A hacker who broke into GPS car-tracking apps found he could stop vehicles remotely
“I can create serious traffic problems around the world,” he said.
The hacker compromised thousands of accounts on two GPS tracking applications, which let him follow the location of tens of thousands of cars and even switch off the engines of some of them while they were moving.
A hacker calling himself L&M told Motherboard that he broke into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two applications that companies use to track and manage their vehicle fleets by GPS. He was able to follow cars in several countries, including South Africa, Morocco, India and the Philippines. For some vehicles the software can also shut off the engine remotely, provided the car is stationary or moving no faster than 20 km/h; the exact condition depends on the manufacturer of the GPS tracking device installed.
After reverse engineering the Android versions of ProTrack and iTrack, L&M said, he realised that every customer was given the same default password at registration: 123456.
He then found "millions of usernames" through the applications' API and wrote a script that tried to log in to each account with the enumerated username and the default password.
That was enough to take over, automatically, the thousands of accounts still using the default password and pull their data out.
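The three ingredients above (a shared provisioning password, an API that leaks usernames, and a login endpoint that will answer one script thousands of times) are what turn a weak default into mass account takeover. The following toy account service is an added illustration written for this article; it is not code from Motherboard, iTryBrand, SEEWORLD or the hacker, and apart from the password 123456 quoted in the article every name, address and number in it is constructed. The unhardened mode reproduces the reported situation; the hardened mode shows the two controls that break it: the provisioning default becomes a one-time credential that must be replaced before the account works, and one source that sprays many distinct usernames is cut off.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict

# The vendor default reported in the article. Every other value here
# (usernames, IP addresses, iteration count) is constructed for the demo.
DEFAULT_PASSWORD = "123456"
PBKDF2_ROUNDS = 10_000  # kept low so the demo runs fast; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountService:
    """Toy fleet-tracking back end (hypothetical, not either vendor's code).

    hardened=False: every account ships with 123456 and nothing stops one
    script from walking an enumerated username list with that password.
    hardened=True: the default is a one-time credential, and a source that
    tries more than max_users_per_source distinct usernames is refused.
    """

    def __init__(self, hardened: bool, max_users_per_source: int = 20):
        self.hardened = hardened
        self.max_users_per_source = max_users_per_source
        self.accounts = {}             # username -> (salt, digest, must_change)
        self.tried = defaultdict(set)  # source_ip -> usernames attempted
        self.blocked = set()

    def create_account(self, username: str, password: str = DEFAULT_PASSWORD) -> None:
        salt = os.urandom(16)
        must_change = self.hardened and password == DEFAULT_PASSWORD
        self.accounts[username] = (salt, _hash(password, salt), must_change)

    def login(self, username: str, password: str, source_ip: str) -> str:
        """Returns one of: ok, must_change_password, denied, blocked."""
        if self.hardened:
            self.tried[source_ip].add(username)
            # One source, one password, many usernames is the credential-stuffing
            # shape; past the threshold the source is refused outright.
            if len(self.tried[source_ip]) > self.max_users_per_source:
                self.blocked.add(source_ip)
            if source_ip in self.blocked:
                return "blocked"
        record = self.accounts.get(username)
        if record is None:
            return "denied"
        salt, digest, must_change = record
        if not hmac.compare_digest(_hash(password, salt), digest):
            return "denied"
        return "must_change_password" if must_change else "ok"

    def change_password(self, username: str, old: str, new: str, source_ip: str) -> bool:
        if self.login(username, old, source_ip) not in ("ok", "must_change_password"):
            return False
        if self.hardened and new == DEFAULT_PASSWORD:
            return False  # re-setting the vendor default is not a change
        salt = os.urandom(16)
        self.accounts[username] = (salt, _hash(new, salt), False)
        return True


def audit_default_passwords(service: AccountService) -> list:
    """Defender-side check: which accounts would fall to the default password?"""
    return [u for u, (salt, digest, _) in service.accounts.items()
            if hmac.compare_digest(_hash(DEFAULT_PASSWORD, salt), digest)]


def stuff_credentials(service: AccountService, usernames, password, source_ip) -> dict:
    """The attacker's loop from the article: one password across an enumerated list."""
    return dict(Counter(service.login(u, password, source_ip) for u in usernames))


def build_fleet(service: AccountService) -> list:
    """Constructed tenant: 50 accounts left on the default, 5 that changed it."""
    names = [f"fleet{i:03d}" for i in range(55)]
    for name in names[:50]:
        service.create_account(name)
    for name in names[50:]:
        service.create_account(name, f"Tr4cker!{name}")
    return names


def run_demo():
    attacker_ip = "203.0.113.7"  # constructed source address
    weak, hardened = AccountService(hardened=False), AccountService(hardened=True)
    names = build_fleet(weak)
    build_fleet(hardened)
    weak_result = stuff_credentials(weak, names, DEFAULT_PASSWORD, attacker_ip)
    hardened_result = stuff_credentials(hardened, names, DEFAULT_PASSWORD, attacker_ip)
    return weak, hardened, weak_result, hardened_result


if __name__ == "__main__":
    weak, hardened, weak_result, hardened_result = run_demo()
    print("no controls:", weak_result, "| hardened:", hardened_result)
    print("accounts still on the default:", len(audit_default_passwords(weak)))
```

Against the unhardened service the loop takes over all 50 default accounts in one pass; against the hardened one it gets 20 "change your password first" answers and is then blocked, with no usable session. The audit function is the check a vendor in this position should run before an outsider does: it answers "how many of our accounts still open with 123456" without waiting for a warning banner to be added to the demo page.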
According to a sample of user data that L&M shared with Motherboard, he had collected a wealth of information about ProTrack and iTrack customers: the name and model of the GPS tracker, its unique identifier (the IMEI), the username, the customer's real name, phone number, email address and home address. L&M said he could not extract all of this for every user; for some, only part of the information was retrieved.
Motherboard was able to confirm the breach by speaking with four users from L&M's sample, who verified that the information the hacker provided about them was accurate.
"I aimed at the company, not at the customers. Customers are at risk due to company actions," L&M told Motherboard in a chat. "They need to earn money, and they do not want to protect their customers."
Screenshot taken from one of the compromised user accounts.
L&M also said he can do far more than just track users' vehicles. "I can create serious traffic problems around the world," he said. "I have full control over hundreds of thousands of cars, and with one touch I can stop their engines."
The hacker said, however, that he had never shut down a single engine, because that would be too dangerous. And although he did not demonstrate the ability, a representative of Concox, the manufacturer of one of the devices used by some ProTrack and iTrack customers, confirmed to Motherboard that customers really can switch off their engines remotely if the vehicle is travelling slower than 20 km/h.
The application has a "stop the engine" function, according to a screenshot provided by the hacker.
Rahim Luckman, the owner of Probotik Systems, a South African company that uses ProTrack, told Motherboard that ProTrack can be used to stop engines if a technician enables the feature when installing the GPS tracker. "And that makes the situation even more dangerous," Luckman said of the data leak. "It really can create confusion for our customers and users."
ProTrack is run by iTryBrand Technology of Shenzhen, China; iTrack by SEEWORLD of Guangzhou, China. Both companies sell tracking devices and cloud services to individuals as well as to software and device distributors. L&M said he also broke into the accounts of some distributors, which let him track their devices and control their users' accounts.
On its Google Play page, iTrack advertises a free demo account with the username Demo and the password 123456. ProTrack offers a free demo on its website. When Motherboard checked that demo this week, the site displayed a warning that the password should be changed because "the default password is too simple"; a week earlier there had been no such message. ProTrack's API documentation likewise states that the default password is 123456.
Judging by their interfaces, the two applications share the same code base.
L&M said that ProTrack this week contacted customers through the application and by email asking them to change their passwords, but has not yet forced them to. ProTrack denies that any data leaked, but confirms that it advised users to change their passwords.
"Our system works very well, and changing a password is the normal way to maintain account security," a company spokesman said. "Besides, why do you contact our customers and bother them? Why did the hacker contact you?"
iTrack did not respond to a request for comment.
L&M said he contacted the companies hoping for a reward. In a screenshot showing ProTrack's reply, a company representative asked the hacker to name them a "low price".
"If we pay, will you give us your tool and not hack our account anymore? How can we be sure of this? Sorry there are so many questions, but this is the first time we've encountered this nightmare."
The hacker declined to comment further on the company, but said he got what he wanted. "My attack warned them, and I consider this a success. Make them worry about security," L&M said. "Now they know that their users are at risk and are focusing on slightly increasing the security of their service."