GPS Tracking App Breach Allows Hacker to Monitor Cars, Kill Their Engines: Report

A hacker reportedly broke into two GPS tracking apps, giving him ability to monitor the real-time location of thousands of cars across multiple countries and even turning off the engines of some while they are on the road. According to an online report, the hacker was able to track vehicles, managed by iTrack and ProTrack apps, in several countries around the world, including India, Morocco, Philippines, and South Africa. While ProTrack seems to have plugged the vulnerability, there is no word on whether iTrack has done anything to make its service secure.

According to a report in Motherboard, the hacker, who goes by name L&M, told the publication that he was able to hack into over 7,000 iTrack accounts and 20,000 ProTrack accounts. Both iTrack and ProTrack apps are used by companies around the world to monitor and manage their fleets of automobiles with GPS tracking devices. The hacker claims to have exploited a very basic vulnerability in the GPS tracking apps. The apps reportedly assign a default password “123456” to all their customers. By brute-forcing millions of usernames with the default password, L&M hacked his way into thousands of accounts that were still using the default password.

Access to these accounts provided L&M with not only the real-time location of the attached vehicles, but also the names and models of the GPS tracking devices, real names of users, phone numbers, email addresses, device IMEI numbers, and physical addresses. Not all accounts said to have included all the data. Motherboard claims to have confirmed the breach by verifying a sample of the hacked data provided by the hacker and contacting four of the impacted users.

While the breach of private data and real-time location of vehicles is a massive privacy and security issue for the impacted consumers, the hacker also claimed to have the ability to shut down the engines of some vehicles, making the hack a safety nightmare. Although L&M didn't prove the ability by shutting down the engine of a vehicle, Motherboard was able to confirm the existence of the feature by the maker of one of GPS tracking devices supported by the hacked apps. Concox, a company that makes GPS tracking hardware, told the publication that the customers can turn off the engines of the vehicles remotely if the vehicles are going under 20km per hour. The hacked GPS apps include an option called “Stop Engine” which makes use of the functionality provided the GPS hardware. The same option can also be seen in the Web version of the service by using the demo account and Gadgets 360 was able to verify the same. The option is most likely present to stop the vehicles in the case of a theft.

The iTrack app is developed by SeeWorld Technology Corp.Ltd., which is based in Guangzhou, China, whereas ProTrack has been made by Shenzhen iTrybrand Technology Co. Ltd., which is based in Shenzhen, China. Both the apps seem to share the same codebase and even the UI of their apps and Web version is very similar.

Motherboard notes that after the hacker reached out to app developers, ProTrack has contacted customers via app and email to change their password. The company is however no doing force resets at this point. The company denied the data breach to the publication.

“Our system is working very well and change password is normal way for account security like other systems, any problem?” a company representative told Motherboard.

Protrack no longer seems to be allowing the customers to keep “123456” as the password, thereby plugging the vulnerability, which we verified by signing up for a demo account. This still leaves the existing customers with default passwords vulnerable. There is no word on whether iTrack has made a similar change and the company's demo account still accepts “123456” as the password.