Kromtech Security Center has discovered data connected to the vehicle recovery device and monitoring company SVR Tracking. SVR Tracking is used by automotive dealers to track the location of vehicles and for repossessing cars. The data was left unprotected in an Amazon S3 (Simple Storage Service) bucket; S3 buckets are cloud storage areas.
Researchers discovered a misconfigured Amazon AWS S3 bucket that was left publicly available. The exposure reveals information about the company's customers and reseller network, as well as the physical device that is attached to the cars.
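As an added example (not Kromtech's or SVR Tracking's code), the following Python audits the three settings that decide whether an S3 bucket is publicly readable: the bucket ACL, the bucket policy and the Block Public Access configuration. It runs offline on dictionaries shaped like the responses of the corresponding S3 API calls; the bucket, policy and access-block values are constructed for illustration.

```python
# Offline audit of the three S3 settings that decide whether a bucket is world-readable. The inputs mirror
# the JSON of get-bucket-acl, get-bucket-policy and get-public-access-block; the sample data is constructed.
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",          # the whole internet
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}  # any AWS account

def public_acl_grants(acl):
    """(URI, permission) for every ACL grant made to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def public_policy_statements(policy):
    """(Sid, has_condition) for Allow statements whose Principal is '*' or {"AWS": "*"}."""
    def principals(stmt):
        p = stmt.get("Principal")
        p = p.get("AWS") if isinstance(p, dict) else p
        return p if isinstance(p, list) else [p]
    return [(s.get("Sid", "<no Sid>"), "Condition" in s) for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "*" in principals(s)]

def audit_bucket(acl, policy, public_access_block):
    """Combine ACL, policy and Block Public Access into the exposure that actually applies."""
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    # IgnorePublicAcls neutralizes public ACL grants; RestrictPublicBuckets neutralizes a public policy.
    acl_hits = [] if pab.get("IgnorePublicAcls") else public_acl_grants(acl)
    policy_hits = [] if pab.get("RestrictPublicBuckets") else public_policy_statements(policy)
    open_sids = [sid for sid, conditioned in policy_hits if not conditioned]
    # A wildcard principal narrowed by a Condition (VPC endpoint, source IP, ...) needs a human look.
    review_sids = [sid for sid, conditioned in policy_hits if conditioned]
    return {"acl_grants": acl_hits, "public_statements": open_sids,
            "review_statements": review_sids, "public": bool(acl_hits or open_sids)}

# Constructed sample (not SVR Tracking's real configuration): world-readable by ACL, plus one
# wildcard-principal policy statement that a Condition narrows to a single VPC endpoint.
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]}
PAB_OFF = {"PublicAccessBlockConfiguration": dict.fromkeys(
    ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"], False)}
PAB_ON = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_OFF["PublicAccessBlockConfiguration"], True)}

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_OFF))  # "public": True
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, PAB_ON))   # "public": False
```

The same functions accept real responses from the S3 API, and the mitigation that turns the first result into the second is enabling all four Block Public Access settings on the bucket or account.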
Kromtech found that the data contained over half a million records with logins and passwords, emails, VINs (vehicle identification numbers), IMEI numbers of GPS devices and other data collected on their devices, customers and auto dealerships. Interestingly, the exposed database also recorded where exactly in the car the tracking unit was hidden.
“SVR” stands for “stolen vehicle records”.
A backup folder called “accounts” contained 540,642 ID numbers and account records that included many plate and VIN numbers, emails, hashed passwords, IMEI numbers and more. The bucket also held 116 GB of hourly backups, 8.5 GB of daily backups from 2017, 339 documents called “logs” covering the wider date range of 2015-2017 (UpdateAllVehicleImages, SynchVehicleStatus and maintenance records), and a document with information on the 427 dealerships that use the tracking service.
The overall number of devices could be much larger, given that many of the resellers or clients had large numbers of tracking devices.
The software keeps a record of everywhere the car has been for the previous 120 days, including a terrifying feature that pinpoints on a map every place the driver has visited. There is even an option that shows anyone with login credentials the top stops or locations where the vehicle has been. A “recovery mode” can report the position every 2 minutes or create zone notifications. They claim a 99% success rate on recovery, but what about when the logins and passwords of thousands of unsuspecting drivers are leaked online?
The software can be accessed from any internet-connected device, such as a desktop, laptop, mobile phone or tablet. The tracking unit is located by satellite and sends the information to the company's servers via the GPRS data network. In an age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with credentials that were publicly available online, and then steal that car.
Shortly after the responsible disclosure note was sent, the bucket was secured; however, there has been no word from the company.