A hacker was able to compromise accounts belonging to two GPS tracker apps, monitor the locations of the tracked vehicles and even turn off their engines.
The apps were used by companies to locate and manage vehicles through GPS tracking devices.
The hacker said that by reverse engineering the apps he found that every customer was given 12345 as the default password on sign-up, and that he brute-forced millions of usernames through the apps' API.
He wrote a script to log in with these usernames and the default password, and was able to break into thousands of accounts and steal their data.
He was able to extract data such as the name and model of the GPS tracking devices in use, their unique ID numbers (IMEI numbers), usernames, users' real names, phone numbers, email addresses and physical addresses.
He also said he discovered a stop-engine feature on some vehicles that allows the engine to be turned off while the vehicle is in motion.
“I can absolutely make a big traffic problem all over the world, I have fully [sic] control hundreds of thousands of vehicles, and by one touch, I can stop these vehicles engines.”
Motherboard confirmed this with the makers of one of the GPS tracking hardware devices used by ProTrack and iTrack: some customers can turn off their engines remotely through the apps if the vehicle is travelling under 20 km/h.
The hacker, who goes by L&M, said he was able to compromise more than 7,000 accounts on iTrack and more than 20,000 on ProTrack, and to track vehicles in countries such as South Africa, Morocco, India and the Philippines.
L&M has notified both ProTrack and iTrack about the issue. The company has responded by asking its customers to change their default passwords.
Motherboard was able to confirm the authenticity of the data sample provided by L&M by speaking to four of the users included in it.
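Changing the default passwords removes the root cause; on the detection side, the break-in described above has a recognisable signature in the API's authentication logs: one client successfully logging into many distinct accounts within a short window, which ordinary failed-login alerting never sees. The following is an added example, not code from the article or from either vendor; the log format, IP addresses, usernames and thresholds are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of API login events (not real data):
# "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2019-04-20T10:00:01 203.0.113.7 fleet_a OK
2019-04-20T10:00:02 203.0.113.7 fleet_b OK
2019-04-20T10:00:02 203.0.113.7 fleet_c OK
2019-04-20T10:00:03 203.0.113.7 fleet_d FAIL
2019-04-20T10:00:04 203.0.113.7 fleet_e OK
2019-04-20T10:00:05 203.0.113.7 fleet_f OK
2019-04-20T10:05:00 198.51.100.9 dispatch1 OK
2019-04-20T10:06:00 198.51.100.9 dispatch1 OK
2019-04-20T10:07:00 198.51.100.9 dispatch2 OK
"""


def parse_event(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def mass_login_sources(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: max distinct accounts successfully logged into
    within any `window`} for every source that reaches `threshold`.
    Only successes count: failures belong to normal brute-force alerting,
    while many successes across distinct accounts from one client is the
    shared-default-password pattern."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) successes
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, user, result = parse_event(line)
        if result != "OK":
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop successes older than the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(mass_login_sources(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

The single dispatcher host in the sample, which reuses one or two accounts, is not flagged; the host that cycles through enumerated accounts is.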
“My target was the company, not the customers. Customers are at risk because of the company. They need to make money, and don’t want to secure their customers,” said L&M to Motherboard in an online chat.