
Hacker Can Monitor Cars And Kill Their Engines After Breaking Into GPS Tracking Apps (vice.com) 56

Reader eatmorekix writes: A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion, Motherboard has learned. The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.

By reverse engineering ProTrack and iTrack's Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up. At that point, the hacker said he brute-forced 'millions of usernames' via the apps' API. Then, he said he wrote a script to attempt to login using those usernames and the default password. This allowed him to automatically break into thousands of accounts that were using the default password and extract data from them.

This discussion has been archived. No new comments can be posted.

  • by DickBreath ( 207180 ) on Wednesday April 24, 2019 @12:33PM (#58484046) Homepage
    > L&M said he realized that all customers are given a default password of 123456 when they sign up.

    We know that only an idiot would use 12345 as a password, or luggage combination.

    Good thing they used 123456 instead.
    • Idiots! You need at least eight characters to be secure. That's why I use 12345678 as my password. ;)

    • by Tablizer ( 95088 )

      Those who don't watch Spaceballs are doomed to repeat Spaceballs.

      • Those who don't watch Spaceballs are doomed to repeat Spaceballs.

        Those who do watch Spaceballs are just doomed.... or, well... just anything with John Candy in it... (grin)

        • by Tablizer ( 95088 )

          At least we go out laughing.

          • As the Minbari, the Narn and the Vorlon got up to leave, Luke Skywalker stood up, raised his hand, parted his fingers in the shape of a V and said "Live long and prosper!"
  • And you've got yourself a killer app.

  • Default Passwords? (Score:5, Insightful)

    by Archangel Michael ( 180766 ) on Wednesday April 24, 2019 @12:41PM (#58484112) Journal

    Okay, I'm mystified as to why default passwords are even used any more. There should be never any reason to have a generic default password these days. Even when setting up accounts, the very first thing ought to be "Change your Password" and prevent anyone from completing signups without at least setting up a new password.

    Systems found having default passwords should be named and shamed forever.

    • The reason to use default passwords: Because potential user names are easier to guess.

      If you had to try guessing passwords and username combinations, you would have less satisfying chances of success.

      Another reason to use default passwords: Because if you issued each customer a unique password, you would have to keep track of it. (even though you already keep customer records) And some fraction of customers would lose it, or have to call in to find out what their password is. (although however yo
  • by xack ( 5304745 ) on Wednesday April 24, 2019 @12:43PM (#58484124)
    This could cause an incident that kills thousands of people. Security issues like this need to be closed as a measure of international security. Terrorists could use this at any time.
    • Re: (Score:2, Insightful)

      by DickBreath ( 207180 )
      > Terrorists could use this at any time.

      The NSA could use this at any time.

      China could use this at any time.
  • They'll never guess that one!

  • Stuff like this is too stupid to allow in any phase of design.

    Could someone please write some simple instructions on how to secure Internet connected THINGS?

  • by bob4u2c ( 73467 ) on Wednesday April 24, 2019 @12:55PM (#58484234)

    On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.

    Sounds a lot like what Dealerships do for risky car buyers https://www.cbsnews.com/news/car-repossession-device-starter-interrupter-auto-dealer-car-credit-city/ [cbsnews.com]

    I had one on the last new car I bought (in cash), when I got home and noticed it I called the dealership and demanded they remove it. They first tried to assure me it was disabled and wouldn't cause any harm. I responded by saying it will cause less harm if it's sitting on your desk instead of in my car. They finally agreed to remove it, and after 2 attempts with excuses like the mechanic that does that isn't in today, I finally said fine, I'll take it to a shop of my choosing and have them remove it. Then I guess I submit the bill to you? Oddly the guy that removes that stuff suddenly showed up to work 30 minutes later.

    Most of these don't usually shut the engine off, they just prevent the car from being started after you turn the engine off, safer that way. The whole GPS thing is so they can send a tow truck to get back the car if you miss a payment.

    My other car is almost 50 years old and I can draw the ignition and starter circuit for you on the back of a napkin; so good luck sneaking one of those in the mix. I can even point out the exact wires and what they do. If I ever had to hotwire my car I could do it with a few alligator clips in under 30 seconds. But I'm not worried about anyone stealing it, nobody wants to drive a 50 year old stick shift car nowadays, except me.

  • by grumpy-cowboy ( 4342983 ) on Wednesday April 24, 2019 @01:06PM (#58484282)

    Connecting cars to a network is the most stupid idea ever made! Anything connected to a network is hackable. ANYTHING! This is why when I buy a new car, I choose the dumbest version: no "Android/Apple Car", no automated assistance crap (doesn't work in winter here anyway), ...

    • by sinij ( 911942 )
      What is your next new car going to be?
      • Now I have a GMC Sierra (only 3 years old). The most basic version you can think of. Yes I know about OnStar shit. If someone knows how to disable it completely, I'll do it right now!

        I didn't plan to have a new car soon but this is at the top of my "features" list: nothing or near nothing connected to a remote network.

        • by kackle ( 910159 )
          There's got to be an antenna connector somewhere - unscrew its antenna and cover the antenna jack with foil. That should be 99% effective.

          On another note, does anyone know whether manufacturers pay for that cellular service on transceiver units not activated by the vehicle owner? I can't imagine that would be cheap, even in volume.
  • If war ever breaks out among developed countries, funny sh&t is gonna happen. I'm sure all the big military powers store up databases of monkey wrenches to throw into infrastructures. We already know the software that runs society is chock full of holes.

  • ..and THIS is why all motor vehicles should have a hardware switch that totally disables all radio transceivers in the vehicle, preventing outside influence like in this story.
