Thousands of Passwords for Vehicle GPS Leaked
The login credentials and other potentially sensitive personal information from more than 500,000 vehicle tracking devices were leaked online, likely as a result of insufficient protection of the data. The records belonged to SVR Tracking, and their exposure was discovered by security researchers from Kromtech.
According to these researchers, the leak happened because of a mistake in an Amazon Web Services (AWS) S3 bucket. As a result, a total of 540,642 account IDs and passwords were leaked. Kromtech said in its report that the total number of devices affected could actually be considerably larger, as many clients or resellers were using large numbers of devices for tracking purposes.
The information at risk included VIN numbers, hashed passwords, email addresses, International Mobile Equipment Identity (IMEI) numbers of each GPS device and other information collected about 427 auto dealerships selling these tracking services and the customers who purchased them.
About the compromised SVR tracking devices
SVR’s tracking devices are meant to help auto dealerships and customers locate and recover vehicles almost immediately thanks to real-time tracking functionality, and to provide stop verification, ultimately helping them find potential locations for their cars. An alert will tip off an owner, making him or her aware of specific events of interest. The dashboard in the application then offers real-time vehicle data and graphs that allow for more accurate measurements of the vehicle’s activity.
These devices are often imperative in repossessions, and so with this in mind, the GPS tracker is usually hidden on the vehicle so it cannot be easily removed. However, Kromtech’s report about the security breach mentioned that the database that was leaked contained information about where the tracking unit is hidden in the vehicle.
How exactly does the device work?
In the simplest explanation, a satellite finds the tracking device and then relays its information to SVR Tracking’s servers through the General Packet Radio Service (GPRS) network.
The software will track the car’s movements as far back as 120 days. It will create a map of all the places a driver has visited. Anyone who has login credentials is able to view the top stops, or other locations where the driver has stopped the vehicle.
The technology is obviously quite useful for many purposes for dealerships and car owners. However, if cyber criminals are able to break into the networks that store all the credentials to access these devices, these criminals could easily figure out where a specific car is located so they can steal it.
This is a constant risk one must consider as we become more reliant as a society on these types of technologies, which feature satellite and internet technology. What sensitive information are we willing to potentially have exposed to the public?
It will be interesting to see the types of security measures that arise in response to this issue, and how Amazon Web Services will work to prevent these types of breaches from occurring in the future.
This post was written by Malcolm Rosenfeld