Password leak of 1/2 million cars from tracking system

Kromtech Security Research Center recently found more than 500,000 records belonging to SVR Tracking, a company that specializes in tracking and recovering stolen vehicles. The company whose data was exposed in the password leak provides customers with trackers that they hide in their vehicles, in the hope that the devices will help in case of theft.

The SVR tracking devices are supposed to help auto dealers or other customers “locate and recover their vehicles with live, real-time tracking, and provide stop verification, enabling them to determine potential locations for their vehicles.” SVR Tracking added, “Alerts will flag owners, making them aware of events of interest. The application dashboard provides real-time graphs and detailed vehicle data suited to tighter control and accurate measurements of vehicle activity.”


The records were found online in a wide-open, public-facing, misconfigured Amazon Web Services (AWS) S3 cloud storage bucket. The information had been exposed for an unknown period.

The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices, and other collected data on customers and the 427 auto dealerships that use the tracking services.

After Kromtech notified SVR Tracking about the password leak, the bucket was secured, but otherwise the company didn’t respond to Kromtech. There is a security incident notification on the company’s site. It reads:

While SVR is not in a position to confirm the accuracy of everything reported by others, Kromtech contacted SVR on September 20, at which point we immediately began our own investigation into an incident concerning one of our data repositories. Within 3 hours, SVR fixed the repository configuration vulnerability Kromtech identified. SVR’s investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers.

Back in July, Amazon sent emails to customers with public-facing S3 buckets, warning them:

By default, S3 bucket ACLs allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.

Make sure your AWS S3 bucket is configured correctly before uploading any sensitive or personal data.
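One way to audit a bucket's ACL for exactly the world-read grants Amazon's notice describes, written here as an added example that is not code from the original article, Kromtech or SVR Tracking. It works on the dict shape boto3's get_bucket_acl() returns; the two sample ACLs are constructed, and the live lookup assumes boto3 and AWS credentials are available.

```python
# Flags S3 bucket ACL grants that expose a bucket beyond its owner.
# Operates on the dict shape returned by boto3's s3.get_bucket_acl().

# Predefined S3 groups that make a grant public (real AWS group URIs).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# Any of these lets an outsider list/read objects or rewrite the ACL itself.
RISKY_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return [(group label, permission)] for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are account-scoped
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if label and grant.get("Permission") in RISKY_PERMISSIONS:
            findings.append((label, grant["Permission"]))
    return findings


def is_world_readable(acl):
    """True if anyone other than the owner can list or fetch the bucket's contents."""
    return any(perm in ("READ", "FULL_CONTROL") for _, perm in public_grants(acl))


def audit_bucket(bucket_name):
    """Fetch a live ACL with boto3 (needs AWS credentials) and check it."""
    import boto3  # imported here so the pure checks above run without boto3
    return public_grants(boto3.client("s3").get_bucket_acl(Bucket=bucket_name))


# Constructed sample: the default, owner-only ACL Amazon's notice describes.
OWNER_ONLY_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}],
}
# Constructed sample: the same bucket after a world-read grant was added.
WORLD_READ_ACL = {
    "Owner": OWNER_ONLY_ACL["Owner"],
    "Grants": OWNER_ONLY_ACL["Grants"] + [{
        "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ"}],
}
```

Run public_grants() over every bucket in an account before uploading anything sensitive; an empty result for each bucket is the state the article's closing advice asks for.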

Mohamad El Hout, MBA, M.Eng., CISSP

Mohamad is an entrepreneur and a Senior Security Consultant dealing with the design and delivery of standard and complex security gateway solutions, covering a wide range of cutting edge technologies. His interests include business, technology, leadership, sports, and the continuous pursuit of knowledge.
