“I can create serious problems with traffic around the world,” he said.

A hacker broke into thousands of user accounts on two GPS tracking applications, which let him track the location of tens of thousands of vehicles and, for some of them, could even shut off the engine while the car was on the move.

The hacker, who goes by L & M, told Motherboard that he had broken into more than 7,000 iTrack accounts and over 20,000 ProTrack accounts; both are applications that companies use to track and manage vehicle fleets via GPS. He was able to track cars in several countries around the world, including South Africa, Morocco, India and the Philippines. In some vehicles the software allows the engine to be shut off remotely, provided the car is stationary or moving no faster than 20 km/h, depending on the manufacturer of the particular GPS tracking device.

After reverse engineering the Android apps for ProTrack and iTrack, L & M said, he realized that every customer is given the same default password, 123456, on registration.
He then used the applications' API to enumerate "millions of usernames" by simple brute force, and wrote a script that attempted to log in to each account with a discovered username and the default password. This let him automatically compromise thousands of accounts that were still using the default password and extract their data.
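The scripted-login pattern described above, seen from the defender's side: this is an added example, not code from the article or from either vendor, that flags a client which attempts logins against many distinct usernames within a short window, the signature of a script walking an enumerated username list with one shared default password. The log format, thresholds and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, client IP, username, result.
# The first client walks six different usernames in four seconds; the second is one
# user retrying their own password, which must not be flagged.
SAMPLE_LOG = """\
2019-04-24T10:00:01 203.0.113.7 fleet_alpha FAIL
2019-04-24T10:00:02 203.0.113.7 fleet_beta OK
2019-04-24T10:00:02 203.0.113.7 fleet_gamma FAIL
2019-04-24T10:00:03 203.0.113.7 fleet_delta OK
2019-04-24T10:00:04 203.0.113.7 fleet_eps FAIL
2019-04-24T10:00:05 203.0.113.7 fleet_zeta OK
2019-04-24T10:05:00 198.51.100.4 fleet_beta FAIL
2019-04-24T10:06:00 198.51.100.4 fleet_beta FAIL
2019-04-24T10:06:30 198.51.100.4 fleet_beta OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def find_spraying_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (max distinct usernames in any window, total successes)} for
    every client that tried at least `min_users` distinct usernames inside a
    sliding window of `window`. A legitimate user retrying a password touches
    one username; a script with a shared default password touches hundreds, and
    every OK it receives is an account that still has that default."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, ip, user, ok = parse_line(raw)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u, _ in evs[start:end + 1]}))
        if peak >= min_users:
            flagged[ip] = (peak, sum(1 for _, _, ok in evs if ok))
    return flagged
```

Each successful login reported for a flagged source is an account that should be forced through a password reset, since it accepted the password the script was spraying.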
According to a sample of user data that L & M shared with Motherboard, the hacker collected a wealth of ProTrack and iTrack customer information, including the name and model of the GPS tracker, unique device IDs (known as IMEIs), usernames, real names, phone numbers, email addresses and home addresses. L & M said he was unable to extract all of this information for every user; for some, only part of it was obtained.

Motherboard's editors were able to confirm that the breach was real by speaking to four users from L & M's sample. Those users confirmed that the information provided by the hacker was accurate.

“I was targeting the company, not the customers. Customers are at risk because of the company's actions,” L & M told the editors in a chat. “They need to earn money, and they don't want to protect their customers.”
Screenshot taken using the hacked account of one of the users

L & M also said that he can do much more than just track users' vehicles. “I can create serious traffic problems around the world,” he said. “I fully control hundreds of thousands of cars, and with one touch I can stop their engines.”

However, the hacker said he had never shut down a single engine, since that would be too dangerous. And although the hacker did not demonstrate his ability to turn off an engine, a representative of Concox, which manufactures one of the GPS devices used by some ProTrack and iTrack users, confirmed to the editors that customers can remotely turn off engines when the vehicle is travelling slower than 20 km/h.

Judging by the screenshot the hacker provided, the application has a "stop engine" function.

Rahim Lukman, the owner of the South African company Probotik Systems, which uses ProTrack, told the editors by phone that ProTrack can be used to stop engines if the technician enables this function when installing the GPS tracker. “And this makes the situation even more dangerous,” Lukman said of the data leak. “He really can make a mess with our customers and users.”

ProTrack is operated by iTryBrand Technology of Shenzhen, China. iTrack is operated by SEEWORLD of Guangzhou, China. Both companies sell tracking devices and cloud services to individuals as well as to software distributors. L & M said he had also hacked the accounts of some distributors, which let him track devices and control the accounts of their users.
On the app's Google Play page, iTrack advertises a free demo account with the username Demo and the password 123456. ProTrack provides a free demo on its website. This week, when the editors checked the demo, the site displayed a warning that the password needed to be changed because "the default password is too simple." A week earlier, that message was not there. ProTrack's API documentation also lists the default password as 123456.

Judging by the interface of both applications, they share the same underlying code.

L & M said that this week ProTrack contacted customers through the app and by email asking them to change their passwords, but does not yet force them to do so. ProTrack denies that any data was leaked, but confirms that it has advised users to change their passwords.
“Our system works very well, and changing the password is a normal way to maintain account security,” a company spokesman said. “Besides, why are you contacting our customers and bothering them? Why did the hacker contact you?”

iTrack did not respond to a request for comment.

L & M said he contacted the companies hoping for a reward. In a screenshot showing ProTrack's reply, a company representative asked the hacker to name a “low price”.

“If we pay, will you give us your tool and stop hacking our account? How can we be sure of this? Sorry to ask so many questions, but this is the first time we have faced this nightmare.”

The hacker declined to comment further on his communication with the company, but said that he got what he wanted. “My attack warned them, and I consider this a success. It made them worry about security,” said L & M. “Now they know that their users are at risk and are concentrating a little on improving the security of their service.”