A website flaw at a California company that gathers real-time data on cellular wireless devices could have allowed anyone to pinpoint the location of any AT&T, Verizon, Sprint or T-Mobile cellphone in the United States to within hundreds of yards, a security researcher said.
The company involved, LocationSmart of Carlsbad, operates in a little-known business sector that provides data to companies for such uses as tracking employees and texting e-coupons to customers near relevant stores.
Among the customers LocationSmart identifies on its website are the American Automobile Association, FedEx and the insurance carrier Allstate. LocationSmart did not immediately respond to emails and telephone messages seeking comment on the flaw and its business practices.
The LocationSmart flaw was first reported by independent journalist Brian Krebs. It’s the latest case to underscore how easily wireless carriers can share or sell consumers’ geolocation information without their consent.
The New York Times reported earlier this month that a firm called Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track people without a court order. On Wednesday, Motherboard reported that Securus’ servers had been breached by a hacker who stole user data that mostly belonged to law enforcement officials.
Securus may have obtained its location data indirectly from LocationSmart. Securus officials told the office of Sen. Ron Wyden, an Oregon Democrat, that they obtained the data from a company called 3Cinterative, said Wyden spokesman Keith Chu. LocationSmart lists 3Cinteractive among its customers on its website.