A security flaw in GPS tracking applications allowed remote hackers to hijack the car and kill the engine. According to Motherboard, a hacker named L&M allegedly broke into thousands of accounts belonging to users of GPS tracker apps iTrack and ProTrack. The hacker claimed that he’s able to track vehicles in several countries, including South Africa, Morocco, India, and the Philippines.
The flaw gave the hacker access to monitor the locations of tens of thousands of vehicles and even turn off the engines while they were in motion. The hacker stated that he compromised more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts which were used to monitor and manage navigations of the vehicles through GPS tracking devices. The compromised information included, name, the model of the GPS tracking devices, IMEI numbers, usernames, real names, phone numbers, email addresses, and physical addresses.
Protrack is a web-based GPS tracking software which provides live tracking service to the vehicle owners. And, iTrack is a mobile application that provides GPS Tracking Security Systems, GPS Security System India, vehicle tracking system, vehicle protection, and fleet management system.
A couple of months back, an unsecured Elasticsearch database exposed the real-time location data for over 11,000 Indian buses online over three weeks. ElasticSearch, an enterprise search engine, provides technology solutions for powering search functions. According to Justin Paine, the security researcher who discovered the breach, the unprotected server was left visible online without a password exposing real-time GPS and bus route information from 27 Indian transportation agencies via an ElasticSearch server.
The server exposed the data of 26 road transport agencies including Kochi Metro Rail Limited. The exposed information included the details like bus license plates, start-stop stations, route names, GPS coordinates, and details of commuters like usernames and emails.
Paine said he discovered the server using search engines for connected devices on December 5, 2018, and after reaching the Indian Computer Emergency Response (ICERT) team the server was secured on December 22, 2018.