No Data Breach And No User Data Leaked
A forensic investigation conducted by a national cybersecurity research firm found no evidence of a data breach nor that any end user data was accessed without their consent as a result of the hack.
A forensic investigation conducted by a national cybersecurity research firm found no evidence of a data breach nor that any end user data was accessed without their consent as a result of the hack.
On the evening of May 16, 2018, a security blogger contacted LocationSmart and accused it of leaking user location data, but refused to provide specifics. Despite the lack of detail, LocationSmart quickly reviewed its system activity and discovered that its online demo had been used to look up 'white pages" type data for the blogger's office phone number through normal use of the demo. That lookup required acceptance of its terms of use.
As readers may know, data about landline and other phone numbers is openly available on many "white pages" websites based on data in the public domain and other available sources. The LocationSmart demo could be used to look up that same type of public data, as was apparently done in the blogger's case.
After being contacted by the blogger, LocationSmart also immediately began investigating and monitoring its systems for any unusual activity. Within a few hours, LocationSmart discovered evidence of activity that was not consistent with the demo's normal use. Out of an abundance of caution, LocationSmart immediately shut down the demo and began working to find and eliminate any vulnerability that may have been exploited by potential hacking.
Almost immediately after the demo was shut down on the morning of May 17, 2018, a PhD cybersecurity researcher from CMU published a blog post describing details of their hack of the LocationSmart demo. What they described was consistent with the activity that LocationSmart had detected and shut down. Around the same time as the researcher's posting, the blogger that had contacted LocationSmart the previous evening also posted a blog containing specifics of their allegations and referencing the CMU researcher's exploits. Based on their individual blog posts, they appear to have been collaborating but neither informed LocationSmart of their specific activities or findings prior to publishing their blog posts.
During LocationSmart's continuing investigation, it discovered that a user with a CMU email address had recently used the demo as intended. They too had accepted the terms of use required to allow the demo to operate and, in their case, provided consent via two-way SMS messaging allowing them to obtain and view the location of their mobile device via the demo.
The exploit that circumvented the demo’s consent functionality described in the CMU researcher’s blog post took place shortly after the normal use of the demo by the above user with the CMU email address. While the researcher’s exploit circumvented the demo’s consent functionality, their blog post confirmed that the location of a handful of cooperating collaborators had been accessed only after obtaining their consent. When contacted by the blogger, LocationSmart was not informed of any of those details nor of any relationship between the blogger and researcher.
Under normal use, each demo user was required to accept terms of use via a mandatory checkbox that prevented its operation without prior acceptance. A link to the terms was prominently located beside the checkbox for the user to access and review. The demo also required a second factor authentication via two-way SMS messaging to confirm consent for any mobile device to be located within the demo. Location was not allowed by the demo without that consent having been provided. Furthermore, the terms of use prohibited unintended use of the demo, reverse engineering of its code, copying of its content, or publishing of any information obtained via its use. It also provided instructions and contact details for users to inform LocationSmart of any questions about the terms of use. All of those prohibitions and requests appear to have been ignored by the blogger and researcher as related to the hack.
Because LocationSmart takes privacy seriously, it acted immediately upon receiving the blogger's vague warnings and quickly found and eliminated the vulnerability exploited by the hacker. LocationSmart is grateful that it was able to do so within a few short hours after the exploit was discovered. Additionally, an independent forensic investigation was conducted by a nationally recognized cybersecurity research firm. Its findings concluded that no data breach had occurred and no end user data had been accessed without consent.
LocationSmart's Post-Investigation Statement Regarding the Hack
"Within 24 hours of learning that a PhD cybersecurity researcher had exploited a vulnerability in an online demo (aka "LocationSmart hack"), LocationSmart eliminated the vulnerability and shut down the demo. As reported, the researcher accessed location for devices belonging to several collaborators who had all agreed to participate in the exploit. A forensic investigation conducted by a national cybersecurity research firm found no evidence of a data breach nor that any end user data was accessed without their consent. Additionally, LocationSmart discontinued the location services targeted by the demo exploit in 2019. LocationSmart has always taken end user privacy seriously and was grateful that it was able to quickly identify and eliminate the vulnerability and further strengthen its data protections as a result."
Original Statement Re: LocationSmart Hack - May 18, 2018
"LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber. The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."
About LocationSmart:
LocationSmart is the worldwide leader in location-based services for online gaming compliance and IoT asset monitoring. We offer a robust platform that delivers critical location data, consent management, compliance services, and device profiling for our business customers. Our cloud-based location platform provides web services API access to core location technologies that span indoor and outdoor use for any type of connected device regardless of platform or network. LocationSmart serves clients ranging from start-ups to Fortune 500 companies. With a global reach of more than 200 countries, LocationSmart delivers the broadest reach and largest global footprint among geolocation services. For more information, please contact us.