Over 500,000 car tracking devices’ passwords accidentally leaked due to misconfigured cloud server
In yet another case of an accidental data leak, login credentials of over 500,000 car tracking devices were freely exposed due to a misconfigured cloud server. The data came from SVR Tracking, which is a firm that claims to specialise in “vehicle recovery.”
SVR allows its customers to track their vehicles round the clock, so they can monitor and recover them in case their vehicle has been stolen. The firm attaches a tracking device to a vehicle in a discreet location, so if the vehicle is stolen, an unknown driver would have no knowledge of it being monitored.
According to researchers at Kromtech Security, who discovered the breach, the data exposed included SVR users’ account credentials, such as emails and passwords. Users’ vehicle data, including VIN numbers and licence plates were also freely exposed. The data was exposed via an insecure Amazon S3 bucket.
“The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden,” Kromtech researcher Bob Diachenko said in a blog.
SVR’s car tracking device monitors everywhere a vehicle has been for the past 120 days, which can be easily accessed by anyone who has access to users’ login credentials.
The insecure Amazon S3 bucket has been secured, after Kromtech reached out to SVR and notified them about the breach. It still remains unclear as to how long the data remained freely exposed. It is also uncertain whether the data was possibly accessed by hackers.
“In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publically available online and steal that car? The overall number of devices could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking,” Diachenko said.