More than 500,000 Passwords of Car Tracking Devices are Hacked

The Kromtech Security Center lately got over half a million reports belonging to SVR Tracking, an organization that concentrates in “vehicle recovery,” openly accessible online. SVR presents its clients with throughout-the-clock surveillance of cars and trucks, just in the cause, those vehicles are pulled or stolen. To do “constant” and “live” updates of a vehicle’s position, a tracking device is connected in a discreet location, about a prescribed driver isn’t likely to notice it.

According to SVR’s website, the tracking unit provides “continuous channel tracking, every two minutes when moving” and a “four-hour moment when stopped.” Basically, throughout the car has been in the past 120 days should be available, so long as you have the correct login credentials for SVR’s app, which is downloadable for desktops, laptops, and most any mobile device.

Kromtech discovered SVR’s data in an openly accessible Amazon S3 bucket. It included data on roughly 540,000 SVR accounts, including email addresses and keys, as well as some license plates and vehicle license numbers (VIN). There were half a million works overall, Kromtech said, “but in some cases, credentials were presented for a record with several vehicles connected with it.”

The SVR keys were stored using a cryptographic hash use SHA-1, though one that’s 20 years old and with known defects. Simple passwords saved using this function are likely to be answered with ease. The CynoSure team, for instance, recently announced having broken all but 116SHA-1 hashes from a group of over 319 million passwords published in hash form by Troy Hunt, founder of the website Have I been pwned?

As usual, it’s hard to say for how long precisely the data was actually displayed. In the case of Amazon S3 buckets, only Amazon and the bucket’s master can say for sure, and usually, that’s not information either is willing or eager to share.

“The overall amount of devices could be much higher given the fact that many of the resellers or customers had large numbers of machines for tracking,” said Kromtech’s Bob Diachenko. “In the age where crime and technology go aid in aid, imagine the possible danger if cybercriminals could find out where a car is by logging in with the data that were openly available online and steal that car?”

Take your time to comment on this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients