Hacker could locate thousands of cars and kill their engines remotely via poorly-secured GPS tracking apps

Over a relatively short period of time, computers changed from something you kept on your desk, to something you carried in your pocket, to something you sat inside as you drove to work.

As technology moves on, we’re going to be thinking more and more about mobile computing as being not just the smartphones we carry with us everywhere, but also the vehicles that carry *us* everywhere.

And that’s a problem if security continues to be woefully sloppy.

According to Motherboard reporter Lorenzo Franceschi-Bicchierai, a hacker claims he managed to break into accounts belonging to users of GPS tracker apps, allowing him to monitor the locations of tens of thousands of vehicles, and even granting the ability to turn off the engine of some of them as they were moving.

The hacker, who is only known by the handle “L&M”, says that he hacked into over 20,000 accounts belonging to users of the ProTrack GPS app and more than 7,000 iTrack app accounts.

L&M examined the source code of the Android versions of the apps, which allow companies to track their vehicle fleets in real-time, and was shocked to discover that all customers are given a default password upon sign-up.

What default password are they given?

Well, it pains me to say but the apps used the default password “123456”.

Possibly the worst password in the world. Just this week, the UK’s National Cyber Security Centre (NCSC) declared in an advisory about the need for unique, strong passwords that “123456” topped its list of the most commonly used passwords, having been found over 20 million times in data breaches.

L&M says he was able to use that information to send millions of possible usernames through the apps’ API to see if they would be able to log in with the weak default password.

Through this method the hacker was able to scrape information from ProTrack and iTrack customer accounts, including details of the GPS tracking devices they were using, their unique IMEI identification numbers, as well as the names, phone numbers, email addresses and physical addresses of users.
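One way a service operator could spot the pattern described above, a single source working through many usernames, in its login logs. This is an added example, not code from the original article or from either app; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: "ISO-time source-ip username result" (not real data).
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 fleet0001 FAIL
2024-01-01T10:00:01 203.0.113.7 fleet0002 OK
2024-01-01T10:00:02 203.0.113.7 fleet0003 FAIL
2024-01-01T10:00:03 203.0.113.7 fleet0004 OK
2024-01-01T10:00:04 203.0.113.7 fleet0005 FAIL
2024-01-01T10:00:05 198.51.100.20 alice FAIL
2024-01-01T10:00:09 198.51.100.20 alice FAIL
2024-01-01T10:00:15 198.51.100.20 alice OK
2024-01-01T10:20:00 198.51.100.20 bob OK
"""

def parse(line):
    """Split one log line into (timestamp, source ip, username, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_spray(log_text, window=timedelta(minutes=5), max_users=4):
    """Flag sources that try more than max_users distinct usernames within
    the window, and list the accounts they logged in to (reset candidates)."""
    recent = defaultdict(deque)    # ip -> (time, username) pairs inside the window
    successes = defaultdict(set)   # ip -> usernames that source logged in as
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse(line)
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        if len({u for _, u in q}) > max_users:
            flagged.add(ip)
        if ok:
            successes[ip].add(user)
    # Successes are reported for the whole log, so logins that happened
    # before the threshold was crossed are still listed for reset.
    return {ip: sorted(successes[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, accounts in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: username spray; force password reset for {accounts}")
```

Counting distinct usernames per source, rather than failures per account, is what catches this pattern: each account sees only one attempt, so per-account lockout never triggers.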

But the risks didn’t just stop at the data breach and the monitoring of vehicle locations. The hacker also claimed he would have been able to turn off the engine of some vehicles when travelling at slow speed (under 20km per hour).

In this way, a malicious attacker could clearly cause a significant problem, as L&M told Motherboard:

“I can absolutely make a big traffic problem all over the world. I have fully [sic] control hundred of thousands of vehicles, and by one touch, I can stop these vehicles engines.”

The two apps, both apparently developed in China, appear to have the same underlying code – which explains why they both suffer from the same catastrophic flaw of using a particularly disastrous default password.

When approached by Motherboard, ProTrack denied that it had suffered a data breach but did acknowledge that it was now prompting users to change their passwords.

It’s just a shame that the apps weren’t built more securely in the first place, rather than a hacker having to raise the alarm about the serious security vulnerability. As more and more businesses race to create internet-connected devices and build cloud-based systems for users to manage their technology, it is essential that steps are taken to ensure that security and privacy are treated as a priority.

Firms would be wise to apply some brakes before speeding into shipping insecure apps that could put their customers in peril.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: