A new data leak made it possible to see the location of more than half a million vehicles with satellite locator in the US
The Kromtech Security Center discovered a few days ago that anyone could access the automotive monitoring platform of ‘SVR Tracking’, which is dedicated to vehicle recovery, and thus see live the location of more than half a million users who decided to hire this service for reasons of “security”.
SVR Tracking offers tracking services to vehicles through a device placed in a “secret location” that is not accessible to the driver. With this, the company provides its customers continuous monitoring 24 hours a day, 365 days a year.
In order for the user to track the location of the registered vehicle, a user number and password (which can not be modified) are provided to access the platform via the web or mobile application for smartphones. Also, this system allows access to the history of locations and routes of the vehicle of the last 120 days.
As of September 18, Kromtech found 540,642 login credentials for the SVR Tracking platform. These credentials were on an unprotected Amazon S3 server, so it was impossible to know how long they had been there. In fact, it was not possible to know who was responsible for keeping them, but was free for anyone to access and use them.
These credentials included not only username and password, since in most cases there was an e-mail, car registration and registered address and up to the vehicle identification number (VIN). Many of these accounts were business customers with several registered vehicles, so it was possible to see in real time the whole operation of a company. Obviously we need not mention the value of this information in the wrong hands.
The warning to SVR Tracking arrived on September 20 and within a few hours the server was already blocked. So far, SVR Tracking has not come out to mention anything regarding this violation, nor a clarification or public notice to its customers.