Auto Location Tracking Company Leaves Customer Data Exposed Online
from the stop-doing-that dept
What is it about companies (or their contractors) leaving consumer data publicly exposed on an Amazon cloud server? Verizon recently made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently and soundly ridiculed after it left the personal data of around 198 million citizens (read: most of you) similarly sitting on an Amazon server without protection. Time Warner Cable also recently left 4 million user records sitting in an openly accessible Amazon bucket.
This sort of incompetence shows no sign of slowing down. Not to be outdone, the Kromtech Security Center recently found over half a million records belonging to SVR Tracking, a company that tracks your car's location for its “vehicle recovery” service, left sitting online without adequate security. You guessed it: the company apparently also thought it would be a good idea to leave this data on an Amazon server openly accessible via the internet:
“Kromtech discovered SVR’s data in a publicly accessible Amazon S3 bucket. It contained information on roughly 540,000 SVR accounts, including email addresses and passwords, as well as some license plates and vehicle identification numbers (VIN). There were half a million records overall, Kromtech said, ‘but in some cases credentials were given for a record with several vehicles associated with it.’”
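The misconfiguration behind every incident named above is an S3 bucket whose policy lets anonymous callers read objects. The following added example (not code from Techdirt, Kromtech or SVR Tracking) shows a constructed world-readable bucket policy beside its corrected form, and a small checker that flags the public statements. The bucket name and the IAM role ARN are hypothetical; SVR's actual policy was never published.

```python
import json

# Constructed sample: a bucket policy that makes every object world-readable. This is the
# shape of misconfiguration the article describes, not SVR Tracking's actual policy.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",                      # anyone, including unauthenticated requests
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-tracking-exports/*",
    }],
}

# The corrected form: the same objects readable only by one IAM role in the account
# (hypothetical bucket name and role ARN).
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/tracking-export-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-tracking-exports",
                     "arn:aws:s3:::example-tracking-exports/*"],
    }],
}


def _as_list(value):
    """IAM JSON allows a bare string wherever a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} grants to everyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    """True if any action lets the caller fetch or enumerate objects (wildcards included)."""
    for action in actions:
        a = action.lower()
        if a in ("*", "s3:*") or a.startswith("s3:get") or a.startswith("s3:list"):
            return True
    return False


def public_read_statements(policy):
    """Return the Sids of Allow statements that let anyone read from the bucket.

    Statements carrying a Condition block are skipped rather than passed: a condition can
    still be effectively public (one that always holds), so those need manual review.
    """
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if _is_anonymous(st.get("Principal")) and _grants_read(_as_list(st.get("Action"))):
            found.append(st.get("Sid", "<no Sid>"))
    return found


def load_policy(text):
    """Parse a policy document string such as the Policy field of get-bucket-policy."""
    return json.loads(text)


if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, public_read_statements(pol))
```

Feed `load_policy` the `Policy` string returned by `aws s3api get-bucket-policy --bucket NAME` to audit a real bucket. The checker only looks at bucket policies; a bucket can also be exposed through a public canned ACL on the bucket or its objects, which this does not inspect. Turning on S3 Block Public Access for the account (`aws s3api put-public-access-block`) stops both routes from being enabled in the first place, which is the control that would have prevented the exposure described here.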
In this case, Kromtech notes that SVR Tracking did at least store the passwords hashed with a cryptographic hash function (SHA-1), albeit one that is 20 years old and has easily exploited weaknesses. And while there have certainly been much larger security breaches in recent months, this one is notable for its high creep factor. SVR advertises that its technology provides “continuous vehicle tracking, every two minutes when moving” and a “four hour heartbeat when stopped.” That means a hacker who had gained access to the login data would be able to track everywhere a customer's car has been in the past 120 days.
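Why a bare SHA-1 digest is not adequate protection for a password store, shown as an added example rather than anything from the article or from SVR Tracking: SHA-1 is fast and, without a per-user salt, deterministic, so one precomputed table answers a question about every record at once. The code below classifies stored verifiers, runs a defender-side audit for accounts on a banned-password list (the check NIST SP 800-63B recommends), and shows the salted, slow PBKDF2 form the same records should use. The account names, passwords and record formats are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")
PBKDF2_PREFIX = "pbkdf2_sha256$"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password: the fast, deterministic scheme the article describes."""
    return hashlib.sha1(password.encode()).hexdigest()


def classify_stored_hash(stored: str) -> str:
    """Label a stored verifier so an audit can count how many records sit on the weak scheme."""
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2"
    if SHA1_HEX.fullmatch(stored):
        return "weak-sha1"
    return "unknown"


def hash_password_pbkdf2(password: str, salt: bytes | None = None,
                         iterations: int = 600_000) -> str:
    """Salted, deliberately slow verifier: random per-user salt plus many PBKDF2 rounds."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def records_on_banned_passwords(records: dict[str, str], banned: list[str]) -> list[str]:
    """Audit: which accounts on the weak scheme use a banned password?

    With unsalted SHA-1 a single table built from the banned list resolves every record in
    one pass. With a per-user salt the same check costs one full slow hash per record, which
    is exactly the property a password store wants; the PBKDF2 records are therefore not
    resolvable here even though one of them uses the same password.
    """
    table = {sha1_hex(p): p for p in banned}
    return sorted(user for user, stored in records.items()
                  if classify_stored_hash(stored) == "weak-sha1" and stored in table)


# Constructed sample records (not SVR Tracking data): two accounts on the old scheme and
# one already migrated. The fixed salt and low iteration count keep the example fast.
SAMPLE_RECORDS = {
    "alice@example.com": sha1_hex("password123"),
    "bob@example.com": sha1_hex("correct horse battery staple"),
    "carol@example.com": hash_password_pbkdf2("password123", salt=b"\x00" * 16,
                                              iterations=1000),
}
BANNED = ["123456", "password", "password123", "qwerty"]

if __name__ == "__main__":
    print(records_on_banned_passwords(SAMPLE_RECORDS, BANNED))
```

The migration path for a store like this is to wrap or replace each SHA-1 verifier with a PBKDF2 (or bcrypt, scrypt or Argon2) record at the user's next successful login, and to count the `weak-sha1` classifications over time until none remain.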
In addition to SVR account information, the exposed data also included documents and images related to vehicle maintenance records, as well as contract details with the roughly 400 dealerships that have business relationships with SVR. Fortunately, SVR secured the data two days after Kromtech notified it, but the company refuses to clarify the scope of the breach to either Kromtech or the press. Kromtech notes that the data exposed could be significantly larger than initial reports indicate:
“The overall number of devices could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking. In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?”
Of course, this new trend of leaving customer data sitting openly on the Amazon cloud runs hand in hand with the abysmal security already inherent in embedded car infotainment and navigation systems, problems we might want to contemplate more seriously before we automate the entire country's transportation and delivery systems.
Filed Under: auto tracking, data breach
Companies: kromtech security center, svr tracking