SVR Tracking failed to protect passwords and other sensitive data on an AWS S3 bucket, exposing more than half a million vehicle tracking devices to the public.

Credit: Vincent Desjardins

Login credentials and other sensitive data from more than half a million vehicle tracking devices, which continually pinpoint vehicles’ locations, were left unprotected online. The exposed records, belonging to SVR Tracking, headquartered in San Diego, were discovered by Kromtech security researchers.

Thanks to a misconfigured Amazon Web Services (AWS) S3 bucket, 540,642 account IDs, including logins, were leaked online. However, Kromtech suggested the actual number of devices tied to those accounts could be “much larger, given the fact that many of the resellers or clients had large numbers of devices for tracking.”

The unprotected data also included vehicle identification numbers (VINs), email addresses, hashed passwords, IMEI (International Mobile Equipment Identity) numbers of the GPS devices, and other data collected on customers and on the 427 auto dealerships that use the tracking services.

The SVR tracking devices are supposed to help auto dealers and other customers “locate and recover their vehicles with live, real-time tracking, and provide stop verification, enabling them to determine potential locations for their vehicles.” SVR Tracking added, “Alerts will flag owners, making them aware of events of interest. The application dashboard provides real-time graphs and detailed vehicle data suited to tighter control and accurate measurements of vehicle activity.”

Since SVR Tracking services are reportedly handy for making repossessions easier, the device is hidden somewhere on the vehicle. However, Kromtech noted that the exposed database also included information about “where exactly in the car the tracking unit was hidden.”

A satellite locates the tracking devices, and the position data is sent to SVR Tracking’s servers via the General Packet Radio Service (GPRS) data network.
Kromtech added, “In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?”

The devices’ tracking capabilities sound creepy. Some of the features include “continuous tracking every two minutes when moving” and a “four-hour heartbeat when stopped.” Kromtech noted:

The software monitors everywhere the car has been back as far as 120 days, including a terrifying feature that pinpoints on the map all of the places a driver has visited. There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been. There is a “recovery mode” that can pinpoint every 2 min or create zone notifications. They claim to have a 99% success rate on recovery, but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?

After Kromtech notified SVR Tracking about the breach, the bucket was secured, but otherwise the company didn’t respond to Kromtech. There is a security incident notification on the company’s site. It reads:

While SVR is not in a position to confirm the accuracy of everything reported by others, Kromtech contacted SVR on September 20, at which point we immediately began our own investigation into an incident concerning one of our data repositories. Within 3 hours, SVR fixed the repository configuration vulnerability Kromtech identified. SVR’s investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers.

Verizon leak

The SVR Tracking breach was announced one day before Kromtech security researchers announced the discovery of an unprotected AWS S3 storage bucket belonging to a Verizon Wireless engineer.
The leak contained about 100MB of data from Verizon’s wireless system called Distributed Vision Services (DVS). The leak contained no customer data this time, but it did include confidential and proprietary company data such as usernames and passwords, 129 saved Outlook messages with access and internal communications, as well as admin information that could have potentially allowed access to other parts of the network.

Amazon warned owners of unsecured AWS S3 buckets

Back in July, Amazon reportedly sent an email to users who have publicly accessible AWS S3 buckets. It stated:

By default, S3 bucket ACLs allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.

Users were encouraged to make sure their AWS S3 buckets were configured correctly.
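One way to spot the misconfiguration Amazon describes, a world-read ACL grant on a bucket, is to inspect each bucket's ACL for grants to the AllUsers or AuthenticatedUsers groups. The Python below is an added example, not code from SVR Tracking, Kromtech, or Amazon; it assumes the ACL dictionary shape returned by boto3's get_bucket_acl, and the sample ACLs are constructed.

```python
"""Flag S3 bucket ACLs that grant access to everyone or to any AWS account."""
# Added example (not SVR Tracking's, Kromtech's, or Amazon's code). The ACL dicts
# follow the shape boto3's get_bucket_acl() returns; SAMPLE_ACLS is constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "world", AUTH_USERS: "any AWS account"}


def public_grants(acl):
    """Return (who, permission) pairs for grants to the two public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def audit_buckets(acls):
    """acls: {bucket_name: acl_dict}. Returns only the buckets with public grants."""
    exposed = {}
    for name, acl in acls.items():
        findings = public_grants(acl)
        if findings:
            exposed[name] = findings
    return exposed


# Constructed sample: a private bucket and one with the world-READ grant the article describes.
SAMPLE_ACLS = {
    "private-bucket": {"Owner": {"ID": "owner-id"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    "exposed-bucket": {"Owner": {"ID": "owner-id"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
}


def live_audit():
    """Run the same check against the real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return audit_buckets({n: s3.get_bucket_acl(Bucket=n) for n in names})


if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_ACLS).items():
        for who, perm in findings:
            print(f"{bucket}: grants {perm} to {who}")
```

This checks ACLs only; a bucket policy can also make contents public, and the account-level S3 Block Public Access settings should be reviewed alongside it.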