SECURITY RESEARCHERS have uncovered a security breach exposing half a million vehicle tracking accounts and details.
Discovered by Kromtech security, the breach reveals information about the customers of US vehicle recovery device and monitoring company SVR Tracking, as well as the physical devices that are attached to the cars.
The exposed data, which includes customer credentials, was unearthed through a misconfigured Amazon AWS S3 bucket that was left publically available, and because it wasn't protected by a password, could allow anyone to pinpoint locations visited by customers of the vehicle tracking firm.
"The repository contained over a half of a million records with logins, passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships," said Bob Diachenko, Kromtech's Chief Communication Officer.
"Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.
In a Backup Folder called "accounts", the data contained 540,642 ID numbers, account information that included many plate & vin numbers, emails, hashed passwords, IMEI numbers and more.
Kromtech noted that the car tracking software monitors everywhere the car has been back as far as 120 days, including a somewhat terrifying feature that pinpoints on the map all of the places a driver has visited.
Diachenko added that the actual number of vehicles exposed by the incident may have been far more than half a million, since many of the accounts, which were used by SVR's resellers and clients, include large numbers of tracking devices.
The tracking devices installed by SVR indicate the vehicle's location around the clock, even if it hasn't been reported as missing or stolen, according to the company.
"There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been," added Diachenko. "There is a ‘recovery mode' that can pinpoint every 2min or create zone notifications. They claim to have a 99% success rate on recovery but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?"
Shortly after sending responsible disclosure note, the bucket was secured, however, with no word from the company. µ
C3-PO, R2-D2, BB-8 and other Androids
Helpful cyber vigilante gets short changed by customer services
...you know, now it's less confusing...
Firm will no longer provide updates for its first Android mobe