FCC to Investigate US Mobile Phone Location-Revealing Flaw
Senator Urges US Communications Regulator to Expand Inquiry
Following a report that a website flaw could have been easily exploited to track the location of cellular phone users throughout the country, the U.S. Federal Communications Commission has referred the matter to its enforcement bureau for investigation.
The error involved the website of LocationSmart, which tracks and sells the location of mobile phone users. The flaw could have been exploited to track any user of a mobile device registered via a major U.S. cellular carrier in real time with an accuracy that appears to vary from 100 yards to 1.5 miles (see Real-Time Mobile Phone Location Tracking: Questions Mount).
Sen. Ron Wyden, D-Oregon, who last week called on FCC Chairman Ajit Pai to investigate location tracking services, praised the move to investigate. "I'm pleased the FCC is opening an investigation into the reported data leak by LocationSmart," he said. But he also called on the FCC to "expand the scope of this investigation."
The FCC didn't immediately respond to a request for comment.
LocationSmart Fixes API Flaw
LocationSmart reportedly obtains location data from all of the major U.S. wireless carriers and then sells it to marketing firms and other companies.
On Friday, the Carlsbad, California-based company told Information Security Media Group that it had fixed the flaw, which involved an application programming interface error in its website.
The flaw in the company's online demonstration site was discovered by Robert Xiao, a cybersecurity researcher, who also alerted cybersecurity blogger Brian Krebs.
LocationSmart said it immediately disabled the demo site and launched an investigation, noting that Xiao appears to be the only individual aware of the flaw before it was fixed. "We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission," Brenda Schafer, a spokeswoman for LocationSmart, told ISMG.
LocationSmart has been in the news in recent days since ZDNet reported that the company supplied data to Securus Technologies, a prison technology provider that has itself been in the news after The New York Times reported that its service was allegedly abused by a former Missouri sheriff to track judges and law enforcement agents.
On Wednesday, meanwhile, Motherboard reported that a hacker appeared to have breached Securus, stolen data - including for law enforcement users - and released a spreadsheet with purloined information that "includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year."
LocationSmart, to 3cinteractive, to Securus
Wyden said his office learned last week that Securus Technologies had been allowing users - including prison guards and sheriffs - to access location information without first ensuring that they had a valid court order to do so.
Securus said it obtained its location data from 3cinteractive, a self-described mobile marketing company based in Boca Raton, Florida, which says it obtained the location data from LocationSmart, according to Wyden's office.
Such information could have posed a risk to the privacy and physical safety of mobile phone users, Wyden warned. "A hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child's cell phone to know when they were alone," Wyden said via Twitter.
But Wyden also called on the FCC to expand its investigation and "more broadly probe the practice of third parties buying real-time location data on Americans."
Wyden added: "The only real surprise is that it took this long for the public to learn that the wireless carriers and their business partners were demonstrating such a total disregard for Americans' privacy and safety."
Conflict of Interest
The senator also called on FCC Chairman Pai to recuse himself from any investigation due to a conflict of interest, noting that Pai represented Securus Technologies as an attorney in 2012, when he served as a partner at the law firm Jenner & Block, LLP, just before he began the confirmation process to serve as the FCC chairman in May 2012.
"Chairman Pai's past work for Securus makes it untenable for Mr. Pai to lead this investigation," Wyden said. "I call on Mr. Pai to do the responsible thing and recuse himself from the investigation."