A hacker broke into ProTrack and iTrack vehicle-tracking GPS services to extort “reward” money and reveal the systems’ vulnerabilities.
A hacker with the username “L&M” has infiltrated two GPS vehicle-tracking services, ProTrack and iTrack, gaining access to more than 27,000 accounts in South Africa, Morocco, India, the Philippines, and other countries. L&M could see customer details such as names, home addresses, phone numbers, usernames, and email addresses. He was able to monitor the locations and movements of vehicles. The most serious discovery was that with certain vehicles the hacker had the power to kill the engine remotely.
L&M explained to tech news site Motherboard that his first step in hacking the systems was to reverse-engineer the ProTrack and iTrack Android apps. Doing so, L&M discovered that all customers were assigned the same default password — 123456. The hacker then took advantage of the apps’ APIs to brute-force millions of usernames. Finally, the hacker logged in using the stolen usernames and default passwords. L&M successfully hacked more than 20,000 ProTrack accounts and more than 7,000 iTrack accounts. For certain accounts, if the vehicle was traveling less than 13 mph, L&M had the option to remotely shut down the engine.
The hacker reports that they did not, in fact, kill anyone’s engine, stating to Motherboard, “My target was the company, not the customers. Customers are at risk because of the company.” L&M said that they contacted both companies for “reward” money, adding that they ultimately got what they wanted.
ProTrack and iTrack, both based in China, sell cloud-based tracking services. While iTrack has not commented on the breach, ProTrack denied it even occurred and issued this statement to Motherboard: “Our system is working very well and change password is normal way for account security like other systems.”
“Technology is amazing and can improve our lives and businesses,” notes Avast security evangelist Luis Corrons. “But as we always say, it is vital to add security to the design of any and every system. This breach is the best example of what should never be done — the same default password for all users and no 2-factor authentication.”