Content, Breach

Millions of Mobile Users’ Geo-location Data at Risk in Tracking Scheme

You don’t have to look too far to find yet another scandal in which your digital privacy has been sold away without your knowledge or permission in the name of profit.

Right on the heels of the Facebook Cambridge Analytica mess, we have word that telecom giants AT&T, Sprint, T-Mobile and Verizon are peddling your real time location tracking info to third-parties that are repackaging it to their customers as geolocation services. If you’re looking for data aggregators such as the Dallas, TX-based Securus Technologies and the Carlsbad, CA-headquartered LocationSmart to safeguard your privacy, you’ve got a long wait ahead of you. (More on LocationSmart in a minute).

The New York Times has reported that the carriers, which collect real-time location tracking data on every mobile device user -- even without your GPS turned on -- are sharing your personal information, in one form or another, with Securus and others, in some cases supplied through yet another third-party. These adjunct entities use your location data without your consent or sufficient lock-downs for their own financial gain.

While real-time location data is commonly used to market products to potential customers on the fly, its use now extends farther. Law enforcement, for example, is relying on the information to monitor the communications of inmates, the NYT reported. And, in a particular egregious instance, a sheriff in Missouri, now up on state and federal charges, allegedly used the Securus service to follow other police officers and a judge without a warrant.

Location Privacy?

LocationSmart, which bills itself as a location-as-a-service provider, has as its foundation what appears to be a symbiotic relationship with the carriers that enables it to offer real-time location data on virtually anyone at any time using multiple telecoms’ cell towers, provided that person gives his or her consent via text message. But, as a recent event showed, the sanctity of mobile users’ data isn’t as secure as advertised. KrebsOnSecurity reported last week that a researcher at Carnegie Mellon University discovered a bug in the site that allowed anyone to stealthily track another person’s location without consent.

"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, told ZDNet. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."

Ultimately, LocationSmart acknowledged the bug and pulled the free try-before-you-buy feature from its website. Still, the point remains: Your personal data is anything but secure the farther it gets passed down the line to third parties. A hacker exploiting the demo service could easily have uncovered the exact location of AT&T, Sprint, T-Mobile and Verizon customers in the entire U.S.

More Cause for Concern

There’s more to this spider web: Last week, Motherboard reported that Securus itself had been hacked. Once inside Securus’ servers, the hackers found nearly 3,000 user names, email addresses, phone numbers, hashed passwords and security questions mostly belonging to law enforcement offers, dating back seven years, Motherboard reported. The hacker subsequently provided Motherboard with some of the stolen data. Users listed in the files included sheriff departments, local counties, and city law enforcement from a number of U.S. cities, including Indianapolis, Minneapolis and Phoenix, the report said. Securus has said it is investigating the burglary.

The break-in itself, by data breach standards, is fairly run-of-the-mill in its size and the types of material pilfered. Still, it’s a clear example of how your data isn’t nearly as secure as either the carriers or the third-parties want you to believe. In this case, it’s only the privacy of millions of mobile phone users Securus isn't adequately bolting down.

“Securus was enabling tracking without a warrant and allowing users of their system to claim authority to do so without checking it. That’s a problem,” Andrew Crocker, staff attorney at campaign group the Electronic Frontier Foundation told Motherboard. “A concern with any system is if it’s not limited to authorized users who have the authority to engage in surveillance, then it’s doubly problematic.”

Securus has also drawn the attention of Ron Wyden (D-OR), who has called on the wireless carriers to stop sharing your location data with third parties. Here’s what Wyden said in a statement to ZDNet:

" leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans' security," he said. "It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone," he said. "If the FCC refuses to act after this revelation then future crimes against Americans will be the commissioners' heads," he said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.