SVR Tracking failed to protect passwords and other sensitive data on an AWS S3 bucket, causing over a half million vehicle tracking devices to be exposed to the public, the CSO informs.
Login credentials and other sensitive data from more than a half million vehicle tracking devices, which continually pinpoint vehicles’ locations, were left unprotected online. The exposed records belonging to SVR Tracking, headquartered in San Diego, were discovered by Kromtech security researchers.
Thanks to a misconfigured Amazon Web Services (AWS) S3 bucket, 540,642 account IDs, which included logins, were leaked online. However, Kromtech suggested the actual number of devices tied to those accounts could be “much larger, given the fact that many of the resellers or clients had large numbers of devices for tracking.”
The unprotected data also included VIN numbers, email addresses, hashed passwords, IMEI (International Mobile Equipment Identity) numbers of the GPS devices and other collected data on customers and the 427 auto dealerships that use the tracking services.
The SVR tracking devices are supposed to help auto dealers or other customers “locate and recover their vehicles with live, real-time tracking, and provide stop verification, enabling them to determine potential locations for their vehicles.” SVR Tracking added, “Alerts will flag owners, making them aware of events of interest. The application dashboard provides real-time graphs and detailed vehicle data suited to tighter control and accurate measurements of vehicle activity.”
Since SVR Tracking services are reportedly handy for making repossessions easier, the device is hidden somewhere on the vehicle. However, Kromtech noted that the exposed database also included information about “where exactly in the car the tracking unit was hidden.”
A satellite locates the tracking devices and sends the information to SVR Tracking’s servers via the General Packet Radio Service (GPRS) data network. Kromtech added, “In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?”
The devices’ tracking capabilities sound creepy. Some of the features include “continuous tracking every two minutes when moving” and a “four-hour heartbeat when stopped.”