Checklist 92: Is There a Plumber in the Building?

In many of our recent episodes, we’ve spent plenty of time talking about data breaches, a subject that often dominates security conversations these days. For good, reason, too, as everyone from major credit bureaus such as Equifax to retail store chains have lost or mishandled user information in recent years. Data breaches aren’t the only ways your personal information ends up in the hands of people who might not be authorized to handle it, though — leaks can and do happen, too, and organizations could hand your data off to someone they shouldn’t.

This week on The Checklist, we’re wondering if there are any digital plumbers around — because it looks like everyone has some serious leaks to fix! On our list for this week:

• Securus: Not So Secure After all
• US Cell Carriers Sell Real-Time Location Data
• LocationSmart Leaked Location Data for All Major US Carriers
• Parental Controls Gone Wrong: Apps Expose Passwords
• Comcast Drops the Ball: Xfinity Site Leaks User Info

For the first half of today’s show, we’re focusing on what your cell phone could reveal about you, intentionally or unintentionally, and how those responsible for your data might be falling short of the best practices.

Securus: Not So Secure After all

Concerns about what your phone’s GPS data can reveal about you and your activities have existed since phones first began to offer location services. That’s why it’s often so important to take care of which apps you grant permission to access your location. As a matter of personal privacy, it just makes good sense to safeguard this information — but did you know that, as with many other items of personal information, many people view your GPS data as a valuable commodity to buy and sell? It’s an unfortunate and creepy truth: there are numerous companies out there right now that buy location data directly from cell carriers just to turn around and resell that data immediately.

One of those companies, Securus, takes this information and packages it for sale to law enforcement. This data would typically go to a marketing company (which is uncomfortable in its own right) but Securus, which already provides monitoring for calls that prisoners make, chose to provide law enforcement with the ability to “track mobile devices even with GPS turned off.” How is that possible? Securus customers receive the geo-location information pinged to cell towers when you place and end phone calls. That would allow a police officer to know the rough placement of your phone when you last received a phone call.

The news that Securus was allowing the police to locate phones with pinpoint accuracy was first reported by the New York Times on May 10. In that story, they described how a sheriff in Missouri used and abused the Securus service to check up on the locations of other police officers and even a judge. The potential for abuse with this kind of information is clearly huge, and Securus’s lax policies — they do not check on the validity or authenticity of the warrants provided to them — spurred one senator to demand an investigation by the FCC.

It wasn’t even a full week after this news came out that something worse about Securus emerged: despite their name, the company isn’t very secure at all. On May 16th, Motherboard posted an article claiming that a hacker had contacted them with proof they had breached Securus, providing the publication with a list of usernames and poorly-secured passwords created by the company’s law enforcement customers. These internal documents contained a wealth of information, including a spreadsheet with nearly three thousand usernames, along with email addresses, phone numbers, security questions, and even the hashed passwords. This information dates to 2011 and covers many of Securus’s customers.

Although the passwords weren’t stored in plain text, they might as well have been: the hashed passwords were created using the MD5 algorithm, which has been completely broken for years. Decrypting MD5-hashed passwords is trivial now a days, which is why it hasn’t been used or recommended for proper security for quite some time. Of course, as it turns out, Securus is apparently full of holes, and not just the one exploited by the hacker. A user manual created by Securus for their service is openly available online, and they contain plenty of screenshots to demonstrate how it works. The problem? The screenshots don’t contain fake information as you’d expect from a manual — instead, they use real personally identifiable information. All in all, this is the type of situation that leaves one shaking your head in disbelief — but this is only the tip of the iceberg.

US Cell Carriers Sell Real-Time Location Data

You might be wondering: how is any of this legal? How is it okay for government agencies such as police departments to get their hands on the ability to geo-locate practically any cell phone user at any time? In fact, strictly speaking, it isn’t legal. There is a law known as the Electronic Communications Privacy Act, designed to safeguard consumers from situations such as these. The ECPA, passed in 1986 during concerns about the rising amount of electronic data not subject to anti-wiretapping laws, restricts the ability of telecom businesses to share their data with the government. Unfortunately, there’s a loophole, and it’s large enough for large amounts of data to escape.

Remember, law enforcement agencies weren’t purchasing this location data directly from Verizon or AT&T. By purchasing it through a third party like Securus, LEOs can skirt the legal prohibitions that would normally stop them from obtaining this information. The ECPA only puts hard limits on direct disclosures between telcos and the government. Therefore, this roundabout way of handing over the data remains legal, if potentially ethically dubious.

