Kromtech security research center recently found more than 500,000 records belonging to SVR Tracking, a company that specializes in tracking and recovering stolen vehicles. The company responsible for the password leak provides customers with trackers that they hide in their vehicles, in the hope that the devices will help if a vehicle is stolen.
The SVR tracking devices are supposed to help auto dealers or other customers “locate and recover their vehicles with live, real-time tracking, and provide stop verification, enabling them to determine potential locations for their vehicles.” SVR Tracking added, “Alerts will flag owners, making them aware of events of interest. The application dashboard provides real-time graphs and detailed vehicle data suited to tighter control and accurate measurements of vehicle activity.”
The records were found online in a wide-open, public-facing, and misconfigured Amazon Web Services (AWS) S3 cloud storage bucket. How long the information had been exposed is unknown.
The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices, and other collected data on customers and the 427 auto dealerships that use the tracking services.
After Kromtech notified SVR Tracking about the password leak, the bucket was secured, but otherwise the company didn’t respond to Kromtech. There is a security incident notification on the company’s site. It reads:
While SVR is not in a position to confirm the accuracy of everything reported by others, Kromtech contacted SVR on September 20, at which point we immediately began our own investigation into an incident concerning one of our data repositories. Within 3 hours, SVR fixed the repository configuration vulnerability Kromtech identified. SVR’s investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers.
Back in July, Amazon sent emails to customers with public-facing S3 buckets, warning them:
By default, S3 bucket ACLs allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.
Make sure your AWS S3 bucket is configured correctly before uploading any sensitive or personal data.
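The world-access grants that Amazon's notice describes, and that the closing advice asks you to check for, are visible in two places: the bucket ACL (a grant to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement whose principal is "*"). The following script is an added example, not code from Kromtech, SVR Tracking or AWS; it audits an ACL and policy in the same shape boto3 returns them, strips any public ACL grants, and carries the Block Public Access settings a defender would apply. The sample ACL and policy are constructed for the demonstration; the optional `audit_live_bucket` function assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit an S3 bucket ACL and bucket policy for world-readable grants (added example)."""
import json

# Real AWS predefined group URIs; a grant to either one makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# Account- or bucket-level Block Public Access configuration that overrides public ACLs and policies.
BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample in the shape of boto3's get_bucket_acl() response (owner ID is a placeholder).
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample bucket policy granting anonymous object reads.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def public_policy_statements(policy):
    """Return the Sid (or index) of each Allow statement whose principal is everyone.

    Conservative by design: a statement with Principal "*" is flagged even if a
    Condition narrows it, because conditions are easy to get wrong.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])):
            findings.append(stmt.get("Sid", "statement[%d]" % i))
    return findings


def strip_public_grants(acl):
    """Return an AccessControlPolicy (put_bucket_acl() input) with public grants removed."""
    kept = [g for g in acl.get("Grants", [])
            if not (g.get("Grantee", {}).get("Type") == "Group"
                    and g["Grantee"].get("URI") in PUBLIC_GROUPS)]
    return {"Owner": acl["Owner"], "Grants": kept}


def audit(acl, policy=None):
    """Combine both checks into one verdict for a bucket."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy or {})
    return {"acl_findings": acl_findings, "policy_findings": policy_findings,
            "public": bool(acl_findings or policy_findings)}


def audit_live_bucket(bucket_name):
    """Fetch a real bucket's ACL and policy with boto3 (assumed installed and credentialed)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket_name)["Policy"])
    except ClientError:  # NoSuchBucketPolicy: no policy attached
        policy = {}
    return audit(acl, policy)


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
    print("after remediation:", audit(strip_public_grants(SAMPLE_ACL), {}))
```

The remediation step in practice is two calls: `put_bucket_acl` with the output of `strip_public_grants`, and `put_public_access_block` with `BLOCK_ALL_PUBLIC_ACCESS`, which makes a later accidental public ACL or policy ineffective rather than relying on every upload being configured correctly.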