Itrack and Protrack are commercial devices for tracking fleets of commercial vehicles; they can be configured to allow for remote killswitching of the cars’ engines, presumably as a theft-prevention measure.
A hacker going by L&M took control of thousands of cars equipped with the devices by exploiting the fact that the Android apps for interacting with Itrack and Protrack share the same default password (“123456”), which users are not forced to change. L&M used a credential stuffing attack: taking email addresses gleaned from massive breaches and repeatedly trying different email/password combinations to gain access.
Once penetrated, the apps yield up great quantities of information on the compromised users and their vehicles: “name and model of the GPS tracking devices they use, the devices’ unique ID numbers (technically known as an IMEI number); usernames, real names, phone numbers, email addresses, and physical addresses.”
L&M was able to track the compromised vehicles in real time, and they say they can also immobilize many of them (“I can absolutely make a big traffic problem all over the world. I have fully [sic] control hundred of thousands of vehicles, and by one touch, I can stop these vehicles engines.”).
The vulnerabilities reflect a lackadaisical approach to security that we see across multiple industries: not only do the companies allow users to initialize their products without changing the default password, they compound this error by not detecting and preventing credential stuffing attacks. This negligence puts their users’ property, and lives, at risk.
Both Itrack and Protrack are now asking their users to change their default passwords. Protrack denies that they have suffered a breach.
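The two controls the post says were missing can be sketched on the server side. This is an added example, not code from Itrack, Protrack or Motherboard: the `LoginGuard` class, the five-minute window, the five-account threshold and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

DEFAULT_PASSWORD = "123456"    # the shared default named in the post
WINDOW_SECONDS = 300           # assumed sliding window
MAX_ACCOUNTS_PER_SOURCE = 5    # assumed: distinct accounts one source may try

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    def __init__(self):
        self.users = {}                      # email -> (salt, password hash)
        self.attempts = defaultdict(deque)   # source ip -> (timestamp, email)
        self.blocked = set()                 # sources that tripped the threshold

    def provision(self, email, password=DEFAULT_PASSWORD):
        salt = os.urandom(16)
        self.users[email] = (salt, hash_pw(password, salt))

    def login(self, ip, email, password, now):
        """Return 'blocked', 'denied', 'must_change_password' or 'ok'."""
        if ip in self.blocked:
            return "blocked"
        seen = self.attempts[ip]
        seen.append((now, email))
        while now - seen[0][0] > WINDOW_SECONDS:   # drop attempts outside the window
            seen.popleft()
        if len({e for _, e in seen}) > MAX_ACCOUNTS_PER_SOURCE:
            self.blocked.add(ip)             # one source, many accounts: stuffing pattern
            return "blocked"
        salt, stored = self.users.get(email, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_pw(password, salt), stored):
            return "denied"
        if password == DEFAULT_PASSWORD:
            return "must_change_password"    # session may only set a new password
        return "ok"

def demo():
    # Constructed accounts and attempts; IPs and domains are reserved example values.
    guard = LoginGuard()
    for i in range(8):
        guard.provision(f"fleet{i}@example.com")           # all left on the default
    guard.provision("owner@example.com", "long unique passphrase")
    stuffing = [guard.login("203.0.113.9", f"fleet{i}@example.com", "123456", i) for i in range(8)]
    normal = guard.login("198.51.100.7", "owner@example.com", "long unique passphrase", 10)
    return stuffing, normal
```

A per-source counter is only one signal, since stuffing traffic is often spread across many addresses; the forced password change is what keeps a correct guess of the default from reaching tracking or engine functions.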
Nevertheless, the hacker said he never killed any car’s engine, as that would be too dangerous. Though the hacker didn’t prove that he was able to turn off a car’s engine, a representative for Concox, the makers of one of the hardware GPS tracking devices used by some of the users of ProTrack GPS and iTrack, confirmed to Motherboard that customers can turn off the engines remotely if the vehicles are going under 20 kilometers per hour (around 12 miles per hour.)
The apps have a feature to “stop engine,” according to a screenshot provided by the hacker.
Rahim Luqmaan, the owner of Probotik Systems, a South African company that uses ProTrack, said in a phone call with Motherboard that it’s possible to use ProTrack to stop engines if a technician enables that function when installing the tracking devices.
“That makes it more dangerous,” Luqmaan said about the data breach. “He can actually mess around with […] our clients and customers.”
Hacker Can Monitor Cars And Kill Their Engines After Breaking Into GPS Tracking Apps [Lorenzo Franceschi-Bicchierai/Motherboard]