Government agencies are not the only ones purchasing this data, though, and Securus is certainly not the only business focused on reselling data from cell carriers. In some cases, the uses for the information are completely legitimate and even warranted. In many other cases, though, the opposite is true.

One positive real-world example centers around tracking shipments. Using location data can help to ensure that deliveries arrive on time and that drivers follow the proper delivery routes for fuel efficiency and prompt package arrivals. Banks, too, might want to make use of this information in their sophisticated anti-fraud efforts.

Consider this example: you make a purchase with your credit in your hometown in the morning on your way to work. Just a few minutes later, the same card number shows up in a transaction that takes place 100 miles away. If the bank can cross-reference your cellphone location records to the places where these transactions took place, they can make a smart assessment of the risk of fraud. In this example, they could stop the transaction and alert you to the fact that someone may have stolen your card number.

But not all examples are positive, though. Some companies, for example, could use your location data to send you a text message when you visit a rival store. Perhaps they want to offer you a coupon or encourage you to check out their new products — but if you wanted to go there, you’d have picked them first! Unfortunately, marketers don’t seem to consider how they’d feel about their own personal data being used in this way; efforts like this are underway in a variety of industries. The true scope of how much this location data is sold and shared is hard to know, and it’s difficult to speculate how many have legitimate versus not so legitimate uses for the information. It’s one thing that this info is even for sale — but wait till you find out how some companies handle, or as the case may be, mishandle the data.

LocationSmart Leaked Location Data for All Major US Carriers

As if it wasn’t already bad enough that your location data is often for sale without your knowledge, it turns out one of the biggest purveyors of that information hasn’t been following good security practices, either. As it turns out, Securus wasn’t actually purchasing data directly from cell carriers, either. They were using another intermediary, known as LocationSmart, one of the biggest companies receiving and reselling user location data. Well, LocationSmart seems to have had a large bug present on their website — and that bug would allow literally anyone who wanted it the opportunity to gain real-time access to highly precise location data for mobile devices within the United States. No password, no username, no authorization—it was available right there on the site!

How could such a glaring oversight exist? The problem was rooted in a demo version of LocationSmart’s tracking abilities that was available publicly on the Internet. The purpose: provide prospective clients with a chance to try it out on themselves to experience to see the accuracy firsthand before choosing to make a purchase. All one had to do was plug in their name, email address, and phone number. LocationSmart would then send a text message to the device requesting permissions to check their location. Once granted, LocationSmart would ping the cell tower nearest to their device and receive their location back promptly.

A security researcher based out of Carnegie Mellon University uncovered the bug in question hiding in this demo. With a “minimal” amount of knowledge about how websites work, the researcher claimed, one could manipulate the demo to repeatedly request pings on any mobile device without ever requesting permission from that device’s owner. Over several days of testing, researchers were able to confirm the method worked. Some tests even revealed that multiple pings were accurate enough to track a user’s movement over time, and others showed that the service worked for a user in Canada as well.

With no authentication necessary to trigger this bug, and no consent from the user, it could have allowed anyone with the right knowledge to spy on someone else’s location through their phone. The worst part of this demo: it’s been a part of LocationSmart’s website since at least January 2017, meaning it has been leaking this data for well over a year at this point. When well-known researcher Brian Krebs brought the situation to LocationSmart’s attention, they quickly disabled the demo and removed it from their website altogether.

While it’s good news to see the company respond quickly, the lax handling of such sensitive data for so long surely raises other questions about how they manage the information they hold. For now, though, their services remain in the clear, legally speaking, and with no clear evidence of problems caused by the leaky demo, the fallout has been minimal. Even so, it’s a shocking example of a common lapse in security on the web.

Parental Controls Gone Wrong: Apps Expose Passwords

Way back in Episode 69 of The Checklist, one of the topics we covered focused on apps that can allow parents to track their kids. For some families, this may seem like an investment in safety and an opportunity to keep tabs on where their children go, though we did not recommend this type of software during our discussion. As it turns out, these programs can be a potential weak point when it comes to safeguarding your information. Recently, one of the main companies providing this type of service to parents everywhere was exposed for not properly handling user information. As it turns out, while they built their business model on keeping track of kids, they were no good at keeping track of their own security efforts.

