A hacker has broken into the servers of Securus, a company that allows law enforcement to easily track nearly any phone across the country, and which a US Senator has exhorted federal authorities to investigate. The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus’ law enforcement customers.
Although it’s not clear how many of these customers are using Securus’s phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveil individuals.
“Location aggregators are—from the point of view of adversarial intelligence agencies—one of the juiciest hacking targets imaginable,” Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.
Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials’ phones, according to court records.
The hacker who breached Securus provided Motherboard with several internal company files. A spreadsheet allegedly from a database marked “police” includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year. A hash is a cryptographic representation of a piece of data, meaning a company doesn’t need to store the password itself. But the hashes themselves were created using the notoriously weak MD5 algorithm, meaning attackers could learn a user’s real password in many cases. Indeed, some of the passwords have seemingly been cracked and included in the spreadsheet. It is not immediately clear if the hacker that provided the data to Motherboard cracked these alleged passwords or if Securus stored them this way itself.
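To make the point about MD5 concrete, here is an added example (not Securus code and not from the original article) that puts a fast MD5 digest beside a salted, memory-hard scrypt record and upgrades legacy records at login. The unsalted MD5 format, the record layout, the function names, the scrypt parameters and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed values for this example; tune to your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def legacy_md5(password: str) -> str:
    """Weak scheme: one fast, unsalted MD5 pass (assumed legacy format)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: per-user random salt plus a memory-hard KDF."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        expected = scrypt_record(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, stored)
    return hmac.compare_digest(legacy_md5(password), stored)

def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """On a successful login, replace a legacy MD5 record with scrypt."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("scrypt$"):
        db[user] = scrypt_record(password)
    return True

# Constructed sample data: two accounts that happen to share a password.
db = {"user_a": legacy_md5("Winter2018!"), "user_b": legacy_md5("Winter2018!")}

if __name__ == "__main__":
    # Unsalted MD5: equal passwords give equal digests across accounts.
    print("same MD5 digest:", db["user_a"] == db["user_b"])
    login_and_upgrade(db, "user_a", "Winter2018!")
    login_and_upgrade(db, "user_b", "Winter2018!")
    # Salted scrypt: the same password now yields two unrelated records.
    print("same scrypt record:", db["user_a"] == db["user_b"])
```
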
Most of the users in the spreadsheet are from US government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others. The data also includes Securus staff members, as well as users with personal email addresses that aren’t explicitly linked to a particular government department.
Motherboard verified the data by using Securus’ website’s forgotten password feature. When typing in a gibberish email address, the site returned an error. But when presented with a username and email address from the hacked data, the site progressed to the next stage of the password reset process, confirming that those credentials are stored within Securus’ systems. Every set of credentials Motherboard tested was successful. Securus also confirmed a set of data had been "unlawfully accessed."
"While our forensic investigation continues, evidence at this point indicates that impacted data is a very limited scope of administrative user account information," Securus' statement to Motherboard reads. "We intend to provide law enforcement authorities with the details from our investigation and ask for aggressive prosecution when warranted," it added.
It is not totally clear how many of these users have access to Securus’ phone location service. But other parts of the data indicate that many of the users are likely to be working in prisons: some of the users’ roles are marked as “jail administrator,” “jail captain,” and “deputy warden.” On its website, Securus markets its “Location Based Services” product to prisons so staff can know where inmates are calling.
“Track mobile devices even when GPS is turned off,” the Securus website reads. “Call detail records providing call origination and call termination geo-location data,” it adds. This is the same product that is being abused by some law enforcement officials. In a statement, Securus told Motherboard it had found no evidence that the stolen information is related to the Location Based Services product, but out of an abundance of caution it had disabled access to the location data for the time being.
“Securus was enabling tracking without a warrant and allowing users of their system to claim authority to do so without checking it. That’s a problem,” Andrew Crocker, staff attorney at campaign group the Electronic Frontier Foundation, told Motherboard in a phone call. “A concern with any system is if it’s not limited to authorized users who have the authority to engage in surveillance, then it’s doubly problematic.” In other words, a hacker gaining access to a list of Securus users and their login details could be particularly dangerous.
The hacker explained to Motherboard how they allegedly obtained the data, and from that account, it appears the hack was relatively simple. And a hack of Securus was also the basis for a previous 2015 investigation from The Intercept, which included 70 million prisoner phone calls.
But this latest data breach is not the only sign that Securus is careless with sensitive information. Rid pointed Motherboard to a Securus user manual available online. One part shows a map and user interface for a Securus product, but instead of populating the screen with fake data for demonstration purposes, the guide appears to include the real name, address, and phone number of a specific woman. (Motherboard confirmed the details with those in online databases, as well as a media report that mentions the woman.)
“The PII [personally identifying information] exposure in the (still) public user guide raises one question: does Securus have the culture and the procedures in place to protect sensitive PII? The answer appears to be no,” Rid told Motherboard.
Senator Ron Wyden, who sent letters to major telcos and the FCC pushing for more answers around Securus before the New York Times’ piece, told Motherboard in a statement that “If this account is true, it demonstrates, yet again, that Securus is failing cybersecurity 101, in total disregard for the privacy of the Americans whose communications and private data it should be protecting. This incident is further evidence that the wireless carriers and FCC need to step up and do much more to ensure that Americans’ location information and other personal information isn’t sold to companies like Securus that have demonstrated that they simply don’t care about cybersecurity.”
Jason Koebler contributed reporting.
Update: This piece has been updated to include extra context around another Securus data breach reported by The Intercept, and more information from a Securus statement.