SoylentNews

DannyB [soylentnews.org] writes:

Hacker Can Monitor Cars And Kill Their Engines After Breaking Into GPS Tracking Apps [vice.com]

“I can absolutely make a big traffic problem all over the world,” the hacker said.

[. . . . ] The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower [ . . . . ]

By reverse engineering ProTrack and iTrack’s Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up. [ . . . ] At that point, the hacker said he brute-forced “millions of usernames” via the apps’ API. Then, he said he wrote a script to attempt to login using those usernames and the default password.

[ . . . ] the hacker has scraped a treasure trove of information from ProTrack and iTrack customers, including: name and model of the GPS tracking devices they use, the devices’ unique ID numbers (technically known as an IMEI number); usernames, real names, phone numbers, email addresses, and physical addresses.

[ . . . . ] ProTrack denied the data breach via email, but confirmed that its prompting users to change passwords. [ . . . ] “Our system is working very well and change password is normal way for account security like other systems, any problem?” a company representative said.

That default password should have been ROT13 encrypted.

Original Submission