Companies built around harvesting and selling third-party data have been subject to growing scrutiny since the Facebook/Cambridge Analytica story broke earlier this year. This trend of increased monitoring is likely to continue as more and more people choose to track what and how much of their personal information is collected, and what companies are doing with it. So, it should come as no surprise that a handful of companies that track user locations and online activities had major security issues surface over the last 2 weeks.
The more complex of the stories revolves around LocationSmart, a company that “acts as an aggregator of real-time data about the precise location of mobile phone devices.” Brian Krebs reported on May 17, 2018 that, due to a serious flaw in its online software demo, the LocationSmart website was leaking cell phone location data without a required password or any other type of authentication. Essentially, this vulnerability allowed anyone to track the location of any phone on the AT&T, T-Mobile, Verizon, or Sprint networks to within a few hundred yards. The demo has since been removed from the site.
The LocationSmart problem came to light on the heels of three stories published by The New York Times, ZDNet, and Motherboard, detailing the issues with Securus Technologies. Securus provides services to prison systems that allow prison staff to manage inmate phone calls. The trouble started with the Times reporting on May 10 that Securus was selling/providing the location data “on customers of virtually any major mobile network provider to a sheriff’s office in Mississippi County, Missouri.” ZDNet followed that report 5 days later, noting that Securus got its third-party location data through LocationSmart.
The next day, May 16, 2018, Motherboard reported that the Securus servers had been hacked, and approximately “2,800 usernames, e-mail addresses, phone numbers, and hashed passwords” were stolen, most of which belonged to authorized law enforcement users of the program. If a threat actor were to find a username/password combination that hadn’t been changed, they could then (presumably) use the program to track the location of any cell phone they wished, with high accuracy.
Even Senator Ron Wyden (D-Or) got involved, noting via Twitter that this type of data breach could have real-world consequences, allowing criminals to know when you’re out of your house, or predators to track the location of a child.
Which brings us to the next data breach. On May 20, 2018, ZDNet reported that an app used by parents to track their children’s location and activity (texts, web browsing, phone calls) via their cell phones had stored unsecured personally identifiable information on a public-facing server. TeenSafe, available on both Android and iOS, had placed a database on an unprotected Amazon Web Services server, allowing anyone access to the data.
In all, the e-mail addresses and plaintext passwords for the Apple IDs of approximately 10,000 children (though some may be duplicates) were publicly visible. To make matters worse, TeenSafe requires that two-factor authentication be disabled for the app to function properly, making it harder to prevent unauthorized access to an account. ZDNet was able to verify the accuracy of the data on the server by contacting some of the parents using TeenSafe through the leaked e-mail addresses.
The server has now been taken offline.
With data breach laws on the books in all 50 states, and GDPR taking effect at the end of this week, these types of privacy and security problems are going to start costing serious money, not to mention reputation.