Hundreds of thousands of vehicle tracking app accounts could be hacked and engines shut down remotely



Companies that need to manage many vehicles, such as carriers, may use GPS-based vehicle tracking apps. Some of these apps can also turn off a vehicle's engine. It has been revealed that a hacker succeeded in breaking into a total of 30,000 accounts on apps of this type, highlighting the danger.

Hacker Can Monitor Cars And Kill Their Engines After Breaking Into GPS Tracking Apps - Motherboard
https://motherboard.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps

A hacker calling himself L & M told the technology news outlet Motherboard that he had hacked more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts. Both are apps that let companies monitor and manage vehicles through GPS tracking devices, and L & M was able to track vehicles used in countries such as South Africa, Morocco, India, and the Philippines.

The screenshot below, sent by L & M to Motherboard, shows the app's vehicle tracking screen. The location is Morocco, and the positions of many vehicles reported by their GPS tracking devices are clearly visible.



In addition to tracking a vehicle's position, the app can also stop the engine of a vehicle that is stopped or traveling at under 20 km/h. Rahim Luqmaan, owner of Probotik Systems, a South African company that uses ProTrack, told Motherboard by phone that 'hackers can mess up us and our customers,' acknowledging the danger.

L & M also mentioned this engine shutdown feature, saying, 'It can also cause major traffic problems around the world.' However, because remotely stopping an engine without permission is dangerous, L & M appears never to have used this function.



While reverse engineering iTrack and ProTrack, L & M noticed that every user was given the default password '123456' when registering an account. He then wrote a script that used the API to try logging in with usernames paired with '123456', and succeeded in breaking into accounts that were still in use with the password unchanged.
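An operator-side check for the weakness described above, as an added example that is not part of the original article or either vendor's code: it audits stored password hashes for accounts still on the shared default '123456', forces them through a reset, and issues a random one-time password for new accounts. The PBKDF2 storage scheme, field names and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

DEFAULT_PASSWORD = "123456"   # the shared default reported in the article
PBKDF2_ROUNDS = 100_000       # assumed storage parameter for this example


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, the storage scheme assumed here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(username, password, must_change=False):
    """Build an account record holding only the salt and the hash."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "must_change": must_change}


def provision(username):
    """New accounts get a random one-time password instead of a shared
    default, and must replace it at first login."""
    otp = secrets.token_urlsafe(12)
    return make_account(username, otp, must_change=True), otp


def audit_default_passwords(accounts):
    """Flag every account whose stored hash still matches the shared default
    and return the usernames that now require a reset."""
    flagged = []
    for acct in accounts:
        candidate = hash_password(DEFAULT_PASSWORD, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["must_change"] = True
            flagged.append(acct["username"])
    return flagged


def login_state(acct, password):
    """A flagged account may only enter the change-password flow."""
    if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
        return "denied"
    return "password_change_required" if acct["must_change"] else "ok"


# Constructed sample accounts: two legacy ones were never changed.
ACCOUNTS = [make_account("fleet-a", DEFAULT_PASSWORD),
            make_account("fleet-b", "correct horse battery staple"),
            make_account("fleet-c", DEFAULT_PASSWORD)]
```

Because each account has its own salt, the audit has to recompute the default's hash per account rather than compare against a single stored value.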

According to Motherboard, L & M obtained personal information including the name and model of the GPS tracking device, its unique IMEI number, the registered username, real name, phone number, email address, and address. Of the samples L & M actually provided, four out of four users were contacted and the data was confirmed to be genuine.



Regarding his motivation for the hack, L & M said, 'My target is the company that developed the app, not the app's users. The users are at risk because of the weak security company,' stating that the problem lies with companies that are profitable from selling the app but have low security.

ProTrack was developed by iTryBrand Technology, based in Shenzhen, China, and iTrack was developed by SEEWORLD, based in Guangzhou. Both companies sell tracking devices and cloud platforms, and the apps appear to share basic code.

ProTrack and iTrack contacted users in late April 2019 asking them to change their passwords. In response to Motherboard's inquiry, ProTrack commented that 'It is normal to prompt for a password change' and denied that data was leaked. No comment was obtained from iTrack.



in Software,   Ride,   Security, Posted by log1h_ik