Called TeenSafe, the app bills itself as a way for parents to exercise an enormous amount of oversight on their children by viewing text messages, current device location, when and to whom they make phone calls, what apps they have installed, and even the websites they visit on their phone’s browser. Rather than relying on a jailbreak as some apps, TeenSafe instead pulls all its data out of iCloud backups — which means iCloud needs to be enabled on the device. Parents must also disable two-factor authentication to allow the app to work.

In other words, parents would need to give the app their child’s iCloud account username and password. They’d also need to disable an important security feature to do their snooping. Since we’re reporting on this story on The Checklist, you already know something must have gone wrong—so what happened?

Robert Wiggins, an independent security researcher, was probing this particular type of software when he uncovered two highly leaky servers used by TeenSafe. While one of these machines appeared only to contain test data used by the company to develop its services, the other server held customer records — nearly 10,000 in number. So, what did Wiggins have to do to break in to these servers to see the information? Nothing! There was no breaking and entering or clever hacking going on here. Instead, TeenSafe left the servers entirely unsecured. Anyone with the right idea about where to look could have accessed their info without ever being asked for a password or a username.

Once Wiggins began examining the data, he realized TeenSafe was leaking some very sensitive information indeed. Contained on the live server was a treasure trove for potential bad guys: the parent’s email address, the child’s Apple ID email address (which works as the iCloud login), the child’s registered device name, and its unique identifying number. Of course, it wouldn’t be a Checklist story without the cherry on top: TeenSafe stored the child’s Apple ID password in plain text!

With no two-factor authentication, anyone who accessed this server would have everything they need to log into an iCloud account and leave no trace behind. The only potential silver lining about this story is the fact that TeenSafe did not store other sensitive iCloud data, such as the photos, messages, or location data tied to the phone. Even so, this represents a massive lapse in security on multiple levels. From leaving the servers wide open to not hashing the passwords, this is a big entry in the “security fail” column.

Now is a good time to reiterate a point we touched on during our list discussion of monitoring software such as TeenSafe. During that talk, we talked about how it’s always a bad idea to provide a third party with your Apple ID and password. How can you trust that they will use it safely or appropriately? The TeenSafe fiasco is the perfect example of both the pitfalls of this software and of handing out your Apple ID to other parties.

Comcast Drops the Ball: Xfinity Site Leaks User Info

Mobile phone users aren’t the only ones coping with a multitude of data leaks, though. Is Comcast Xfinity your Internet service provider? Congratulations — you get to join in on the fun and games, too!

As part of the basic setup process for new Xfinity routers, Comcast operates a website where users can plug in the right numbers and activate the modem. This is commonly the case for a new installation, or when you transfer your service from one location to another. Can you guess the problem we’re about to discuss? That’s right: the website had a bug, of course, and with the right steps, someone could have forced the website to give up sensitive information on the customers. It was a simple thing to do, too: all you needed was the ID number for a customer account and that customer’s house or apartment number.

Wait a minute — you might ask — that’s all? It’s true. While the website asked for the full address, it appears the input was not properly validated, and so all that was truly required was the number in the address. In other words, a determined attacker who had an ID number, but no address could simply brute force the field until it found the number that worked. Once successfully gaining access, the attacker would receive the following information:

• The router’s complete physical address
• The name of the Wi-Fi network (potentially valuable information for an attacker)
• The Wi-Fi network’s password, stored in plaintext

Worse still, activating your router wouldn’t close any doors to the bad guys. The bug remained available to exploit indefinitely after activation, so there would be nothing to stop a malicious hacker from exploiting the form at any time to gain Wi-Fi network names and passwords. With that information — if they were able to get in physical range of the modem — they could log in to the network and snoop through the unencrypted network traffic at will. While this might not be something that would happen to the Average Joe, it could be a serious leak if someone wanted to target specific individual. The bad guys could even use a tool built-in to the page to rename the Wi-Fi network and changes its password — locking out the legitimate users on the network!

The good news: Comcast has already acted, and the buggy web tool has since been disabled. Even so, it shows that massive, multi-billion-dollar corporations are just as vulnerable to poor practices and simple mistakes as the maker of a parental control app. While it’s positive that Comcast moved swiftly to make amends, the reality is this bug should never have made it into the wild to start.

Leaks, breaches, and hacks — it seems like our information is under assault from every angle these days. That’s why it’s so important to take the time to keep up to date on the news and stay informed about what’s going on, so you can empower yourself to demand change or make smart choices. With that, we conclude today’s discussion on The Checklist, although this certainly won’t be the last time we discuss leaky sources of digital data.