A researcher at Carnegie Mellon University and member of its elite hacking team exposed a bug in a cellphone tracking service that allowed him — and potentially countless others — to track Americans in real time using their cell signals.
Robert Xiao said he “stumbled” on the hack after visiting the website of LocationSmart this week to check the company's security measures.
The hack took just 15 minutes, Xiao said. After finding the bug, Xiao was able to track anyone.
“If I knew your 10-digit phone number, I could type it in, and I could track you in real time,” Xiao told the Tribune-Review on Friday. “I can watch you moving around. I can watch you driving around. I can watch you going to work and leaving from work.”
Xiao said the implications of what he found hit him hard. It was frightening. Anyone could track anyone. An adversary of the United States, a state actor like Russia or North Korea, could track the movements of any American with a cellphone or those of top military advisors or troops. His heart was racing when he discovered it.
“It felt sort of surreal,” Xiao said, describing a “humungously sinking feeling.”
LocationSmart has fixed the bug in the online demo that Xiao used and took the demo offline, Brenda Schaffer, vice president of product and marketing, wrote in an email to the Tribune-Review. Schaffer said the company has confirmed that no one else exploited the bug and it did not result in any customer information being obtained without consent.
“LocationSmart is continuing its efforts to verify that not a single subscriber's location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process,” Schaffer wrote.
LocationSmart is based in Carlsbad, Calif. The company uses cellphone location data from cellphone service providers to locate “15 billion devices anywhere in the world, for any location need,” according to its website. The company claims it helps businesses track workers and assets.
The public demo Xiao exploited was meant to show off LocationSmart's tracking service. A person using the demo could request to track a phone number. That phone number would then be notified that someone wished to track it, and the owner of the phone number would give consent to be tracked for the purpose of the demo. Xiao dug into the demo's code a little bit, found a way to bypass the consent part, and had what he called “the ultimate tracking tool.”
Xiao became interested in LocationSmart when the company landed in the news for its connection to Securus, a company that monitors calls to U.S. prison inmates. Reporting by The New York Times uncovered that a former Missouri sheriff used Securus to track people's cellphones , including other officers.
When the Federal Communications Commission demanded to know how Securus obtained cellphone location data, the company revealed that it got it through LocationSmart, according to a story on ZDNet . LocationSmart claims to have “direct connections” to all major U.S. cellphone providers including AT&T, Verizon, T-Mobile and Sprint.
The ZDNet story prompted Xiao to take a look at LocationSmart.
“I wonder if they are securing customers data?” Xiao said he thought after reading the story. “Because this is pretty frightening stuff already.
“Within 15 minutes I had my answer, and the answer was no.”
Xiao is a Ph.D. candidate at CMU's Human-Computer Interaction Institute where he studies how humans and computers interact. He recently worked on a project that used a smartwatch to turn your arm into a trackpad.
That's his day job, he said. For fun, Xiao dabbles in security research, essentially a euphemism for white-hat hacking. Xiao didn't hack LocationSmart with any malicious intent. He did so to see if his personal data, and everyone else's, was secured.
Xiao is a member of CMU's Plaid Parliament of Pwning hacking team. The team has won more DEFCON Capture the Flag competitions than any other team . They are some of the best hackers in the world working for good, not evil.
Xiao said a complex hack sometimes takes eight to 12 hours to put together and execute. It took him 15 minutes to expose the vulnerability at LocationSmart. He said the hacking team runs competitions for high school students.
“It's not completely unlike the challenges we ask them to do,” Xiao said. “We've had some very bright high school students solve problems harder than this.”
Xiao is leaving CMU this year and will start as an assistant professor of computer science at the University of British Columbia in January. The LocationSmart bug is the biggest he's ever discovered. He hopes it's the biggest he ever discovers.
“But there are probably even worse bugs out there,” Xiao said.
Xiao discovered the bug Wednesday. Once Xiao figured out what he had found, he tested it on a few friends and colleagues — with their consent — to make sure he really had found a way to track people's cellphones. He said he asked a friend in Hawaii for permission and watched that friend move about the island.
Xiao then notified US-CERT, the United States Computer Emergency Readiness Team. US-CERT, a division of the Department of Homeland Security, worked with Xiao to properly and safely disclose the vulnerability. Xiao said caution here is important. People need to know that their data was compromised, but people don't need to know how to compromise it until the vulnerability is fixed.
Xiao never spoke to LocationSmart directly. He hasn't heard from the company since.
When the demo was taken down and Xiao felt it safe to make his discovery public, he contacted Brian Krebs, an security researcher and reporter. Krebs broke the story on his website Thursday.
Xiao said he decided to make his breach at LocationSmart public in part to start a larger discussion about the security surrounding data like cellphone locations.
“I just got access to everyone's location,” Xiao said. “I shouldn't be able to do that in a sane world.
“No company should be able to be that cavalier with this type of information.”
Aaron Aupperlee is a Tribune-Review staff writer. Reach him at firstname.lastname@example.org, 412-336-8448 or via Twitter @tinynotebook.