyone who wanted it the general whereabouts for customers of AT&T, Sprint, T-Mobile, and Verizon.
After KrebsOnSecurity verified the tool was leaking information "without the need for any password or other form of authentication or authorization," LocationSmart took the service offline.
However, in an email to Infosecurity Magazine, LocationSmart confirmed that Carnegie Mellon University security researcher Robert Xiao was only able to locate the subscribers by personally obtaining their consent.
With its enterprise mobility platform, LocationSmart said it strives to bring secure operational efficiencies to customers. "All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber."
Tim Erlin, VP of product management and strategy at Tripwire, said that the increased connectivity and access that we gain comes at a price. “Connections go both ways. Consent and comprehension aren’t the same thing. Consumers routinely consent to sharing data without understanding what that really means. "
"LocationSmart’s service was vulnerable to abuse, and those types of errors occur. The surprise isn’t about a vulnerable service but about the content of that service. No one wants to imagine that they can be tracked without cause.”
The email from LocationSmart also confirmed that it has disabled the vulnerability in the consent mechanism of its online demo identified by the researcher.
"We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability," LocationSmart wrote.
The company said it is continuing its efforts to verify that no subscriber’s location was accessed without their consent and that no other vulnerabilities exist. "LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process," the company wrote.