Hacker Can Monitor Cars And Kill Their Engines After Breaking Into GPS Tracking Apps
"I can absolutely make a big traffic problem all over the world," the hacker said.
[. . . . ] The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower [ . . . . ]
By reverse engineering ProTrack and iTrack's Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up. [ . . . ] At that point, the hacker said he brute-forced "millions of usernames" via the apps' API. Then, he said he wrote a script to attempt to login using those usernames and the default password.
[ . . . ] the hacker has scraped a treasure trove of information from ProTrack and iTrack customers, including: name and model of the GPS tracking devices they use, the devices' unique ID numbers (technically known as an IMEI number); usernames, real names, phone numbers, email addresses, and physical addresses.
[ . . . . ] ProTrack denied the data breach via email, but confirmed that it's prompting users to change passwords. [ . . . ] "Our system is working very well and change password is normal way for account security like other systems, any problem?" a company representative said.
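The excerpt describes two things a fleet-tracking backend can defend against: a shared default password handed to every customer, and a script that walks enumerated usernames with that one password. The block below is an added example, not ProTrack's or iTrack's code: it shows a hardened enrolment flow (a random per-account initial secret that must be replaced on first login, with the shared default rejected as a replacement) and a detector that flags a source address trying many distinct usernames inside a sliding window. The log format, the 5-minute window and the 20-username threshold are assumptions, and the log lines are constructed.

```python
"""Added example: hardened enrolment/login for a fleet-tracking account and a
detector for the credential-spraying pattern in auth logs. Constructed code,
not ProTrack/iTrack's; the log format and thresholds are assumptions."""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

SHARED_DEFAULT = "123456"   # the shared default the article describes


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class Account:
    """Each account gets a random, single-use initial secret instead of a shared default."""

    def __init__(self, username: str):
        self.username = username
        self.initial_secret = secrets.token_urlsafe(12)  # delivered to the customer out of band
        self.salt = os.urandom(16)
        self.digest = hash_password(self.initial_secret, self.salt)
        self.must_rotate = True


def acceptable(new_pw: str, old_pw: str) -> bool:
    """Hypothetical policy: at least 12 characters, not the old secret, not the old shared default."""
    return len(new_pw) >= 12 and new_pw not in (old_pw, SHARED_DEFAULT)


def login(acct: Account, pw: str, new_pw=None) -> str:
    """'denied' on bad credentials, 'rotation_required' until the initial
    secret is replaced, 'ok' once a real password has been set."""
    if not hmac.compare_digest(hash_password(pw, acct.salt), acct.digest):
        return "denied"
    if acct.must_rotate:
        if new_pw is None or not acceptable(new_pw, pw):
            return "rotation_required"
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new_pw, acct.salt)
        acct.must_rotate = False
        acct.initial_secret = None
    return "ok"


def parse_auth_line(line: str):
    # Assumed format: "<iso-timestamp> ip=<addr> user=<name> result=<ok|fail>"
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), fields["ip"], fields["user"], fields["result"]


def detect_spraying(lines, window=timedelta(minutes=5), min_users=20):
    """Flag source IPs that attempt >= min_users distinct usernames within any
    sliding window of `window`; returns {ip: peak distinct-user count}."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, _ = parse_auth_line(line)
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            distinct = len({u for _, u in events[start:end + 1]})
            if distinct >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


# Constructed auth log: one address walking 30 usernames with the same password
# in 30 seconds (a few happen to succeed), plus two ordinary logins from elsewhere.
T0 = datetime(2019, 4, 24, 10, 0, 0)
SAMPLE_LOG = [
    f"{(T0 + timedelta(seconds=i)).isoformat()} ip=203.0.113.5 user=fleet{i:04d} "
    f"result={'ok' if i % 7 == 0 else 'fail'}"
    for i in range(30)
] + [
    f"{(T0 + timedelta(minutes=2)).isoformat()} ip=198.51.100.7 user=fleet0003 result=ok",
    f"{(T0 + timedelta(minutes=40)).isoformat()} ip=198.51.100.7 user=fleet0003 result=ok",
]

if __name__ == "__main__":
    a = Account("fleet0001")
    first = a.initial_secret
    print(login(a, SHARED_DEFAULT), login(a, first), login(a, first, "correct-horse-battery"))
    print(detect_spraying(SAMPLE_LOG))
```

The detector keys on distinct usernames per source rather than on failures alone, because a spray against a shared default produces successes as well as failures; the successes are the ones worth alerting on.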
That default password should have been ROT13 encrypted.
(Score: 2) by ledow on Thursday April 25, @09:48AM
Which, I have to say, is why my GPS tracker can only send and receive text messages and doesn't have all this "account" nonsense.
Move my car, I get a text with the GPS location (and can get that in a Google Maps link format, without any information going to Google otherwise).
If I think it's stolen, I can text my car and it'll cut the fuel pump.
If I think it's on the move and I want to chase it, I can set it to data-mode and it'll live-stream a series of NMEA sentences to my own server (literally, you have to specify the server name and run something like netcat on a given port, or nothing happens, and it needs you to plug in the data-details for that to work anyway, plus I can see any time it tries to do that - never unless asked - via the SIM-provider's billing).
If I ring the number, from the right phone, and type in the right password, it'll put me through to an optional mic (if fitted) and let me listen to the sounds from that mic.
Authentication of all commands by *incoming* telephone number, and by password.
Why do you need a cloud service / third-party accounts in the middle? I've never used the live-stream thing (I set it up out of curiosity). The Google-map link is perfectly adequate, and there's a command to just get the position if you want to plug it into some other program (actually, as it stands, the link opens in either my Copilot, or inside a direction-tracking app on my phone).
P.S. my box cost me about £25 on Amazon and took no time at all to fit, and even if you're not car-savvy, a garage would do it for you in no time at all - it even came with all the relays.
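The comment above describes pointing the tracker at your own server and running something like netcat to catch a stream of NMEA sentences. The block below is an added example, not the commenter's setup or any tracker's firmware: a small receiver that validates each sentence's checksum before trusting it, parses a $GPRMC fix into decimal degrees, and builds the same kind of Google Maps link. The listening host and port, the `serve` function and the sample sentences are assumptions; the sentence values are the classic GPRMC textbook fix, with the checksum computed in the code rather than copied.

```python
"""Added example: NMEA receiver that drops any sentence whose checksum does
not verify, then parses $GPRMC into a position. Constructed code, not the
commenter's tracker or server; host/port and samples are assumptions."""
import socket
from functools import reduce


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', rendered as two uppercase hex digits."""
    return f"{reduce(lambda a, b: a ^ b, body.encode('ascii'), 0):02X}"


def _to_decimal(field: str, hemi: str) -> float:
    # NMEA latitude is ddmm.mmmm and longitude dddmm.mmmm: the two digits
    # before the '.' and everything after it are minutes, the rest degrees.
    dot = field.index(".")
    degrees = int(field[: dot - 2])
    minutes = float(field[dot - 2:])
    value = degrees + minutes / 60.0
    return round(-value if hemi in "SW" else value, 6)


def parse_rmc(sentence: str):
    """Return (lat, lon, speed_knots) for a checksum-valid RMC sentence with an
    active fix; return None for anything garbled, forged, or not a fix."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if given.upper() != nmea_checksum(body):
        return None          # checksum mismatch: corrupted line or not from the tracker
    f = body.split(",")
    if f[0][2:] != "RMC" or len(f) < 10 or f[2] != "A":
        return None          # not an RMC sentence, or status 'V' (no valid fix)
    lat = _to_decimal(f[3], f[4])
    lon = _to_decimal(f[5], f[6])
    speed = float(f[7]) if f[7] else 0.0
    return lat, lon, speed


def maps_link(lat: float, lon: float) -> str:
    return f"https://maps.google.com/?q={lat},{lon}"


def serve(host: str = "0.0.0.0", port: int = 5000) -> None:
    """Accept one tracker connection and print each validated fix (the
    stand-in for the netcat listener the comment mentions)."""
    with socket.create_server((host, port)) as srv:
        conn, peer = srv.accept()
        with conn, conn.makefile("r", encoding="ascii", errors="replace") as stream:
            for line in stream:
                fix = parse_rmc(line)
                if fix:
                    print(peer[0], maps_link(fix[0], fix[1]), f"{fix[2]} kn")


# Constructed samples: the textbook GPRMC fix, once intact and once with one
# digit altered after the checksum was computed.
_GOOD_BODY = "GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"
GOOD = f"${_GOOD_BODY}*{nmea_checksum(_GOOD_BODY)}"
TAMPERED = f"${_GOOD_BODY.replace('4807.038', '4807.039')}*{nmea_checksum(_GOOD_BODY)}"

if __name__ == "__main__":
    print(parse_rmc(GOOD))      # (48.1173, 11.516667, 22.4)
    print(parse_rmc(TAMPERED))  # None
```

The checksum is only an integrity check on the wire, not authentication: it catches a corrupted or stray line, but anything that knows the server address can send a sentence that verifies. That is why the comment's model of keeping the server unknown and watching the SIM bill for unexpected data sessions still matters alongside this parser.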
(Score: 0) by Anonymous Coward on Thursday April 25, @10:04AM (1 child)
Client certificates are not new. Why are idiots still using passwords for this stuff?
(Score: 1, Insightful) by Anonymous Coward on Thursday April 25, @10:28AM
Because security takes effort.
Option 1) You have to employ someone who knows about security and who can foresee these types of problems. Then you have to listen to the security person and implement their recommendations. Then you have to contract a second security person to try to poke holes in the implemented security. And then you have to fix whatever number two found.
Option 2) Or, you can set a default password that you wouldn't even use for your luggage and hope someone else takes the heat if/when the shit hits the fan.
We all know which choice the vast majority of companies make.
(Score: 4, Touché) by Pslytely Psycho on Thursday April 25, @10:15AM
https://www.youtube.com/watch?v=AoB_mdZxNlY [youtube.com]
Is it just a matter of time before mindless movie fun becomes deadly reality?
Nah, car makers, just like IOT device makers, are far too careful about security.
Ok, that last line took three tries to type correctly through all the giggling.
