
This CMU researcher hacked cellphone location data in just 15 minutes

Aaron Aupperlee | Friday, May 18, 2018 1:21 p.m.

A researcher at Carnegie Mellon University and member of its elite hacking team exposed a bug in a cellphone tracking service that allowed him — and potentially countless others — to track Americans in real time using their cell signals.

Robert Xiao said he “stumbled” on the hack after visiting the website of LocationSmart this week to check the company’s security measures.

The hack took 15 minutes, Xiao said. After finding the bug, he was able to track anyone.

“If I knew your 10-digit phone number, I could type it in, and I could track you in real time,” Xiao told the Tribune-Review on Friday. “I can watch you moving around. I can watch you driving around. I can watch you going to work and leaving from work.”

Xiao said the implications of what he found hit him hard. It was frightening. Anyone could track anyone. An adversary of the United States, a state actor like Russia or North Korea, could track the movements of any American with a cellphone or those of top military advisers or troops. His heart was racing when he discovered it.

“It felt sort of surreal,” Xiao said, describing a “humungously sinking feeling.”

LocationSmart has fixed the bug in the online demo that Xiao used and took the demo offline, Brenda Schaffer, vice president of product and marketing, wrote in an email to the Tribune-Review. Schaffer said the company has confirmed that no one else exploited the bug and it did not result in any customer information being obtained without consent.

“LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process,” Schaffer wrote.

LocationSmart is based in Carlsbad, Calif. The company uses cellphone location data from cellphone service providers to locate “15 billion devices anywhere in the world, for any location need,” according to its website. The company claims it helps businesses track workers and assets.

Consent easily bypassed

The public demo Xiao exploited was meant to show off LocationSmart’s tracking service. A person using the demo could request to track a phone number. That phone number would then be notified that someone wished to track it, and the owner of the phone number would give consent to be tracked for the purpose of the demo. Xiao dug into the demo’s code a little bit, found a way to bypass the consent part and had what he called “the ultimate tracking tool.”

Xiao became interested in LocationSmart when the company landed in the news for its connection to Securus, a company that monitors calls to U.S. prison inmates. Reporting by The New York Times uncovered that a former Missouri sheriff used Securus to track people’s cellphones, including other officers.

When the Federal Communications Commission demanded to know how Securus obtained cellphone location data, the company revealed that it got it through LocationSmart, according to a story on ZDNet. LocationSmart claims to have “direct connections” to all major U.S. cellphone providers, including AT&T, Verizon, T-Mobile and Sprint.

The ZDNet story prompted Xiao to take a look at LocationSmart.

“I wonder if they are securing customers’ data?” Xiao said he thought after reading the story. “Because this is pretty frightening stuff already.

“Within 15 minutes, I had my answer, and the answer was no.”

Hacking for good, not evil

Xiao is a Ph.D. candidate at CMU’s Human-Computer Interaction Institute, where he studies how humans and computers interact. He recently worked on a project that used a smartwatch to turn your arm into a trackpad.

That’s his day job, he said. For fun, Xiao dabbles in security research, essentially a euphemism for white-hat hacking. Xiao didn’t hack LocationSmart with any malicious intent. He did so to see whether his personal data, and everyone else’s, was secured.

It wasn’t.

Xiao is a member of CMU’s Plaid Parliament of Pwning hacking team. The team has won more DEFCON Capture the Flag competitions than any other team. They are some of the best hackers in the world working for good, not evil.

Xiao said a complex hack sometimes takes eight to 12 hours to put together and execute. It took him 15 minutes to expose the vulnerability at LocationSmart. He said the hacking team runs competitions for high school students.

“It’s not completely unlike the challenges we ask them to do,” Xiao said. “We’ve had some very bright high school students solve problems harder than this.”

Xiao is leaving CMU this year and will start as an assistant professor of computer science at the University of British Columbia in January. The LocationSmart bug is the biggest he’s ever discovered. He hopes it’s the biggest he ever discovers.

“But there are probably even worse bugs out there,” Xiao said.

Spotlight on data security

Xiao discovered the bug Wednesday. Once Xiao figured out what he had found, he tested it on a few friends and colleagues — with their consent — to make sure he really had found a way to track people’s cellphones. He said he asked a friend in Hawaii for permission and watched that friend move about the island.

Xiao then notified US-CERT, the United States Computer Emergency Readiness Team. US-CERT, a division of the Department of Homeland Security, worked with Xiao to properly and safely disclose the vulnerability. Xiao said caution here is important. People need to know that their data was compromised, but people don’t need to know how to compromise it until the vulnerability is fixed.

Xiao never spoke to LocationSmart directly. He hasn’t heard from the company since.

When the demo was taken down and Xiao felt it safe to make his discovery public, he contacted Brian Krebs, a security researcher and reporter. Krebs broke the story on his website Thursday.

Xiao said he decided to make his breach at LocationSmart public, in part, to start a larger discussion about the security surrounding data such as cellphone locations.

“I just got access to everyone’s location,” Xiao said. “I shouldn’t be able to do that in a sane world.

“No company should be able to be that cavalier with this type of information.”

Aaron Aupperlee is a Tribune-Review staff writer. Reach him at 412-336-8448 or via Twitter @tinynotebook.
