Securus Technologies—the company that provides a geolocation service used for cell phone tracking by law enforcement agencies—has been hacked, exposing the usernames and weakly protected passwords of thousands of customers. The person claiming to be responsible for the breach provided some of the data to Motherboard’s Joseph Cox, along with an explanation of how it was obtained. Securus has not confirmed the breach.
Securus, which offers phone services for prisons, began offering location-based tracking to help prisons track where inmates’ calls were actually going to. This allowed prisons to “geofence” areas “associated with illegal activity,” as a redacted Securus brochure posted online by the Electronic Frontier Foundation shows. But that same service can be used to show the location of mobile phones on a map. The service, called GeoLoc, “provides the approximate location of the cellular device being called at both the beginning and the end of the call,” the Securus marketing material states.
But the data Securus uses for GeoLoc can also be used for other purposes—including tracking the location of virtually any cell phone. A Web-based application from Securus, called Securus Call Platform, allows law enforcement officers to log in from a browser and run searches for mobile devices without requiring an outbound call.
As Ars reported on May 12, Securus’ location service extracts information from other data-brokerage services and location-services providers that buy device-location data from mobile providers. These services obtain the data largely for “rich communications services”—location-based advertising services, which allow marketers to send offers and coupons via SMS and MMS texts, mobile Web advertisements, and other applications to customers when they’re near a particular retailer. Location information can be obtained by the cell tower the device is connected to or via Assisted GPS—the technology used by 911 systems to locate cellular callers.
According to Motherboard, the individual who breached Securus’ network provided several files as proof, including a spreadsheet with information from a database named “police.” That file contained more than 2,800 usernames, email addresses, and phone numbers, as well as hashed account passwords. Some of these passwords appeared to have been already cracked, Cox said, while the remainder were MD5 hashes of passwords—though Cox wrote that it wasn’t clear whether the passwords that were in plain text had been cracked or if they had been in plain text to begin with. The MD5 hashing algorithm has long been easy to crack.
Since the application is Web based and the website allows “Anywhere, anytime access to all system controls” for the Securus call system, the usernames and passwords could conceivably be used to gain access to not just device location data but prisoner phone records and other sensitive data. A previous breach at Securus reported by The Intercept exposed data on 70 million recorded prisoner phone calls, including calls between prisoners and their attorneys.