The login details of a company that buys phone location data from major telecom carriers and then sells access to it to the police have been stolen and leaked.
According to information security experts, a hacker broke into the servers of Securus, the company that allows almost any phone to be traced and whose conduct a US senator has urged federal authorities to investigate. The hacker provided the stolen data to Motherboard, including usernames and weakly protected passwords for thousands of Securus customers.
It is still unclear how many of these customers are using the Securus service; this news is a sign of the lax security of a company that grants exceptional power to monitor people.
“Location aggregators are one of the juiciest hacking targets imaginable,” said Thomas Rid, professor of strategic studies at Johns Hopkins University.
Recently, a New York Times investigation revealed that Securus obtains phone location data from major telecommunications companies, such as AT&T, Sprint, T-Mobile and Verizon, and then makes this information available to its customers. The data collection system is usually used by marketing specialists, but Securus provides a product for police forces to track phones nationwide with little legal oversight.
The hacker provided Motherboard with several internal files of the company. One is a spreadsheet from a database marked “police”, which includes more than 2,800 usernames, email addresses, phone numbers, hashed passwords and security questions. The hashes were created using the notoriously weak MD5 algorithm, which means that attackers could recover a user’s actual password. According to information security experts, some of the passwords have already been cracked and are included in plain text in the spreadsheet. It is not clear whether the hacker who provided the data cracked these supposed passwords or whether Securus stored them in this way.
A large number of users in the spreadsheet come from government agencies, including local police departments, local counties and city police. The affected cities include Minneapolis, Phoenix and Indianapolis among others. The data also includes Securus staff members, as well as users with personal email addresses.
Information security professionals verified the data using the forgotten password function of the Securus site. When presented with a username and an email address from the hacked data, the site advanced to the next stage of the password reset process, confirming that those credentials are stored within the Securus systems.
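The verification method described above works because the reset form behaves differently for a username and email that exist than for ones that do not, which lets anyone confirm a leaked credential list against the live system. The following is an added example, not Securus code or anything from the article, of a reset flow that returns the same reply in every case and only acts (by mailing a single-use, time-limited token) when the pair actually matches. The account directory, mail hook and timeouts are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# One reply for every request, so the response cannot be used to confirm an account.
GENERIC_REPLY = "If the details match an account, a reset link has been sent to its registered address."
TOKEN_TTL_SECONDS = 15 * 60


class ResetService:
    def __init__(self, accounts: Dict[str, str], send_mail: Callable[[str, str], None]):
        self.accounts = accounts          # username -> registered email (constructed directory)
        self.send_mail = send_mail        # hook that delivers the token out of band
        # Only the hash of each issued token is kept, so a copy of this table is not enough to reset.
        self.tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, username: str, email: str) -> str:
        registered = self.accounts.get(username)
        # Always run the comparison, against a dummy value when the user is unknown,
        # so the unknown-user path does not return measurably faster.
        candidate = (registered or "unknown@invalid").strip().lower()
        matches = hmac.compare_digest(candidate, email.strip().lower())
        if registered is not None and matches:
            token = secrets.token_urlsafe(32)
            self.tokens[self._fingerprint(token)] = (username, time.time() + TOKEN_TTL_SECONDS)
            self.send_mail(registered, token)
        return GENERIC_REPLY

    def redeem(self, token: str) -> Optional[str]:
        """Return the username for a valid, unexpired token and consume it; None otherwise."""
        entry = self.tokens.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if time.time() > expires_at:
            return None
        return username


if __name__ == "__main__":
    outbox = []
    svc = ResetService({"warden_demo": "warden@example.invalid"},
                       lambda addr, tok: outbox.append((addr, tok)))
    print(svc.request_reset("warden_demo", "warden@example.invalid"))
    print(svc.request_reset("nobody", "nobody@example.invalid"))   # identical reply
    print("mails sent:", len(outbox))
    print("redeemed for:", svc.redeem(outbox[0][1]))
```

Rate limiting per source address and per target account belongs in front of this endpoint as well, since a uniform reply alone does not stop bulk submission of a leaked list.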
It is not clear how many of these users have access to the Securus telephone tracking service. But part of the data indicates that many users will work in prisons: some of the users are marked as “jail administrator”, “prison captain” and “deputy warden”.
The Securus website advertises the ability to “Track mobile devices even when the GPS is off” and to provide “Call detail records that provide call origination data and geographic location of call termination”. This is the product that is being abused by law enforcement officers.
“Securus allows tracking without a court order and allows users to claim permission to do so without verifying it. That’s a problem,” said Andrew Crocker, a lawyer with the Electronic Frontier Foundation campaign group. A hacker who has access to a list of Securus users and their login data could therefore be particularly dangerous.
This latest data breach is not the only sign that Securus is careless with confidential information. In a Securus user manual available online, one section shows a map and a user interface for a Securus product, but instead of filling the screen with fake data for demonstration purposes, the guide appears to include the real name, address and phone number of a particular woman.
“The PII exposure in the public user guide raises a question: does Securus have the established culture and procedures to protect sensitive PII? The answer seems to be no,” Rid said.