yoshitaka272 - Fotolia
A company accused of providing mobile location data to law enforcement without warrants has been hacked, exposing data on its customers.
A hacker breached Securus Technologies, a U.S. prison phone service provider based in Carrollton, Texas that can also track almost any mobile device in the country via data obtained from wireless carriers like Verizon, AT&T, T-Mobile and Sprint. The Securus hack exposed usernames, email addresses, phone numbers and passwords for the company's customers, according to data obtained by Motherboard.
The hacker supplied some of the breached data to Motherboard for verification, including a spreadsheet labeled "police" that listed data on 2,800 Securus customers from sheriff's departments, local counties, and city law enforcement agencies dating back to 2011. The passwords in the Securus hack database were hashed with MD5, an algorithm known to be insecure since 2010.
The report of this Securus hack has raised scrutiny of the company's security practices: A user manual on the site uses real personally identifiable information rather than fake data, and passwords appeared to have been hashed using the deprecated MD-5 hashing algorithm. This was also not the first time Securus was hacked.
Past Securus hack and more
In 2015, The Intercept obtained 70 million records of phone calls placed through Securus by prison inmates that included links to download recordings of the calls. At least 14,000 of those phone calls appeared to be between inmates and their lawyers, potentially violating attorney-client privilege.
Last week, Securus came under fire after it was discovered that it was providing law enforcement with mobile location data provided by major U.S. carriers using the system that is supposed to be reserved for marketers. Wireless carriers allegedly provided location data to LocationSmart, a "location-as-a-service company" based in Carlsbad, Calif., which then provided the data to Securus.
Around the time of the Motherboard report about the Securus hack, Robert Xiao, a security researcher at Carnegie Mellon University, found a demo tool on the LocationSmart website, which he said allowed anyone to search for mobile number location data without any login or user authentication, according to a report by Brian Krebs.
EFF staff attorney Andrew Crocker told Motherboard that Securus enabled tracking of mobile devices using near real-time location data for law enforcement authorities without first being served a warrant. On its website, Securus openly markets its ability to "track mobile devices even when GPS is turned off," and provide "call detail records providing call origination and call termination geo-location data."
Senator Rob Wyden (D-Ore.) wrote letters demanding the FCC investigate this location tracking and asking carriers to provide records of what companies have access to this data.
Daniel Nazer, senior staff attorney at the Electronic Frontier Foundation, wrote on Twitter that Securus only "puts up a pretense of being a technology company."
Securus is one of those companies that gets away with gross incompetence because it's in the business of getting the government to let it gouge people. https://t.co/jP2zIDT56W— Daniel Nazer (@danielnazer) May 16, 2018
Neema Singh Guliani, legislative counsel, and Nathan Freed Wessler, staff attorney for the ACLU, wrote that major cellular carriers have teams dedicated to review warrants and law enforcement requests to determine if they are "improper or overbroad."
"However, major phone carriers appear to have allowed Securus to bypass these procedures. Government investigators contracting with the company upload documentation justifying a request for cell phone location data to Securus' system," Guliani and Wessler wrote in a blog post. "Securus, functioning as a middleman, pays other middlemen, who then pay major telecommunications carriers for the location information."