Securus Hacked Again; Passwords, Personal Information, Location Data Compromised
by Matt Clarke
Some readers may recall how a hacker targeted Dallas, Texas-based Securus Technologies, a prison telecom company, resulting in the records of some 70 million phone calls made by over 63,000 prisoners being released on the Internet in November 2015. That incident revealed Securus was recording prisoners’ calls with their attorneys. [See: PLN, Aug. 2016, p.1].
Another hack at Securus in May 2018 resulted in the release of usernames, email addresses, phone numbers, hashed passwords and security questions for 2,800 of the company’s customers – mostly law enforcement officials.
The passwords were hashed using MD5, an algorithm that can be easily defeated by experienced hackers, revealing the real passwords. Further, having the answers to security questions makes it easy for a hacker to establish a new password, effectively locking the legitimate user out while giving the hacker unlimited use of the account.
Equally worrying was the location tracking service that may have been compromised. Securus partners with law enforcement to provide location tracking of cell phones, even if the GPS feature is disabled, without warrants. The company has cellular service providers send signals called “pings” to cell phones and use the phones’ distance from cell towers to determine their location. The service was intended to be used by providers of roadside assistance, but Securus exploited that loophole to make it available to law enforcement. Access to the compromised law enforcement accounts may give hackers access to that service too, and thus the ability to track cell phones.
Some of the hacked Securus accounts were labeled with law enforcement occupational designators such as “jail captain,” “jail administrator” and “prison warden.” Corrections officials regularly use the tracking service to determine the location of the recipients of phone calls made by prisoners.
“If this account is true, it demonstrates, yet again, that Securus is failing cybersecurity 101, in total disregard for the privacy of the Americans whose communications and private data it should be protecting,” said U.S. Senator Ron Wyden, a leader on privacy issues. “This incident is further evidence that the wireless carriers and FCC need to step up and do much more to ensure that Americans’ location data information and other personal information isn’t sold to companies like Securus that have demonstrated that they simply don’t care about cybersecurity.”
Senator Wyden asked the FCC to investigate the practice of providing location data without a warrant, which he called “abusive and potentially unlawful.”
Securus has been so lax with user information that it used actual customer data in screen shots displayed in its training manual.
“Securus is enabling [cell phone] tracking without a warrant and allowing users of their system to claim authority to do so without checking it. That’s a problem,” declared Electronic Frontier Foundation (EFF) staff attorney Andrew Crocker. “A concern with any system is if it’s not limited to authorized users who have the authority to engage in surveillance, then it’s doubly problematic.”
Even absent being hacked, the location tracking service has problems. In May 2018, the New York Times revealed that former Missouri Sheriff Cory Anderson had used the Securus tracking service to unlawfully track other people’s cell phones, including a judge and several highway patrolmen. The Times noted that the tracking service, which was intended for benevolent uses such as locating stranded motorists, lost children and missing Alzheimer’s patients, is easily abused as there is no oversight on how it is used.
Sources: motherboard.vice.com, businessinsider.com, esecutiryplanet.com, gizmodo.com, cyberscout.com