Website Bug Enables Anyone to Track US Phones Without Permission

Last week US senator John Wyden issued a formal complaint to the FCC about a phone tracking system. Worryingly, a second, more terrifying tracking service has surfaced.

It is called LocationSmart, and it is a phone tracking service that can pinpoint the location of mobile phones connected to carrier networks belonging to Verizon, AT&T, Sprint, and T-Mobile.

Brian Krebs, a security researcher, has revealed that a bug exists in the service.

The free-to-use API had been allowing anyone with basic coding knowledge to track almost every cell phone in the US.

Location Tracking Demo

The technology was intended to check the location of one’s phone, with an SMS message asking for the user’s authorization to approximate the phone’s position using mobile tower triangulation.

However, a researcher at Carnegie Mellon University found a way to bypass the SMS authorization process using the online demo tool.

Easily Exploitable

Robert Xiao from Carnegie Mellon’s Human-Computer Interaction Institute said he found the bug by chance. In his detailed blog post about the bug, he explained just how easy it was to bypass the SMS security check.

Mario Proietti, the CEO of LocationSmart, said the firm would launch an investigation into the matter. The demo tool is no longer available on the company's website. The CEO said the API was made available for “legitimate and authorized purposes” only.

Legal Conundrum

Krebs claims that it is conceivable the demo had been available for exploitation since 2011, and definitely since January 2017.

Krebs said: “A third-party firm leaking customer location information not only would almost certainly violate each mobile provider's own stated privacy policies, but the real-time exposure of this data poses serious privacy and security risks for virtually all U.S. mobile customers.”

The decision from the FCC’s investigation is yet to come, but it’s certain this case will not go down meekly.

 

UK Police Reportedly Accessing Phone Records Unlawfully

Privacy International has filed a formal complaint about UK police forces' use of highly invasive “mobile phone extraction technology.”

In the complaint, made to the Information Commissioner's Office, the group reports that UK authorities have been accessing the contents of people’s phones without authorization, that is, without a warrant. The complaint has also been forwarded to the Home Office and the Independent Office for Police Conduct.

In the complaint, PI called for reforms, claiming the practices are “totally unregulated, potentially discriminatory and unlawful.”

Data Mining

Millie Graham Wood, an attorney working for Privacy International, has claimed that UK police are using tools from the Israeli firm Cellebrite to download data directly from phones without the owners' knowledge.

Easily Recoverable

Wood claims to have tested the Cellebrite UFED Touch 2 device and says that it connects directly to the phone from which it gathers data. Wood further added that the Cellebrite device was even able to piece back together previously deleted messages from WhatsApp, which is an encrypted messaging app.