With the evolution of technology, computers are no longer limited to your desktop. You carry one everywhere in the form of a smartphone, and sometimes even your vehicle is controlled from that smartphone. But do you think there is enough security in place to protect your privacy from unwanted intrusion?
According to Motherboard reporter Lorenzo Franceschi-Bicchierai, a hacker claims he managed to break into accounts belonging to users of GPS tracker apps, allowing him to monitor the locations of tens of thousands of vehicles, and even granting the ability to turn off the engine of some of them as they were moving.
The hacker, who is known only by the handle “L&M”, says that he broke into over 20,000 accounts belonging to users of the Protrack GPS app and more than 7,000 iTrack app accounts. L&M examined the source code of the Android versions of the apps, which allow companies to track their vehicle fleets in real time, and was shocked to discover that every customer is given the same default password upon sign-up.
What default password are they given?
Sadly, the default password for the apps is generally “123456”, possibly the worst password in the world. Just this week, the UK’s National Cyber Security Centre (NCSC) declared in an advisory on the need for unique, strong passwords that “123456” topped its list of the most commonly used passwords, having been found over 20 million times in data breaches.
L&M says he was able to use that information to send millions of possible usernames through the apps’ API to see which of them would log in with the weak default password.
Through this method, the hacker was able to scrape information from ProTrack and iTrack customer accounts, including details of the GPS tracking devices they were using, their unique IMEI identification numbers, as well as the names, phone numbers, email addresses, and physical addresses of users.
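The enumeration described above, one default password tried against a huge list of usernames, has a recognisable shape in server-side logs: one source trying many distinct usernames in a short window. The following detector is an added example, not code from the article or from either app vendor; it assumes a hypothetical login-log line format and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed (hypothetical) API login-log format:
# "<ISO timestamp> <source ip> login user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2019-04-24T10:00:01Z 203.0.113.7 login user=fleet001 result=fail
2019-04-24T10:00:02Z 203.0.113.7 login user=fleet002 result=ok
2019-04-24T10:00:02Z 203.0.113.7 login user=fleet003 result=fail
2019-04-24T10:00:03Z 203.0.113.7 login user=fleet004 result=fail
2019-04-24T10:00:03Z 203.0.113.7 login user=fleet005 result=ok
2019-04-24T10:00:04Z 203.0.113.7 login user=fleet006 result=fail
2019-04-24T10:05:00Z 198.51.100.9 login user=dispatch result=fail
2019-04-24T10:05:04Z 198.51.100.9 login user=dispatch result=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Turn log lines into (timestamp, source, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "ok"))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that try >= min_users distinct usernames within `window`.
    Spraying one password across many accounts looks exactly like this; a
    legitimate user retrying their own password does not (one username).
    Returns {source: {"users": n, "compromised": [usernames that logged in]}}."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    alerts = {}
    for src, evs in by_src.items():
        for i, (t0, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users:
                # Accounts that accepted the sprayed password need a forced reset
                hits = sorted({u for _, u, ok in in_win if ok})
                alerts[src] = {"users": len(users), "compromised": hits}
                break
    return alerts
```

The successful logins inside a flagged window are the accounts still on the default password; those are the ones to lock and force through a reset first.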
But the risks didn’t stop at the data breach and the monitoring of vehicle locations. The hacker also claimed he would have been able to turn off the engine of some vehicles while they were travelling at slow speed (under 20 km per hour).
L&M claimed that it can absolutely make a big traffic problem all over the world. According to him, he has fully [sic] control of hundreds of thousands of vehicles, and by one touch, he can stop these vehicles’ engines.
The two apps, both apparently developed in China, appear to have the same underlying code – which explains why they both suffer from the same catastrophic flaw of using a particularly disastrous default password.
Organizations need to take responsibility for addressing security vulnerabilities before they put their customers in peril. As more and more businesses race to create internet-connected devices and build cloud-based systems for users to manage their technology, it is essential that steps are taken to ensure that security and privacy are treated as a priority.
Source: Security Boulevard