A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion, Motherboard has learned.
The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.
By reverse engineering ProTrack and iTrack’s Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up.
At that point, the hacker said he brute-forced “millions of usernames” via the apps’ API. Then, he said he wrote a script to attempt to login using those usernames and the default password.
This allowed him to automatically break into thousands of accounts that were using the default password and extract data from them.
According to a sample of user data L&M shared with Motherboard, the hacker has scraped a treasure trove of information from ProTrack and iTrack customers, including: name and model of the GPS tracking devices they use, the devices’ unique ID numbers (technically known as an IMEI number); usernames, real names, phone numbers, email addresses, and physical addresses. (According to L&M, he was not able to get all of this information for all users; for some users he was only able to get some of the above information.)
Motherboard was able to confirm the data breach by speaking to four users included in the sample L&M shared with Motherboard, who confirmed that the data provided by the hacker was legitimate.
“My target was the company, not the customers. Customers are at risk because of the company,” L&M told Motherboard in an online chat. “They need to make money, and don’t want to secure their customers.”
L&M also claimed to be able to do much more than just monitor customers’ vehicles.
“I can absolutely make a big traffic problem all over the world,” L&M said. “I have fully [sic] control hundred of thousands of vehicles, and by one touch, I can stop these vehicles engines.”
Nevertheless, the hacker said he never killed any car’s engine, as that would be too dangerous. Though the hacker didn’t prove that he was able to turn off a car’s engine, a representative for Concox, the makers of one of the hardware GPS tracking devicesused by some of the users of ProTrack GPS and iTrack, confirmed to Motherboard that customers can turn off the engines remotely if the vehicles are going under 20 kilometers per hour (around 12 miles per hour.)
The apps have a feature to “stop engine,” according to a screenshot provided by the hacker.
Rahim Luqmaan, the owner of Probotik Systems, a South African company that uses ProTrack, said in a phone call with Motherboard that it’s possible to use ProTrack to stop engines if a technician enables that function when installing the tracking devices.
“That makes it more dangerous,” Luqmaan said about the data breach. “He can actually mess around with […] our clients and customers.”
ProTrack is made by iTryBrand Technology, a company based in Shenzhen, China. iTrack is made by SEEWORLD, a company based in Guangzhou, China. Both iTryBrand and SEEWORLD sell hardware tracking devices and the cloud platforms to manage them directly to users, and to companies that then distribute the hardware and services to users. L&M claimed to have broken into the accounts of some distributors too, which allows him to monitor the vehicles and control the accounts of their customers.
On its Google Play app page, iTrack advertises a free demo account with the username “Demo,” and the password “123456.” ProTrack provides potential customers with a free demo on its website. This week, when Motherboard tried the demo, the site displayed a prompt to change password because “the default password is too simple.” Last week, when Motherboard first tried the demo, this message did not appear. ProTrack’s API, moreover, also mentions the default password of “123456” in its documentation.
Judging from the user interface of both apps, it appears ProTrack and iTrack share the same underlying code……Read more>>