A hacker broke into a bunch of car GPS systems and had the ability to shut off the engines
This is why default passwords need to die.
Well, this is horrifying. Two GPS tracker apps have had thousands of user accounts breached by a hacker, who could then monitor the locations of tens of thousands of vehicles, with the option to turn off the engine of some while they were still in motion.
The hacker, who goes by the handle L&M, contacted Motherboard to talk about the breached accounts, stressing that while they had the ability to turn off engines, they didn’t do so. They got into over 7,000 iTrack accounts, and more than 20,000 ProTrack accounts through one simple brute force method – using the apps APIs to siphon off usernames, while access was granted by the default password given on sign-up, 123456.
Then it was just a matter of putting a simple script together to test all the username/password combinations to see which ones let them in
Once in, they were able to track fleets of vehicles in a handful of countries, such as South Africa, Morocco, and the Philippines. Some vehicles in the fleets had remote kill switches, giving them the option to remotely disable the vehicle, provided they were either stopped or driving less than 12 mph.
Putting aside the blatantly huge security hole that these two companies left open, why is anyone still using the default passwords in 2019? It should be standard operating procedures for any company on receipt of a new app/tool/hardware/etc to change the default passwords to a more secure one. The whole point of GPS tracking apps for company fleets is to increase security, not to give a backdoor to the whole fleet.
Conceivably, a malicious attacker could have tracked armored cars with cash and other valuables in them, or companies that carry other valuable cargo
It would have then been trivial to disable the vehicles and pull off a heist. Thankfully the hacker who breached these GPS tracking companies wasn’t interested in damaging their customers, saying they wanted to “target the company, not the customers.”
Both GPS tracking app companies have now prompted users to change their passwords, although they stopped short of forcing a password reset.
Ethical hacker: 2 – GPS tracker companies: 0
- Walmart is testing an AI-powered superstore in New York
- Lyft will get you to the grocery store in more cities for just $2.50, roughly
- Verizon opens up pre-orders for Samsung’s Galaxy S10 5G, plus a 20-city 5G rollout
- AT&T says it will be shipping out Samsung’s Galaxy Fold in mid-June
- You’ll soon be able to return your Amazon orders to Kohl’s stores nationwide