Carnegie Mellon University

Image of Robert Xiao

May 18, 2018

CMU Student Discovers Website Leaking Locations of Phone Customers

By Byron Spice

Byron Spice
  • School of Computer Science
  • 412-268-9068

Some cybersleuthing by Robert Xiao, a Ph.D. student in Carnegie Mellon University's Human-Computer Interaction Institute, uncovered a security vulnerability on the website of LocationSmart, a Carlsbad, California, company that provides a service for identifying the real-time location of mobile phones in the United States and Canada.

Though the service routinely requires customer approval before it reveals any phone's location, Xiao was able to access anyone's phone location after only about 15 minutes of exploration of the site on May 16, without getting any individual's permission.

"I actually couldn't believe my eyes," Xiao said. "I shouldn't be able to type in anybody's phone number and find out where they are."

Xiao reported the vulnerability through the CERT Coordination Center on May 16, notified the Federal Trade Commission on the morning of May 17, and within a few hours, the site was taken down. The FTC announced today that it will investigate. But Xiao said he is concerned that he was able to quickly access very sensitive information using what he considers "a low-grade hack." If he could do it, he reasoned, plenty of other people might have done so as well.

Xiao has more than a little expertise in cybersecurity. He is a member of the Plaid Parliament of Pwning (PPP), CMU's famed hacking team, which has won more DEFCON Capture the Flag competitions than any other institution. Last summer he captained the winning team at the Cambridge2Cambridge cybersecurity competition at the University of Cambridge. He will join the University of British Columbia in January as an assistant professor of computer science.

He visited the LocationSmart site following several recent news stories about unauthorized access of mobile phone locations. A May 10 New York Times story broke the news that Securus, a company that provides and monitors phone calls for prison inmates, had been tracking people's cellphones, without authorization, for a Missouri sheriff. A May 15 story on ZDNet noted that LocationSmart was the intermediary that provided the location data to Securus.

Companies such as LocationSmart work cooperatively with telecom companies to provide locations of cellphones for such purposes as tracking deliveries or keeping track of remote workers. Rather than GPS coordinates, the service provides the address of the nearest cellphone tower. In all cases, cellphone users are supposed to be informed of or to have given their consent for such tracking.

LocationSmart Founder and CEO Mario Proietti told the KrebsonSecurity blog that the company is investigating the security breach.

"People get breached all of the time," Xiao said, and it's possible he was lucky in his attempts. But Xiao nevertheless is troubled that such sensitive data is provided to vendors by the telecom companies and that more care isn't taken to protect it.

KrebsOnSecurity reported that none of the major carriers would confirm or deny a relationship with LocationSmart and all emphasized that geolocation information is provided only with customer consent or in response to a court order.