Where Does Cell Phone Location Data Go?

Have you ever wondered what happens to the location information your smartphone is collecting about you?  Who has access to that information, and for what purpose?  As it turns out, as told in a recent report by Brian Krebs, this information is available to pretty much anybody.

A related article in Sophos’ Naked Security blog pointed to a major location data breach by location aggregator LocationSmart, a company that purchases cell phone location information from all the major and many smaller cell phone carriers.  The list includes Verizon, AT&T, T-Mobile, Sprint, US Cellular, Virgin Mobile, Boost, and MetroPCS, and Canadian carriers Bell, Rogers, and Telus.

Your smartphone is a remarkable device, and has successfully folded several stand-alone devices into a single convenient hand-held computer.  The functions include a telephone service of course, music player, book reader, camera, portable data storage unit, laptop or tablet, and GPS.  GPS (Global Positioning System) is what provides location information to useful mapping apps such as Google Maps.  But most cell phone apps request permission for location information upon installation.  Why would a flashlight app need to know your location?  Ever wonder how Google knows about traffic tie-ups that they report on Google Maps?  It is the result of aggregated, real-time location, direction, and velocity information of thousands of phones trapped in rush-hour traffic flows.  Or how Walmart knows you just pulled into their parking lot?  Is it a shopping app?  What are app developers doing with that information?  What kind of data do GPS-connected apps gather?  More importantly, just who can access this information?

Location information that is available from smartphone records can include:

  • latitude and longitude
  • direction of travel (heading)
  • velocity (speed)
  • altitude
  • cell tower connection information
  • Wi-Fi access point connection information
  • IP address information

As to who has access to location information, it is pretty much available to anyone willing to open an account with a location aggregation firm.  But due to recent breaches at LocationSmart and Securus, location information is freely available to anyone with a modicum of technical background.  From Sophos:

“Then there was the flaw in LocationSmart’s website. Krebs reports that Xiao, the Carnegie Mellon University researcher, found that LocationSmart’s demo page required users to consent to having their phone located by the service, but the application programming interface (API) used to display responses to visitors’ queries didn’t prevent or authenticate interaction with the API itself.

Then too, on Wednesday there was another shocker: Motherboard brought us news of a hacker who broke into Securus’s servers to steal 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users. The hacker reportedly gave Motherboard some of the stolen data, including usernames and poorly secured passwords – secured with the notoriously weak MD5 algorithm – for thousands of Securus’s law enforcement customers.”
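The flaw Sophos describes is a consent check that lived in the demo page rather than in the API behind it. The sketch below is an added example, not LocationSmart's code, contrasting that pattern with a lookup that enforces consent on the server; the function names, token format, phone numbers, and coordinates are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical model of the flaw class; not LocationSmart's real API or data.
SERVER_KEY = secrets.token_bytes(32)
CONSENT_TTL = 300  # seconds a consent token stays valid

# Constructed sample records standing in for carrier location data.
LOCATIONS = {"+15555550100": (44.95, -93.09), "+15555550101": (44.98, -93.27)}


def _mac(phone, ts):
    return hmac.new(SERVER_KEY, f"{phone}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_consent_token(phone, now=None):
    """Issued only after the phone's owner approves, e.g. by replying to an SMS."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(phone, ts)}"


def consent_is_valid(phone, token, now=None):
    """True only for an unexpired token bound to this exact phone number."""
    try:
        ts, mac = token.split(".", 1)
        age = (time.time() if now is None else now) - int(ts)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    same = hmac.compare_digest(mac.encode(), _mac(phone, ts).encode())
    return same and 0 <= age <= CONSENT_TTL


def lookup_ui_only(phone):
    """Flawed pattern: the web page asks for consent, the API never checks it."""
    return LOCATIONS.get(phone)


def lookup_enforced(phone, token, now=None):
    """Hardened pattern: the API itself refuses requests lacking valid consent."""
    if not consent_is_valid(phone, token, now):
        raise PermissionError("no valid consent on record for this number")
    return LOCATIONS.get(phone)
```

Because the token is bound to one phone number and expires, consent given for one number cannot be reused to look up another, and a request that skips the web page entirely is refused.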

Another revelation is that this information is being purchased by law enforcement agencies, who are using a loophole in the law to get around the need for warrants.  Under US law, law enforcement officers are supposed to get a warrant in order to request cell phone data, including location data, from a cell phone carrier.  But they are not prohibited from purchasing this data from information aggregators and resellers such as LocationSmart and Securus, which is exactly what an enterprising sheriff’s deputy in Missouri was doing.  From Krebs on Security:

“On May 10, The New York Times broke the news that a different cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to a sheriff’s office in Mississippi County, Mo.”

This is an area of data privacy (or the lack thereof) that will require legislation to regulate who has access to this information.  This is on par with the Equifax breach, in the way that this information is stored with poor or no encryption, and access is provided to anyone with a credit card or the skills to hack the location information directly from the servers.  It is another intrusion into our personal privacy that we probably gave away willingly when we installed that app.  Again, my advice is to think before allowing permission for location information, and review the permissions on apps installed in your phone.  Uninstall any phone apps you are not using, including some of the ones that came preinstalled on the phone.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
