Kromtech Security Center researchers were first to detect a login data leak tied to SVR Tracking, a US vehicle tracking device company which specializes in 24 hours cars and trucks tracking in case they are stolen or impounded.
More than 500,000 records containing emails, password hashes, VINs (vehicle identification numbers), license plates and IMEI’s numbers were discovered in a misconfigured Amazon AWS S3 bucket that was left publically available. Apart from this, the reseachers have found 339 log files related to vehicle status and maintenance trace record data as well as other documents providing a detailed info on devices, customers, and more than 400 auto dealerships the company cooperates with.
According to SVR tracking website, the service ensures a continuous vehicle monitoring every 2 min when in motion and every four hours in standing mode. Most alarming is that someone who gained access to an account’s password can easily monitor a vehicle in real time and build a detailed log of every location it has visited for the last 120 days. This means, intruders could steal cars, watch for a driver, or rob a home knowing for sure that a car’s owner is out and about.
All the data found was left in a backup folder called “accounts”. As the researchers claim, the leak was detected on 18 Sep 2017 and blocked two days later within several hours. Though, no one knows for sure the actual time and the total number taking into account that clients and resellers also had quite a lot of tracking devices.
This is not the first incident caused by a misconfigured cloud storage. Quite recently Chris Vickery, UpGuard security researcher, have stumbled upon 1 GB of Verizon customers sensitive data that was publicly accessible. Automotive experts also raise concerns about potential OBDII port threats.
Amazon realizes the scale of the problem and is certainly trying to do something about it. The company claimed to start scanning its S3 cloud storage service for the “buckets”. What stays unclear is whether hackers have access to leak data or not.