Hacker Can Monitor Cars And Kill Their Engines After Breaking Into GPS Tracking Apps

Reader eatmorekix writes: A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion, Motherboard has learned. The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines. On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.

By reverse engineering ProTrack and iTrack's Android apps, L&M said he realized that all customers are given a default password of 123456 when they sign up. At that point, the hacker said he brute-forced 'millions of usernames' via the apps' API. Then, he said he wrote a script to attempt to login using those usernames and the default password. This allowed him to automatically break into thousands of accounts that were using the default password and extract data from them.

Re:

[cayenne8]

123456 ???

Hey, that's the combination to my luggage!!!

Re:

[DickBreath]

> The default password fiasco is just the icing on top.

Any default password is icing on top for remote threats.

Password 123456

[DickBreath]

> L&M said he realized that all customers are given a default password of 123456 when they sign up.

We know that only an idiot would use 12345 as a password, or luggage combination.

Good thing they used 123456 instead.

Re:

[Gravis Zero]

idiots! You need at least eight characters to be secure. That's why I use 12345678 as my password. ;)

Re:

[Tablizer]

Those who don't watch Spaceballs are doomed to repeat Spaceballs.

Re:

[David_Hart]

Those who don't watch Spaceballs are doomed to repeat Spaceballs.

Those who do watch Spaceballs are just doomed.... or, well... just anything with John Candy in it... (grin)

Re:

[Tablizer]

At least we go out laughing.

Re:

[DickBreath]

As the Minbari, the Narn and the Vorlon got up to leave, Luke Skywalker stood up, raised his hand, parted his fingers in the shape of a V and said "Live long and prosper!"

Make it work on police cars.

[WolfgangVL]

And you've got yourself a killer app.

Re:

[Joe_Dragon]

What about ARMY ones

Re: Make it work on police cars.

[Zero__Kelvin]

You mean of course an app that can stop killers.

Default Passwords?

[Archangel Michael]

Okay, I'm mystified as to why default passwords are even used any more. There should be never any reason to have a generic default password these days. Even when setting up accounts, the very first thing ought to be "Change your Password" and prevent anyone from completing signups without at least setting up a new password.

Systems found having default passwords should be named and shamed forever.

Re:

[DickBreath]

The reason to use default passwords: Because potential user names are easier to guess.

If you had to try guessing passwords and username combinations, you would have less satisfying chances of success.

Another reason to use default passwords: Because if you issued each customer a unique password, you would have to keep track of it. (even though you already keep customer records) And some fraction of customers would lose it, or have to call in to find out what their password is. (although however yo

Re:

[Archangel Michael]

Here you're seemingly advocating for cost savings over real security

cost saving at the expense of any real security.

Here you are advocating for better security

Until companies bear legal liability for bad security

This, in a nutshell, is the problem. You seemingly want it both ways.

The ability to cause mass crashes

[xack]

This could cause an incident that kills thousands of people. Security issues like this need to be closed as a measure of international security. Terrorists could use this at any time.

Re:

[DickBreath]

> Terrorists could use this at any time.

The NSA could use this at any time.

China could use this at any time.

Re:

[DickBreath]

> dealer that had a "buy here, pay here" model,

If they dealer killed their engine, they how are they supposed to get to the dealership to make a payment?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sinij]

They don't really want them to make all payments, as they make more money that way.

Here is how it works - they sell a cheap used car purchased at the auction at a huge markup to subprime buyers. These buyers make few payment then default on the loan. The car is repossessed, exorbitant penalty and repossession fees applied, and then the car goes back to the auction, often to be picked up back by the same dealer. The outstanding amount that now includes all fees, extras and delta between sale and action pric

Ha my password is 654321

[WillAffleckUW]

They'll never guess that one!

Re:

[kackle]

You IDIOT! You just told us what it is!

Re:

[WillAffleckUW]

Oh.

Hacker? or any script kiddy or goverment agency

[bobstreo]

Stuff like this is to stupid to allow in any phase of design.

