
LocationSmart Leaked Location Data for All Major U.S. Carriers in Real Time - uptown
https://www.robertxiao.ca/hacking/locationsmart/
======
mysterypie
Oh, man, what a missed opportunity to make the average Joe Sixpack become
aware of cellphone tracking and surveillance. If the researcher had queried
every single cellphone number in the United States (for as long as the API
kept working) and then published the location of every cellphone in the USA,
then laymen might care. When someone can query the list and see his _own_
personal information being broadcast, they will understand. When they can look
up any cellphone and pinpoint the location of their wife, husband, girlfriend,
boyfriend, boss, children, or neighbor, they might get an inkling that privacy
isn't such a stupid thing to worry about.

I guarantee that by next week, this whole thing will be forgotten and nothing
will have changed because privacy and surveillance are too abstract for most
people -- they need to _see_ all their personal information that's being
collected. I admire the researcher's integrity for exposing it the right way
(reporting it to CERT and the company itself), but going full Snowden would
have had so much more impact on getting better privacy-preserving laws and
technology.

~~~
neuralk
If the researcher had done that -- queried every cellphone and published it --
I fully expect they'd receive the same treatment from law enforcement that
weev and Aaron Swartz got, if not worse

~~~
tajen
Given the enforcement served to whistleblowers, I’d be ok if they took
financial benefit from leaks:

Auction leaked data to foreign intelligence or companies, then make the price
known. We’ve been warned enough times. That’s the only way Americans will put
a price on privacy, and fines for unsecured systems will climb through the
roof, with wilful enforcement by both companies and customers. And the
whistleblower gets paid, better than rotting in Russia for years.

~~~
tuxxy
That's a great way to end up on espionage charges.

------
nneonneo
Hi all, I'm the researcher who found the bug. I started looking at it after I
saw the earlier HN posting about Securus and LocationSmart.

Happy to answer questions and provide any additional context.

~~~
chx
I have a half off topic question: how are you doing this in light of the CFAA
and what happened to Aaron? I truly wonder.

~~~
nneonneo
I discovered the bug yesterday, followed responsible disclosure with US CERT
(based at CMU, so we got things moving very quickly there), and the bug is now
fixed.

If the CFAA bars legitimate security research like this, then we would all be
truly fucked.

~~~
apetresc
Wait, _yesterday_? And the fix is already deployed to production today? That's
either some truly impressive engineering from a company that made a
freshman-year-level security mistake, or whatever patch they put in place to
fix this is just as leaky as the original bugged version and it's just a matter
of time.

~~~
gowld
Theory: Devops disabled the security flag on the JSON API, in order to perform
integration tests, then didn't enable it until reminded.

~~~
zodPod
This for sure! My theory has also been that it's possible they literally just
needed to add "if (subscriptionApproved) {" to the top. Not exactly a ton of
code!

------
ucaetano
> LocationSmart’s home page features the corporate logos of all four of the major
> wireless providers, as well as companies like Google, Neustar, ThreatMetrix,
> and U.S. Cellular.

Funny how they removed the corporate logos they had on their website from
yesterday to today:

Yesterday:
[http://web.archive.org/web/20180516060611/https://www.locati...](http://web.archive.org/web/20180516060611/https://www.locationsmart.com/)

Today: [https://www.locationsmart.com/](https://www.locationsmart.com/)

~~~
hadrien01
All the images still exist on their website:

[https://www.locationsmart.com/cms/resources/](https://www.locationsmart.com/cms/resources/)

Look for 't-mobile' or 'verizon'

~~~
jessaustin
It seems less and less likely that this firm has ever hired any knowledgeable
security person...

~~~
yorwba
I think this image symbolizes their approach to security very well:
[https://www.locationsmart.com/cms/resources/privacysecurity....](https://www.locationsmart.com/cms/resources/privacysecurity.png)

Just put a lock on top, even if it's not actually securing anything.

------
nneonneo
I have now published a writeup here:
[https://www.robertxiao.ca/hacking/locationsmart/](https://www.robertxiao.ca/hacking/locationsmart/)

Hopefully this answers some of the technical questions about the exploit :)

~~~
fixermark
Excellent writeup, and thank you for both sharing the details and summarizing
the relevant context.

------
gcbw2
What honest purpose would TelCos have to even sell this data?

All of them replied saying "we will cut clients not following the program
guidelines"... what are those guidelines?! and why is that arbitrary for the
companies to decide, and not mentioned anywhere on the consumer agreements
other than some vague "we may share your data with whoever"?

This sounds like Cambridge Analytica for TelCos.

~~~
monort
Maybe they even don't sell the data, it's a vulnerability of SS7 protocol.

[https://www.ptsecurity.com/upload/iblock/8c0/8c065c70984c93d...](https://www.ptsecurity.com/upload/iblock/8c0/8c065c70984c93d3001234ed6e6d865b.pdf)

~~~
nneonneo
The telcos are almost certainly selling it. Verizon used to have a page noting
that LocationSmart was a "Network API Partner":
[https://archive.li/tCLrd](https://archive.li/tCLrd)

------
state_less
This sort of mass tracking shouldn't exist and it certainly should be illegal
to sell this data. Anyone who is capable of tracking (e.g. satellite
companies, cell companies, etc...) should be required to immediately report
any request to access this sort of data. If it's a government, force them to
publicly give reason and use that to scope the investigation. Our technology
makes this possible, our culture doesn't have to.

~~~
bitexploder
Technically you have to explicitly opt in. But software has bugs, sometimes
trivial ones.

~~~
kridsdale1
Also you can bet your ass NSA has a feed

~~~
bitexploder
They have first class access that makes what LocationSmart has look like a
toy.

------
JumpCrisscross
I certainly don't encourage it, not least because it's illegal, but there is
only one way I see this getting fixed. Someone publishing the location data of
members of Congress and federal agencies' heads, revealing sensitive
information, _e.g._ an undisclosed meeting or repeated visits to an unexpected
embassy or overnight stays with a young, good-looking aide.

~~~
jacquesm
Why would the aide have to be good looking or young?

~~~
LeoPanthera
It's shallow, but it makes better PR when you're trying to scandalize middle
America.

~~~
gowld
Affairs with older, ugly people are well scandalized.

------
pasbesoin
We are going to have to look hard at contract law versus the Constitution and
its amendments.

All sorts of contractual gags that keep people from commenting on bad and
sometimes malicious behavior. Because it's the only way to get the job they're
trained for, etc.

Companies insisting on the contractual right -- in small and seldom-read print
buried within a sea of other print, for an "everyday" purchase -- to
essentially violate the 4th Amendment (I'm thinking; maybe I've got that
wrong) against unreasonable search and seizure. I guess that right was
targeted against the government, but it seems it should apply to these
government-size corporations and multi-nationals, as well. Selling us what has
become an essential service; try living most people's lives in the U.S.
without a cell phone.

And hey, we know governments are making use of those data, as well. A typical
government ploy; purchase data from a private, third party that the government
is not allowed to directly collect, itself. Sorry, that "scrubbing"
indirection shouldn't disqualify it from constitutional protections.

Divide and conquer. Whereas solidarity actually requires some privacy and
wiggle room, to function effectively and autonomously in the real world.

~~~
ellius
You already hit this point but: the Constitution, and especially the Bill of
Rights, is about defining a legal structure of government. We can all agree
that privacy is a "universal right," but neither history nor legal precedent
supports that interpretation unequivocally (even with regard to the government
specifically; you can read some really interesting Constitutional history
about the "right to privacy" and how it arose as a concept in the late 1800s;
Brandeis's "The Right to Privacy" is a fascinating historical document). The
only true remedy to this problem is laws enacted by Congress. We need to stop
talking about this in a wishy-washy idealistic way and start talking about
realistic, precise, and legal solutions, which means enacting specific laws.

~~~
duncan_bayne
This is an outsider's perspective (I'm Australian) but it seems as though more
and more is being done through Executive Orders - the Korean War, the EPA,
Obamacare - instead of through proper channels.

As far as I can tell, this is because Constitutional amendments are _hard_ to
enact (in the case of the EPA and Obamacare) and for reasons I don't
understand, Congress doesn't seem to want to declare war any more.

Is that a fair assessment, or am I getting only part of the picture?

~~~
ellius
Sure, but those aren't the only two options. You can just pass normal laws.
They don't have to be amendments. That's also difficult, though, due to the
extreme partisanship in our political environment, but it's theoretically the
fitting solution.

~~~
duncan_bayne
My understanding was that at least some of those - Obamacare and the EPA -
required either an Executive Order or a Constitutional amendment, because the
powers required were not granted to the Federal Government by the
Constitution.

Agreed that declarations of war can just be declarations of war, no amendments
required. It strikes me as odd that Congresscritters would be okay invading a
country, but not okay with declaring war against them.

~~~
thoth
US Agencies don't need a Constitutional Amendment to come into existence - the
usual method is simply a law that Congress passes that the President then
signs. E.g. Dept of Energy, Dept of Education, Dept of Homeland Security, Dept
of Housing and Urban Development, etc. going way back to the Dept of Foreign
Affairs (precursor to Dept of State).

Obamacare (Patient Protection and Affordable Care Act) was also created by
Congress - bill passed in both houses, signed by the President, upheld by the
Supreme Court. That's basically a textbook example of how the system is
supposed to work.

I'm not sure why the EPA (and others, like FEMA) were created by Executive
Order instead.

As far as why Congress hasn't declared war since WW2, they've basically rolled
up their say into the War Powers Act and the War Powers Resolution which
provides for them being informed and issuing continuing approvals. They can
then support the President (as Commander in Chief) but not officially declare
war.

~~~
duncan_bayne
My understanding was that the IRS was directed to enact Obamacare by Executive
Order, because they (the Federal Government) have no Constitutional mandate in
that area. Same with the EPA.

------
zizek23
You don't wake up suddenly in a totalitarian state. Total surveillance is one
step away and once the infrastructure is in place it will be used. Commitment
to basic values of privacy and human rights has been reduced to posturing
against others and denial about what is happening at home.

Until there are proper protests and pushback the creep will continue and the
useful idiots and the ignorant will continue to muddy the waters and dilute
the threat only to slink back into the woodwork once the real consequences
become visible.

And with all encompassing surveillance even organizing protests and dissent
will become difficult without the kind of sacrifices most people are unwilling
to make. Just today there is a story of a guy getting a knock on the door from
the police [1] a few hours after posting about eating mushrooms on facebook.

[1] [https://munchies.vice.com/en_uk/article/gykbe3/cops-show-up-...](https://munchies.vice.com/en_uk/article/gykbe3/cops-show-up-at-foragers-door-after-mistaking-morels-in-facebook-post-for-shrooms)

------
codedokode
The question is why cell carriers provide data on users' location without
their consent. I don't understand how this can even be legal.

It is the same thing as if a bank would sell their customers' bank card
numbers and SSNs.

~~~
bitexploder
It is supposed to only occur with explicit user consent. You have to opt in.
That is kind of the whole point of this thread. The researcher, who has been
active in this thread, found a way to bypass the consent feature.

~~~
ironjunkie
Wait,

Do we need to opt-in with our Carrier, or with LocationSmart?

The first one would make more sense than the second.

What is going on here doesn't make any sense. Basically the carriers give
access to the data of EVERYONE and the latest link of the chain is the one
supposed to check the "opt-in"? Meaning everyone on the chain in between got
access ?

~~~
bitexploder
Carrier. LocationSmart must respect user preference from carrier. It is the
carrier/consumer's data, ultimately, so it is between the consumer and the
carrier. LocationSmart is downstream and must respect the privacy wishes of
the consumer/carrier. There are two layers of problems here. (1) carrier could
just /never/ provide data to LS if user did not opt in. (2) LS could not have
terrible bugs. Problem (1) is hard. So carriers just give companies like LS
full access to location data along with the users' preferences and LS agrees to
respect users' wishes.

I think the carriers carry way more blame in this whole thing than people are
acknowledging in this whole thread. Users that didn't opt in are still having
their data made available to these third parties cause it's easier to
implement. It reminds me of the legal fiction the NSA uses. They collect ALL
the data / traffic. But they can only ACCESS the data with a warrant. In this
case the virtual firewall leaks horribly between the carrier and LS and the
incentive to make it strong does not exist. Totally different situation but
the parallels are there.

------
discussedbefore
Related discussions over the past week-ish:

US cell carriers are selling access to real-time phone location data
[https://news.ycombinator.com/item?id=17081684](https://news.ycombinator.com/item?id=17081684)
[https://news.ycombinator.com/item?id=17069459](https://news.ycombinator.com/item?id=17069459)

Service Meant to Monitor Inmates’ Calls Could Track You, Too
[https://news.ycombinator.com/item?id=17046632](https://news.ycombinator.com/item?id=17046632)

------
klik1
Posting under an alternative account for obvious reasons.

Bad API's used in IoT are a huge vector for attack and too few companies in
the mobile first world have a bug bounty program. I found a similar problem
with an API for an app that comes default installed on most android phones
I've purchased (think smart phone as a TV remote). I reported it and got no
response. Their homepage claims the app is being used for 10's of millions of
smart devices like A/C, TV's, Fridges, Microwaves, etc. The vulnerability
allowed full account access.

~~~
djsumdog
If you've made every attempt at responsible disclosure and have gotten no
response, it's probably more irresponsible to not do a full post on it.

Then again, that of course gets into murky water and it's best to at least try
to get legal counsel or work with a responsible disclosure website. IANAL.

~~~
klik1
The gist of the vulnerability was an expectation that nobody would ever find
their origins if they had some crazy hostname:

"asuhdfo8a7ys8dfas.website.com" type of setup. In front of this origin they
had a server that did auth and auth only. If your auth worked at the edge, the
request was sent to origin. The problem is I found a specific input that
caused an error dumping a stack trace that contained the origin hostname. I
took the original request and replayed it directly at the origin. To my
surprise the response was the same as going through the auth server. Then I
changed the user id to some integer that wasn't mine and got information back.
Then I quit playing with it and sent an email.

This leaves me in a weird spot because I was fuzzing them looking for details
when I was fully aware they did not have a bug bounty program. Why did I do
this? Because I was using the app myself, I'm a security guy, and had read
about a cool exploit with the uber app. It only took about 5 minutes of
setting up burp proxy for my phone with ssl and 5 more minutes of auditing to
find an input that dumped the stack trace.
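
As an added example (not part of the post above and not the vendor's code), here is one way an origin can stop trusting "the request reached me, so the edge must have authenticated it": the edge signs the authenticated user id, the origin verifies that signature itself, checks that the requested user id matches it, and returns generic errors instead of stack traces. The header name `X-Edge-Auth`, the key and the account records are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed values: a real deployment loads the key from a secret store
# shared only by the edge and the origin.
EDGE_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 60
AUTH_HEADER = "X-Edge-Auth"  # hypothetical header name

# Constructed sample records keyed by user id.
ACCOUNTS = {
    1001: {"email": "alice@example.test"},
    1002: {"email": "bob@example.test"},
}


def _tag(user_id: str, issued_at: str, key: bytes) -> str:
    """HMAC-SHA256 over 'user_id.issued_at'."""
    msg = f"{user_id}.{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_assertion(user_id: int, issued_at: int, key: bytes = EDGE_KEY) -> str:
    """Edge side: after authenticating the caller, bind the identity to the request."""
    return f"{user_id}.{issued_at}.{_tag(str(user_id), str(issued_at), key)}"


def verify_assertion(header, now: int, key: bytes = EDGE_KEY):
    """Origin side: return the authenticated user id, or None if the
    header is missing, malformed, forged or too old."""
    if not header:
        return None
    parts = header.split(".")
    if len(parts) != 3:
        return None
    uid, ts, tag = parts
    if not (uid.isascii() and uid.isdigit() and ts.isascii() and ts.isdigit()):
        return None
    # Constant-time comparison of the expected and presented tags.
    if not hmac.compare_digest(_tag(uid, ts, key).encode(), tag.encode()):
        return None
    # A short validity window limits replay of a captured header.
    if abs(now - int(ts)) > MAX_AGE_SECONDS:
        return None
    return int(uid)


def handle_get_account(headers: dict, requested_user_id: str, now=None):
    """Origin handler: returns (status, body). Never trusts network position."""
    now = int(time.time()) if now is None else now
    try:
        subject = verify_assertion(headers.get(AUTH_HEADER), now)
        if subject is None:
            # Direct-to-origin requests without a valid edge assertion stop here.
            return 401, {"error": "unauthorized"}
        if not (requested_user_id.isascii() and requested_user_id.isdigit()):
            return 400, {"error": "bad request"}
        if int(requested_user_id) != subject:
            # Object-level check: changing the id in the request is not enough.
            return 403, {"error": "forbidden"}
        return 200, ACCOUNTS[subject]
    except Exception:
        # Details go to internal logs only; the client never sees a stack
        # trace that could reveal hostnames or code paths.
        return 500, {"error": "internal error"}
```

The same two checks apply whatever the transport: mutual TLS between edge and origin can replace the HMAC header, but the per-object ownership check still has to live at the origin.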

------
8_hours_ago
I just wrote to my senators and representative in congress, and I urge
everyone else to do the same. It is unacceptable that our personal information
is so easily sold to 3rd parties by our cell phone carriers, with no way to
opt-out.

~~~
coastal-fiesta
Mind pasting the letter you wrote?

~~~
8_hours_ago
This is what I sent... feel free to mention any issues you see with it which
may help other people.

Hello XX,

I am concerned about the security of my cell phone location information.

Yesterday, a vulnerability was found that leaked the real-time location of 95%
of the cell phones in the US. That is unacceptable.

US cell phone carriers including AT&T, Sprint, T-Mobile and Verizon share
personal information, including phone numbers and real-time location of cell
phones, with companies such as LocationSmart, who then resells the information
to other companies for marketing and other purposes. Carriers do not provide a
way for users to opt-out of such sharing. This is completely legal under the
current Electronic Communications Privacy Act. LocationSmart claims that they
will not share the gathered information without user consent, but the
definition of consent is vague, and that doesn't protect the public from
security breaches. I understand that carriers need to have location data to
comply with emergency 911 regulations, but it is unacceptable that they are
able to share it with 3rd parties who may use it for dubious purposes, and may
have lax security standards.

We need to have laws that protect the privacy of cell phone users, and do not
allow carriers to sell personal information to 3rd parties. Or, at the very
least, customers should be able to opt-out of such sharing from their
carriers.

For more information on the vulnerability found yesterday, please see:
[https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...](https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/)

Please contact me if you have any questions.

Thank you, XX

------
rolandog
> Also, by law wireless companies need to be able to ascertain at any time the
> approximate location of a customer’s phone in order to comply with emergency
> 911 regulations.

Would it be unfeasible to only track once a 911 call is placed?

~~~
jessaustin
Sure, but the meetings held to decide how these things work are well-populated
with people who find the concept of a "right to privacy" confusing.

~~~
bigiain
But they seem to be _super_ switched on about how much shareholder value they
can create by monetising the data.

------
kuon
I don't think the general public will care. I tried to warn people about
security/surveillance for a while but people don't seem to care. I even used
[http://www.insecam.org/](http://www.insecam.org/) to show people their
children might end up on the Internet, they just say "I don't have a camera in
my house". But they are not grasping my point, which is that technology is
invasive to a point no one imagined before. Soon the facial camera of your
fridge used to authenticate new food orders you make through amazon will be on
insecam if you are not careful. And of course, the most dangerous thing, is not
accessing a camera, microphone or location at time T, but it's the whole
history, years, even decades of history of your every move. Nobody is perfect,
don't tell me you'd never be at a place you shouldn't have been. Information
is power, those with access to that information will control the society as a
whole.

------
nickthegreek
Anyone know what the minimum and maximum accuracy of the cell phone
triangulation methods are? This article states that they were getting results
from within a few hundred yards to 1.5 miles.

And the scariest thing to me in the article (besides being able to bypass the
auth) is that they were able to send several requests and track movement in
near real time. Did they really not have a request limiter in place?

~~~
c22
For whatever it's worth, this service was unable to find any location for my
phone that only connects over 2g, but had no problem tracking my 4g phone with
startling accuracy.

~~~
joewee
There are limited towers / carriers who support 2g. Less data to triangulate I
would assume.

~~~
c22
This is true, but I suspect something else might be going on. LocationSmart
said it couldn't find the location of my phone at all, but even if I'm visible
to only one tower it should at least be able to narrow it down to the location
of that tower.

------
beezle
So..300 mio connected devices, 2 bytes for location, some compression, 2
samples a minute -> 1 GB per min or about 1.5 TB per day. That's easy storage
for NSA, wonder how many years of data they have on everyone? Don't think for
a minute they don't have an exception for the permission requirements.
~~~
bastawhiz
Two bytes for a location? If you're going to store latitude and longitude,
you'll want to do it with signed fixed-precision numbers. Four decimal places
if you don't care about accuracy too much plus up to 180 above and below zero.
That means you'll need 26 bits (25 bits to store the data plus one bit for
sign), and that covers one half of latitude and longitude. You'd need 52 bits
to store a full set of coordinates, and since we're not barbarians we can
round that up to a nice even 64 bits (I don't think there's anything relevant
you can store in 12 bits...maybe carrier ID?)

Then you need to identify what device it's for, that's another 32 bits if
you're being conservative. I'll ignore timestamp, since you could infer that
from the location in the data store (assuming you have nice even 30s
intervals), but it would otherwise be a bonus 64 bits.

That's 10TB, but also pretty useless because you've got a giant pile of u32s.
If you were going to do this for real, you'd probably store the user's
location with full precision for the first sample, then simply have diffs with
a precision that assumes, say, the device isn't going to move faster than the
speed of sound. The index is likely going to be pretty massive, and you'll
constantly be reindexing because you're getting new data all the time (with a
cardinality of 300M).

Even then, you're probably looking at something that's triple or quadruple
that size. Let's say 40TB. That's only 14.6PB/year, which is not unreasonable
storage for the government. But then you need to consider other things:

- You're ingesting 600M data points per minute. If you're only getting the
  minimum (96bits/user), that's over 7GB/s.

- But of course, it's probably not in a binary format (in the article, it was
  JSON and XML). Make that 50GB/s.

- Now you're parsing XML and JSON. That's not free when you're parsing 600M
  documents/minute. You'd likely have a pretty damn big server farm to ingest
  all this data.

- Your carriers need to be able to send that data to you, so they need to be
  equipped to (collectively) deliver 50GB/s of encoded location data; not to
  mention be able to dump the latest record for every customer in their location
  database twice per minute.

I wouldn't bet money that the government cares enough about every last device
in the country to rig together such a big system only to keep track of where
my grandmother's Jitterbug is. It's nonsensical to think that they couldn't
just send an API request to AT&T or Verizon and be like "Hey guys, where's
John Doe's phone been in the last week?" That's almost certainly more
practical and cost effective in every way.

~~~
beezle
You are right, it would take a few more but my point was more that the amount
of data is entirely within the scope of NSA et al. In fact, it was somewhat
arbitrary to say two points a minute, reality is once every two minutes is
enough to have a very good idea where somebody is or has gone to.

Why would they want this data? Because they want to be able to not just track
in real time 'persons of interest' but also to recreate past movements to
establish associations.

As to the difficulty (if any) for the major telecoms to provide such a feed -
chump change to the NSA to assist in that matter, just like regular law
enforcement pays for wiretaps.

------
rnd463856
Does anyone know if opting out of CPNI sharing with your carrier prevents
location information from being shared with companies such as LocationSmart?

See: [https://www.verizonwireless.com/legal/notices/customer-cpni/](https://www.verizonwireless.com/legal/notices/customer-cpni/)

~~~
gergles
No, your device location is not CPNI. Generally, only things that appear on a
detailed phone bill are CPNI.

------
odammit
I didn’t follow how it is that LocationSmart gets access to an unaffiliated
person’s phone location in the first place.

------
8_hours_ago
Are there any US carriers that have been confirmed to _not_ share location
data with 3rd parties such as LocationSmart? LocationSmart boasts on their
website that they can get the location of 95% of the cell phones in the US...
how can I be that 5%?

~~~
bitexploder
Turn your phone off. :)

Seriously. There is no other option. Only niche local providers won't share
with these types of companies.

~~~
8_hours_ago
> Only niche local providers won't share with these types of companies.

That is what I am looking for! Do you know where to find those providers?

~~~
bitexploder
US Cellular and Metro PCS maybe? Only two that spring to mind.

------
cavisne
Something I wonder reading this, hopefully some wireless experts can answer.
In theory does locationsmart even need to onboard all telcos for this? Most
smartphones have the hardware to talk to all telcos now, and in emergency
situations they can roam onto other networks. Do lte devices ping other
networks or do they only ping on the spectrum of their particular network?

I’ve heard stories of how telcos track down things like broken fridges etc
that are adding noise to their network (and buy the owners a new fridge) so
clearly they have the ability to track things that aren’t part of their
network.

------
JepZ
So we pay the carriers and they sell our locations to 3rd parties anyway?

I can't think of any business for which it should be reasonable to make
additional money by selling the users data. If a service is for free, I can
understand that somehow the bills have to be paid and that selling data is an
obvious option here. But if you paid for a service you normally don't expect
the service provider to sell your data anyway. That kind of business should be
illegal IMHO.

------
graeme
OP, the NYT is interested. Reporters email here.

[https://news.ycombinator.com/item?id=17089692](https://news.ycombinator.com/item?id=17089692)

~~~
nneonneo
Thanks for the pointer.

------
smsm42
After all the brouhaha with the Cambridge Analytica dataset, that only
revealed data that people voluntarily submitted to a public service - I wonder
if there's a congressional hearing about a service that allows to track
anybody owning a cellphone (which is pretty much anybody) anytime, anywhere,
with no recourse or opt-out? With heads of AT&T and other companies being
interrogated by Congressmen, at least? And if not, why not?

------
CBdd
T-Mobile and other carriers sell customers a service that uses this
information to track other phones ON THE SAME ACCOUNT. The actual service is
provided by a third party that, I assume, is privy to all customers' tower
contacts and thus the location. By the way, the service is usually accurate
within 50 feet although I have found some bloopers where it was off by 500
feet. Each result even tells you how accurate it likely is.

------
amatecha
Slightly disconcerting (though unsurprising) to see insurance companies are
customers of LocationSmart:
[https://www.locationsmart.com/company/customers](https://www.locationsmart.com/company/customers)

I kinda had no clue 3rd-party services like this existed, and assumed realtime
cellphone location data was only available to law enforcement in emergency
situations... Cool..

------
fixermark
David Brin becomes more and more prescient as time goes on.

[https://books.google.com/books?id=wg4XBQAAQBAJ&pg=PA336&dq=0...](https://books.google.com/books?id=wg4XBQAAQBAJ&pg=PA336&dq=0738201448&hl=en&sa=X&ved=0ahUKEwjeuezM1Y3bAhUQy1kKHaz3B9AQ6AEIKjAA#v=onepage&q=0738201448&f=false)

~~~
dredmorbius
Brin presumes it's possible to look up, and that disclosure is equally
significant to both the powerful and oppressed.

The historical record doesn't support this.

~~~
fixermark
I was referring specifically to the inevitability of observation technologies
leaving outside their controllers' grasp and becoming increasingly ubiquitous.

~~~
dredmorbius
Technology's existence needn't make its use inevitable.

~~~
fixermark
... but as Brin observes, these tools are powerful. And the groups that
exploit them will tend to become the powerful groups (because information is
power).

So given that these tools, even when abused, don't lead to the kind of wanton
destruction nuclear weapons do (that trigger our primal survival instincts),
the odds of everyone on the planet generally refraining from accessing
surveillance technologies when available are low, and those that do so will
tend to become more powerful (and therefore spread the cultural meme that
"hey, this stuff is okay in moderation").

------
Sephr
I found LocationSmart's pricing info:
[https://www.locationsmart.com/cms/resources/locationsmartpri...](https://www.locationsmart.com/cms/resources/locationsmartpricingdirect2016.pdf)

------
codedokode
By the way, I wonder, could a foreign state use these location services for
spying on government and military officials and other interesting people? For
example, create a fake marketing company and buy data for "targeted
advertising".

~~~
nneonneo
I don’t believe the buggy API was ever restricted just to US IPs, so anyone in
any country could have been tracking US phones since the API came out (in Jan
2017 or earlier).

------
voctor
Maybe this is not a security vulnerability, but a feature, intentionally put
here as a backdoor. This would not be the first time such behaviours are
observed.

------
HashThis
Do all carrier customers get hurt by this? If I don't use LocationSmart, does
it impact me? What products use this that expose me to this?

~~~
staplers

> What products use this that expose me to this?

Per the LocationSmart website: "95% of all wireless devices" so basically the
entire population's location can be tracked in real-time by anyone willing to
pay for this service. Insurance companies, your boss, etc.

~~~
dredmorbius
This also means that even if you cannot be tracked directly, you may be
tracked by others you travel or associate with.

A Catalan separatist was arrested in Europe this way.

------
rubatuga
One of the few news articles that make me feel a bit nauseous. What’s stopping
organizations from doing warrantless tracking?

~~~
bitexploder
They would have to exploit this consent bypass flaw. So, if they were willing
to exploit this bug, nothing.

------
aftbit
How do I opt out of T-mobile sharing my location data with 3rd parties without
a court order?

------
pietroglyph
The scariest thing is that you can still buy this data legally. No
vulnerability required.

~~~
sixothree
What is the process like?

~~~
iampims
yeah, I'm also curious what the process is to buy this data.

~~~
pietroglyph
Here's an example (It is through geofencing, and I read my parent comment as a
bit misleading. Sorry about that.):
[https://www.locationsmart.com/solutions/proximity](https://www.locationsmart.com/solutions/proximity)

------
crtasm
I'm loving the Do Not Track header in your python script. Great work!

------
seanieb
Are data-only SIM's trackable in the same way as normal SIM's?

~~~
wadkar
Yes. Data only sims are just like your regular simcards except you pay to NOT
make any calls from it. The rest everything works the same from a technical
point of view.

------
ssss11
Not so smart then.

------
uptown
Seems improbable, but I really wish Apple would get into the carrier business.

~~~
duskwuff
To avoid this sort of information leak, they'd have to build out their own
cell infrastructure. This would be prohibitively expensive, even for a company
with as much money as Apple.

Operating as an MVNO wouldn't help; the parent carrier can still collect data
from their customers.

~~~
jonas21
I dunno... Apple could, for example, buy T-Mobile and their network for ~$50B
[1] and still have a $230B pile of cash left over [2].

[1]
[https://www.google.com/search?q=TMUS](https://www.google.com/search?q=TMUS)

[2] [https://www.cnbc.com/2018/02/01/apple-earnings-q1-2018-how-m...](https://www.cnbc.com/2018/02/01/apple-earnings-q1-2018-how-much-money-does-apple-have.html)

------
coytar
Having not fully woken up this morning, I read & assumed the title as
"LocationSmart Leaked Location Data for All Major U.S. [Aircraft] Carriers in
Real Time" and freaked out a bit :)

Anyone else?

~~~
quickthrower2
I thought the same. Although this would be impossible right?

