Securus Technologies is a Texas-based company specializing in providing and monitoring calls to prison inmates. Securus came into the spotlight earlier this month, when a former Missouri sheriff was found using the company’s service to repeatedly track people without a warrant. The New York Times reports that between 2014 and 2017, former sheriff Cory Hutcheson used the service at least 11 times, allegedly tracking a judge and members of the State Highway Patrol.
Securus obtains tracking information through a company called LocationSmart, which in turn has agreements with most U.S. carriers. Earlier this month, Senator Ron Wyden of Oregon wrote a letter to various carriers asking them to independently verify that these requests are made lawfully. “I am writing to insist that AT&T take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data, including real-time location information, by at least one other company to the government.”
He wrote an additional letter to the FCC, calling on the agency to “promptly investigate Securus, the wireless carriers’ failure to maintain exclusive control over law enforcement access to their customers’ location data, and also conduct a broad investigation into what demonstration of customer consent, if any, each wireless carrier requires from other companies before the carriers provide them with customer location information and other data.”
Screenshot of Securus’ website (source: New York Times)
Only days after the letter was sent, a hacker broke into the company’s servers. He provided some of the data to Motherboard, including a spreadsheet marked “police” with over 2,800 usernames, email addresses, hashed passwords, phone numbers, and security questions of Securus users.
The passwords were hashed using MD5, which has repeatedly been proven to be insecure. That isn’t the only careless mistake the company made; an online Securus user manual shows screenshots for one of its products, but instead of using fake information, the images include the real name, address, and phone number of a specific woman.
As previously mentioned, Securus obtains tracking information through another company called LocationSmart. On its website, LocationSmart boasts access to 95% of all cross-carrier traffic, 100% of all device types, and a total reach of 15 billion devices. The company partners with all major U.S. carriers, as well as US Cellular, Virgin, Boost, and MetroPCS to obtain data. LocationSmart even has agreements with some Canadian carriers, like Bell, Rogers, and Telus.
Screenshot of LocationSmart’s home page
As a result of being associated with Securus, and providing tracking data to the company without proof of consent (or a court order), LocationSmart has fallen under scrutiny as well. LocationSmart’s policy says it requires explicit consent from the user before their location data can be used, but it also allows some customers to obtain “implied” consent on a case-by-case basis. One example is obtaining the location of a stranded motorist when they call roadside assistance.
ZDNet reached out to all four major U.S. carriers for comment. Sprint said its partnership with Securus is limited “to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities,” and “does not include data sharing.” A Verizon spokesperson said, “We’re still trying to verify their activities, but if this company is, in fact, doing this with our customers’ data, we will take steps to stop it.” AT&T replied with, “We are aware of the letter and will provide a response.” T-Mobile did not respond at all.
Screenshot of Securus’ “try-before-you-buy” demo page. (source: ZDNet)
As the late Billy Mays would say, “But wait, there’s more!” CMU security researcher Robert Xiao discovered that LocationSmart didn’t prevent unauthorized API requests, theoretically allowing anyone to access the company’s data anonymously. He disclosed the vulnerability to LocationSmart on May 16, and it was fixed the next day. The company provided this statement to TechCrunch:
LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber. The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission.
On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.
In summary, not only are there companies selling your location data to unknown third parties, but said companies are also not taking proper steps to ensure the data isn’t being misused or easily stolen. Hopefully, the FTC cracks down on LocationSmart and similar companies for these actions, but at the moment its priority is cracking down on net neutrality. Good times.