Passwords For 540,000 Car Tracking Devices Leaked Online

Another day, another report of a data breach, though this one is disconcerting.

Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service.

Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another instance of storing sensitive data on a misconfigured cloud server.

The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period.

SVR stands for Stolen Vehicle Records. The SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so customers can monitor and recover them in case their vehicles are stolen.

The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number) and IMEI numbers of GPS devices.

The leaked passwords were stored using SHA-1, a 20-year-old weak cryptographic hash function designed by the U.S. National Security Agency (NSA), so they can be cracked with ease.
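To show what replacing SHA-1 password storage looks like in practice, here is an added example (not code from SVR, Kromtech or the original article) that verifies legacy SHA-1 records and upgrades them to salted PBKDF2-HMAC-SHA256 at the next successful login. It assumes the legacy digests were unsalted, which the article does not specify; the record format, iteration count, function names and sample accounts are all constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def legacy_sha1(password: str) -> str:
    """Legacy scheme: one fast SHA-1 pass with no salt (assumed)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Hardened scheme: per-user random salt plus a slow, iterated KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    return hmac.compare_digest(legacy_sha1(password), stored)


def login(db: dict, user: str, password: str) -> bool:
    """Verify, then upgrade a legacy SHA-1 record once the password is known."""
    stored = db.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = hash_password(password)  # replace the weak digest
    return True


# Constructed sample records: two users who chose the same password.
db = {"alice@example.com": legacy_sha1("Summer2017!"),
      "bob@example.com": legacy_sha1("Summer2017!")}

if __name__ == "__main__":
    # Unsalted digests match, so recovering one password reveals both accounts.
    print(db["alice@example.com"] == db["bob@example.com"])
    print(login(db, "alice@example.com", "Summer2017!"))
    # After login the record is salted and no longer matches bob's.
    print(db["alice@example.com"] != db["bob@example.com"])
```

Upgrade-on-login only protects accounts that sign in again; records that stay in the legacy format after a leak still need a forced password reset.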

The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.

Interestingly, the exposed database also contained information on where exactly in the car the physical tracking unit was hidden.

According to Kromtech, the total number of devices exposed "could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking."

Since SVR's car tracking device monitors a vehicle everywhere for the past 120 days, anyone with access to SVR users' login credentials could both track a vehicle in real time and create a detailed log of every location the vehicle has visited using any internet-connected device like a desktop, laptop, mobile phone or tablet.

Eventually, the attacker could outright steal the vehicle or even rob a home when they know a car's owner is out.

Kromtech responsibly alerted the company of the misconfigured AWS S3 cloud storage bucket, which has since been secured. However, it is unclear whether the publicly accessible data was possibly accessed by hackers or not.