A team of researchers has demonstrated that specially crafted batteries installed in a smartphone can allow malicious actors to harvest and exfiltrate sensitive information.
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors.
The U.S. Supreme Court today ruled that the government needs to obtain a court-ordered warrant to gather location data on mobile device users. The decision is a major development for privacy rights, but experts say it may have limited bearing on the selling of real-time customer location data by the wireless carriers to third-party companies.
At issue is Carpenter v. United States, which challenged a legal theory the Supreme Court outlined more than 40 years ago known as the “third-party doctrine.” The doctrine holds that people who voluntarily give information to third parties — such as banks, phone companies, email providers or Internet service providers (ISPs) — have “no reasonable expectation of privacy.”
That framework in recent years has been interpreted to allow police and federal investigators to obtain information — such as mobile location data — from third parties without a warrant. But in a 5-4 ruling issued today that flies in the face of the third-party doctrine, the Supreme Court cited “seismic shifts in digital technology” allowing wireless carriers to collect “deeply revealing” information about mobile users that should be protected by the 4th Amendment to the U.S. Constitution, which is intended to shield Americans against unreasonable searches and seizures by the government.
Amy Howe, a reporter for SCOTUSblog.com, writes that the decision means police will generally need to get a warrant to obtain cell-site location information, a record of the cell towers (or other sites) with which a cellphone connected.
The ruling is no doubt a big win for privacy advocates, but many readers have been asking whether this case has any bearing on the sharing or selling of real-time customer location data by the mobile providers to third party companies. Last month, The New York times revealed that a company called Securus Technologies had been selling this highly sensitive real-time location information to local police forces across the United States, thanks to agreements the company had in place with the major mobile providers.
It soon emerged that Securus was getting its location data second-hand through a company called 3Cinteractive, which in turn was reselling data from California-based “location aggregator” LocationSmart. Roughly two weeks after The Times’ scoop, KrebsOnSecurity broke the news that anyone could look up the real time location data for virtually any phone number assigned by the major carriers, using a buggy try-before-you-buy demo page that LocationSmart had made available online for years to showcase its technology.
Since those scandals broke, LocationSmart disabled its promiscuous demo page. More importantly, AT&T, Sprint, T-Mobile and Verizon all have said they are now in the process of terminating agreements with third-parties to share this real-time location data.
Still, there is no law preventing the mobile providers from hashing out new deals to sell this data going forward, and many readers here have expressed concerns that the carriers can and eventually will do exactly that.
So the question is: Does today’s Supreme Court ruling have any bearing whatsoever on mobile providers sharing location data with private companies?
According to SCOTUSblog’s Howe, the answer is probably “no.”
“[Justice] Roberts emphasized that today’s ruling ‘is a narrow one’ that applies only to cell-site location records,” Howe writes. “He took pains to point out that the ruling did not ‘express a view on matters not before us’ – such as obtaining cell-site location records in real time, or getting information about all of the phones that connected to a particular tower at a particular time. He acknowledged that law-enforcement officials might still be able to obtain cell-site location records without a warrant in emergencies, to deal with ‘bomb threats, active shootings, and child abductions.’”
However, today’s decision by the high court may have implications for companies like Securus which have marketed the ability to provide real-time mobile location data to law enforcement officials, according to Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, a nonprofit digital rights advocacy group.
“The court clearly recognizes the ‘deeply revealing nature’ of location data and recognizes we have a privacy interest in this kind of information, even when it’s collected by a third party (the phone companies),” Lynch wrote in an email to KrebsOnSecurity. “I think Carpenter would have implications for the Securus context where the phone companies were sharing location data with non-government third parties that were then, themselves, making that data available to the government.”
Lynch said that in those circumstances, there is a strong argument the government would need to get a warrant to access the data (even if the information didn’t come directly from the phone company).
“However, Carpenter’s impact in other contexts — specifically in contexts where the government is not involved — is much less clear,” she added. “Currently, there aren’t any federal laws that would prevent phone companies from sharing data with non-government third parties, and the Fourth Amendment would not apply in that context.”
And there’s the rub: There is nothing in the current law that prevents mobile companies from sharing real-time location data with other commercial entities. For that reality to change, Congress would need to act. For more on the prospects of that happening and how we wound up here, check out my May 26 story, Why is Your Location Data No Longer Private?
The full Supreme Court opinion in Carpenter v. United States is available here (PDF).Source: KREBS ON SECURITY
In the wake of a scandal involving third-party companies leaking or selling precise, real-time location data on virtually all Americans who own a mobile phone, AT&T, Sprint and Verizon now say they are terminating location data sharing agreements with third parties.
At issue are companies known in the wireless industry as “location aggregators,” entities that manage requests for real-time customer location data for a variety of purposes, such as roadside assistance and emergency response. These aggregators are supposed to obtain customer consent before divulging such information, but several recent incidents show that this third-party trust model is fundamentally broken.
On May 10, 2018, The New York Times broke the story that a little-known data broker named Securus was selling local police forces around the country the ability to look up the precise location of any cell phone across all of the major U.S. mobile networks.
Then it emerged that Securus had been hacked, its database of hundreds of law enforcement officer usernames and passwords plundered. We also learned that Securus’ data was ultimately obtained from a company called 3Cinteractive, which in turn obtained its data through a California-based location tracking firm called LocationSmart.
