In yet another case of an accidental data breach, over 540,000 records containing login credentials belonging to vehicle tracking device company SVR Tracking have leaked online due to a misconfigured cloud server, potentially exposing the personal data and vehicle details of drivers and businesses using its service.
SVR (Stolen Vehicle Records) Tracking, a firm that claims to specialize in “vehicle recovery,” allows its customers to track their vehicles in real time by attaching a physical tracking device to the vehicle in a discreet location, so they can monitor and recover it if it is stolen.
According to researchers at Kromtech Security Center, who first discovered the breach, the exposed data included SVR users’ account credentials (email IDs and passwords), vehicle data (such as VIN numbers and licence plates), IMEI numbers of GPS devices, and other data collected about their devices, customers and auto dealerships. The data was exposed via an insecure Amazon Web Services (AWS) S3 cloud storage bucket that had been left publicly accessible.
Notably, the exposed database also contained information on where exactly in the car the tracking unit was hidden. Researchers highlighted that the leaked passwords were protected only by the weak SHA-1 hashing algorithm, which is easy to crack.
According to Kromtech, the total number of devices exposed “could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking.”
“In the age where crime and technology go hand in hand, imagine the potential danger if cybercriminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car? The overall number of devices could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking,” Kromtech researcher Bob Diachenko said in a blog.
The Amazon S3 bucket has been secured after Kromtech reached out to SVR and alerted the company about the breach. However, it remains unclear how long the data was freely exposed, and it is also uncertain whether the publicly accessible data was accessed by hackers.