Robert Xiao, a security researcher at Carnegie Mellon University, discovered a bug while studying a new software tool from the company LocationSmart that could lead to a massive leak of confidential data. The scandal could become serious: a white-hat hacker effectively showed that the telecom operators, in pursuit of profit, had resorted to a crime and begun trading their customers' personal data.
The LocationSmart application at the center of the scandal uses indirect data to determine the location of any phone carrying a SIM card from one of the four leading US telecom operators: AT&T, Sprint, T-Mobile and Verizon. The lookup is performed without the phone owner's knowledge and is based on passive analysis of data from cell towers and transponders. Sending a request requires authorization, since the application is intended for a narrow category of users.
Xiao used the demo version on the LocationSmart site, studied the structure of its web requests and managed to take control of the flow, bypassing the authorization procedure. He then ran a dozen experiments locating the phones of acquaintances, with their consent; the accuracy ranged from 100 to 500 m. Nobody noticed anything until the researcher himself published a description of the vulnerability and of what he had done.
This happened just a few days after the scandal involving the Securus tool from the same LocationSmart, which allowed thousands of accounts with weak passwords to be hacked. The real problem, however, is not that both tools were vulnerable to hacking by third parties. Specialists and several US senators directly accused IT companies and telecom operators of collusion, because they deliberately build software for trading their customers' confidential data. It is one thing to track a phone's location in the interests of the 911 service, and quite another to sell that data to outside parties through the convenient interface of a commercial application.
So far, none of the leading US telecom operators has commented on these accusations.