UPDATE 1-FCC investigating reports website flaw exposed mobile phone locations

David Shepardson

(Adds LocationSmart, AT&T, Verizon reaction, background, New York Times report)

WASHINGTON, May 18 (Reuters) - The U.S. Federal Communications Commission said on Friday it was referring reports that a website flaw could have allowed the location of mobile phone customers to be tracked to its enforcement bureau to investigate.

A security researcher said earlier this week that California-based LocationSmart data could have been used to track AT&T Inc, Verizon Communications Inc, Sprint Corp and T-Mobile US consumers without consent within a few hundred yards of their location.

Senator Ron Wyden, a Democrat, on Friday urged the FCC to investigate, saying on Twitter a "hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child's cell phone to know when they were alone."

Researcher Robert Xiao at Carnegie Mellon said a flaw in a demo tool from LocationSmart could have been used to track anyone.

LocationSmart spokeswoman Brenda Schafer said Friday the vulnerability "has been resolved and the demo has been disabled."

Schafer said the company believes that, prior to Xiao's efforts, which included locating up to two dozen users, no one else exploited the vulnerability. The company is committed to "continuous improvement of its information privacy and security measures," she said.

Last week, the New York Times reported that the former sheriff of Mississippi County, Missouri, used Securus Technologies to track mobile phones, including those of other officers, without court orders, citing charges filed against him. Several published reports suggested Securus is getting its data through an intermediary of LocationSmart.

Verizon spokesman Rich Young said Friday the company has "taken steps to ensure that Securus can no longer access location information about Verizon Wireless customers." He added the company has "initiated a review of this entire issue."

AT&T spokesman Mike Balmoris said the company does not "permit sharing of location information without customer consent or a demand from law enforcement. If we learn that a vendor does not adhere to our policy we will take appropriate action."

Sprint, Securus and T-Mobile did not immediately comment.

Wyden said last week that Securus, a major provider of correctional-facility telephone services, is purchasing real-time location information from carriers and providing information "via a self-service web portal for nothing more than the legal equivalent of a pinky promise."

Wyden wrote all four major mobile carriers, saying the practice "exposes millions of Americans to potential abuse and unchecked surveillance by the government."

(Reporting by David Shepardson; Editing by Chizu Nomiyama)