Connect with us

News

A hacker broke into a bunch of car GPS systems and had the ability to shut off the engines

This is why default passwords need to die.

cars on the highway using gps
Image: Unsplash

Well, this is horrifying. Two GPS tracker apps have had thousands of user accounts breached by a hacker, who could then monitor the locations of tens of thousands of vehicles, with the option to turn off the engine of some while they were still in motion.

The hacker, who goes by the handle L&M, contacted Motherboard to talk about the breached accounts, stressing that while they had the ability to turn off engines, they didn’t do so. They got into over 7,000 iTrack accounts, and more than 20,000 ProTrack accounts through one simple brute force method – using the apps APIs to siphon off usernames, while access was granted by the default password given on sign-up, 123456.

Then it was just a matter of putting a simple script together to test all the username/password combinations to see which ones let them in

Once in, they were able to track fleets of vehicles in a handful of countries, such as South Africa, Morocco, and the Philippines. Some vehicles in the fleets had remote kill switches, giving them the option to remotely disable the vehicle, provided they were either stopped or driving less than 12 mph.

Putting aside the blatantly huge security hole that these two companies left open, why is anyone still using the default passwords in 2019? It should be standard operating procedures for any company on receipt of a new app/tool/hardware/etc to change the default passwords to a more secure one. The whole point of GPS tracking apps for company fleets is to increase security, not to give a backdoor to the whole fleet.

Conceivably, a malicious attacker could have tracked armored cars with cash and other valuables in them, or companies that carry other valuable cargo

It would have then been trivial to disable the vehicles and pull off a heist. Thankfully the hacker who breached these GPS tracking companies wasn’t interested in damaging their customers, saying they wanted to “target the company, not the customers.”

Both GPS tracking app companies have now prompted users to change their passwords, although they stopped short of forcing a password reset.

Ethical hacker: 2 – GPS tracker companies: 0

Are you surprised by this? Does this make you worried about the future of supposed smart cars? Let us know down below in the comments or carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

Maker, meme-r and unabashed geek. Hardware guy here at KnowTechie, if it runs on electricity (or even if it doesn't) I probably have one around here somewhere. My hobbies include photography, animation and hoarding Reddit gold.

Comments
Advertisement

More in News