The vehicle tracking device company SVR Tracking leaked more than half a million records containing login credentials online. The leak exposed the vehicle details and personal data of the drivers and businesses that were using the SVR service.
Verizon data was leaked online just a few hours earlier, and a similar leak hit the entertainment giant Viacom. The cause was the same in both cases: an unsecured Amazon S3 server.
Experts at Kromtech Security Center discovered an unsecured Amazon Web Services (AWS) S3 cloud storage bucket containing SVR Tracking data that had been publicly accessible for an unknown period. The SVR Tracking service uses a physical tracking device, hidden in the vehicle, that can track customers in real time. Customers can also monitor their vehicles and recover them if they are stolen.
The leak revealed about 540,000 SVR accounts, emails, addresses, and passwords. The leaked cache also contained customers’ vehicle data such as Vehicle Identification Numbers (VIN) and the IMEI numbers of GPS devices. The exposed data also included the location in the car where the tracking device was hidden.
The blog post published by Kromtech reads, “The repository contained over a half of a million records with logins/passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, the exposed database also contained information where exactly in the car the tracking unit was hidden.”
The leaked passwords were stored as hashes produced with SHA-1, a weak 20-year-old cryptographic hash algorithm. It was used by the US National Security Agency (NSA) and can now be cracked effortlessly. Also leaked were 339 logs containing photographs and data about vehicle status and maintenance records, along with information on the 427 dealerships using SVR’s tracking services.
According to Kromtech, the total number of devices exposed “could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking.”
Because the tracking service follows a vehicle everywhere, anyone with access to SVR users’ login credentials could both track the vehicle in real time and log every location it visits, using nothing more than an internet-connected device such as a tablet, mobile phone, laptop or desktop.
Such exposure makes it clear that an attacker could steal the car, or rob a home as soon as he knows that the car owner is out.
Kromtech responsibly warned the company about the misconfigured AWS S3 cloud storage bucket, which immediately saved it from harm. It is not yet confirmed whether the publicly accessible data was exploited by hackers.