On May 17, KrebsOnSecurity broke the news of research by Carnegie Mellon University PhD student Robert Xiao, who discovered that a LocationSmart try-before-you-buy opt-in demo of the company’s technology was wide open — allowing real-time lookups from anyone on anyone’s mobile device — without any sort of authentication, consent or authorization.
LocationSmart disabled its demo page shortly after that story. By that time, Sen. Ron Wyden (D-Ore.) had already sent letters to AT&T, Sprint, T-Mobile and Verizon, asking them to detail any agreements to share real-time customer location data with third-party data aggregation firms.
AT&T, T-Mobile and Verizon all said they had terminated data-sharing agreements with Securus. In a written response (PDF) to Sen. Wyden, Sprint declined to share any information about third-parties with which it may share customer location data, and it was the only one of the four carriers that didn’t say it was terminating any data-sharing agreements.
T-Mobile and Verizon each said they both share real-time customer data with two companies — LocationSmart and another firm called Zumigo, noting that these companies in turn provide services to a total of approximately 75 other customers.
Verizon emphasized that Zumigo — unlike LocationSmart — has never offered any kind of mobile location information demo service via its site. Nevertheless, Verizon said it had decided to terminate its current location aggregation arrangements with both LocationSmart and Zumigo.
“Verizon has notified these location aggregators that it intends to terminate their ability to access and use our customers’ location data as soon as possible,” wrote Karen Zacharia, Verizon’s chief privacy officer. “We recognize that location information can provide many pro-consumer benefits. But our review of our location aggregator program has led to a number of internal questions about how best to protect our customers’ data. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.”
In its response (PDF), AT&T made no mention of any other company besides Securus. AT&T indicated it had no intention to stop sharing real-time location data with third-parties, stating that “without an aggregator, there would be no practical and efficient method to facilitate requests across different carriers.”
Sen. Wyden issued a statement today calling on all wireless companies to follow Verizon’s lead.
“Verizon deserves credit for taking quick action to protect its customers’ privacy and security,” Wyden said. “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.”
Update, 5:20 p.m. ET: Shortly after Verizon’s letter became public, AT&T and Sprint have now said they, too, will start terminating agreements to share customer location data with third parties.
“Based on our current internal review, Sprint is beginning the process of terminating its current contracts with data aggregators to whom we provide location data,” the company said in an emailed statement. “This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services. Sprint previously suspended all data sharing with LocationSmart on May 25, 2018. We are taking this further step to ensure that any instances of unauthorized location data sharing for purposes not approved by Sprint can be identified and prevented if location data is shared inappropriately by a participating company.”
AT&T today also issued a statement: “Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.”
KrebsOnSecurity asked T-Mobile if the company planned to follow suit, and was referred to a tweet today from T-Mobile CEO John Legere, who wrote: “I’ve personally evaluated this issue & have pledged that T-Mobile will not sell customer location data to shady middlemen.” In a follow-up statement shared by T-Mobile, the company said, “We ended all transmission of customer data to Securus and we are terminating our location aggregator agreements.
Wyden’s letter asked the carriers to detail any arrangements they may have to validate that location aggregators are in fact gaining customer consent before divulging the information. Both Sprint and T-Mobile said location aggregators were contractually obligated to obtain customer consent before sharing the data, but they provided few details about any programs in place to review claims and evidence that an aggregator has obtained consent.
AT&T and Verizon each said they have processes for periodically auditing consent practices by the location aggregators, but that Securus’ unauthorized use of the data somehow flew under the radar.
AT&T noted that it began its relationship with LocationSmart in October 2012 (back when it was known by another name, “Locaid”). Under that agreement, LocationSmart’s customer 3Cinteractive would share location information with prison officials through prison telecommunications provider Securus, which operates a prison inmate calling service.
But AT&T said after Locaid was granted that access, Securus began abusing it to sell an unauthorized “on-demand service” that allowed police departments to learn the real-time location data of any customer of the four major providers.
“We now understand that, despite AT&T’s requirements to obtain customer consent, Securus did not in fact obtain customer consent before collecting customers’ location information for its on-demand service,” wrote Timothy P. McKone, executive vice president of federal relations at AT&T. “Instead, Securus evidently relied upon law enforcement’s representation that it had appropriate legal authority to obtain customer location data, such as a warrant, court order, or other authorizing document as a proxy for customer consent.”
McKone’s letter downplays the severity of the Securus incident, saying that the on-demand location requests “comprised a tiny fraction — less than two tenths of one percent — of the total requests Securus submitted for the approved inmate calling service. AT&T has no reason to believe that there are other instances of unauthorized access to AT&T customer location data.”
Blake Reid, an associate clinical professor at the University of Colorado School of Law, said the entire mobile location-sharing debacle shows the futility of transitive trust.
“The carriers basically have arrangements with these location aggregators that contractually say, ‘You agree not to use this access we provide you without getting customer consent’,” Reid said. “Then that aggregator has a relationship with another aggregator, and so on. So what we then have is this long chain of trust where no one has ever consented to the provision of the location information, and yet it ends up getting disclosed anyhow.”
Curious how we got here and what Congress or federal regulators might do about the current situation? Check out last month’s story, Why Is Your Location Data No Longer Private.
Update, 5:20 p.m. ET: Updated headline and story to reflect statements from AT&T and Sprint that they are winding down customer location data-sharing agreements with third party companies.
Update, June 20, 2:23 p.m. ET: Added clarification from T-Mobile.Source: KREBS ON SECURITY
A newly added “Endpoint Verification” feature in G Suite provides administrators with increased visibility into the computers that have access to corporate data.