Could someone please write some simple instructions on how to secure Internet connected THINGS?

Sounds like Dealerships.

[bob4u2c]

On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices.

Sounds a lot like what Dealerships do for risky car buyers https://www.cbsnews.com/news/car-repossession-device-starter-interrupter-auto-dealer-car-credit-city/ [cbsnews.com]

I had one on the last new car I bought (in cash), when I got home and noticed it I called the dealership and demanded they remove it. They first tried to assure me it was disabled and wouldn't cause any harm. I responded by saying it will cause less harm if its sitting on your desk instead of in my car. They finally agreed to remove it, and after 2 attempts with excuses like the mechanic that does that isn't in today, I finally said fine, I'll take it to a shop of my choosing and have them remove it. Then I guess I submit the bill to you? Oddly the guy that removes that stuff suddenly showed up to work 30 minutes later.

Most of these don't usually shut the engine off, they just prevent the car from being started after you turn the engine off, safer that way. The whole GPS thing is so they can send a tow truck to get back the car if you miss a payment.

My other car is almost 50 years old and I can draw the ignition and starter circuit for you on the back of a napkin; so good luck sneaking one of those in the mix. I can even point out the exact wires and what they do. If I ever had to hotwire my car I could do it with a few alligator clips in under 30seconds. But I'm not worried about anyone stealing it, nobody wants to drive a 50 year old stick shift car now a days, except me.

Re:

[CohibaVancouver]

I am trying to imagine any car from 1969 with four on the floor that wouldn't be an awesome car to drive.

The independent rear suspension on my 1970 Datsun 510 (four on the floor) made it fun to drive, but its 1.6 liter engine delivering a whopping 96 horsepower meant it wasn't exactly "awesome."

Ditto my buddy's 1967 VW Bug. (Come to think of it, his bug might only have had a three-speed transmission).

Re:

[bob4u2c]

The 510 did have a 1.8L and 2.0L option, hard to find these days, but there are tons of different engines you can swap out in the Datsun, 2.2L or 2.4L for under a grand. That will bump up the ponies to 120-140, or 200+ ponies for 2.4L variant. That would make it "awesome" to drive. They also made a stock 5 speed at one point.

Three-speed transaxles for VW's were the semi-automatic kind introduced in 1971, they sucked, stay away at all costs. Stock transaxles on VDubs were four on the floor for pretty m

Re:

[CohibaVancouver]

The 510 did have a 1.8L and 2.0L option

Not as factory / dealer options. The car shipped in North America with the 1.6L.

Swapping in the 1.8, and, to a lesser degree, the 2.0, was a common modification, but you couldn't buy them from the dealer with a 1.8 or 2.0.

IoT cars

[grumpy-cowboy]

Connecting cars to a network is the most stupid idea ever made! Anything connected to a network is hackable. ANYTHING! This is why when I buy a new car, I choose the dumbest version: no "Android/Apple Car", no automated assistance crap (doesn't work in winter here anyway), ...

Re:

[sinij]

What is your next new car going to be?

Re:

[grumpy-cowboy]

Now I have a GMC Sierra (only 3 years old). The most basic version you can think off. Yes I know about OnStar shit. If someone knows how to disable it completely, I'll do it right now!

I didn't plan to have a new car soon but this is at the top of my "features" list: nothing or near nothing connected to a remote network.

Re:

[kackle]

There's got to be an antenna connector somewhere - unscrew its antenna and cover the antenna jack with foil. That should be 99% effective.

On another note, does anyone know whether manufacturers pay for that cellular service on transceiver units not activated by the vehicle owner? I can't imagine that would be cheap, even in volume.

Small preview

[Tablizer]

If war ever breaks out among developed countries, funny sh&t is gonna happen. I'm sure all the big military powers store up databases of monkey wrenches to throw into infrastructures. We already know the software that runs society is chalk full of holes.

Ability to turn off transceivers

[Rick Schumann]

..and THIS is why all motor vehicles should have a hardware switch that totally disables all radio transceivers in the vehicle, preventing outside influence like in this story.