Auto Tracking Company Leaks Hundreds of Thousands of Records Online
Have you ever heard of the term SVR? “SVR” stands for “stolen vehicle records.” The MacKeeper Security Center discovered a repository connected to the vehicle recovery device and monitoring company SVR Tracking, and that is what this article covers.
In 2017, researchers found an Amazon AWS S3 bucket (public cloud-based storage) that was misconfigured and left publicly available. The breach exposed information on the company's customers and reseller network, along with the devices attached to the cars.
The repository mentioned above held over half a million records with logins and passwords, emails, IMEIs of GPS devices, VINs (vehicle identification numbers), and other information collected on their devices, like customers or auto dealerships. Curiously, the exposed database also recorded precisely where in the car the tracking unit was hidden.
What was discovered?
A backup folder called “accounts” held records of 540,642 ID numbers and account information, including many plates and VINs, hashed passwords, IMEI numbers, emails, and more.
- 71,996 (02/2016)
- 64,948 (01/2016)
- 58,334 (12/2015)
- 53,297 (11/2016)
- 51,939 (10/2016)
- 41,018 (9/2016)
- 35,608 (8/2016)
- 31,960 (7/2016)
- 31,054 (6/2016)
- 29,144 (5/2016)
- 38,960 (4/2016)
- 32,384 (3/2016)
- 116 GB of Hourly Backups
- 8.5 GB of Daily Backups from 2017
- 339 documents called “logs” that contained data from a wider date range of 2015-2017: UpdateAllVehicleImages, SynchVehicleStatus, and maintenance records.
- A document with information on the 427 dealerships that use their tracking information.
The number of devices could be much higher because many of the resellers or clients had multiple devices for tracking.
If you feel at risk, learn how to act after a data breach has occurred.
Detailed Tracking 24hrs a Day, Even if The Car Is Not Stolen or Missing
This software tracks wherever the vehicle has been during the last 120 days. What is even more terrifying is that all of the visited places are marked and pinpointed on the map. In addition, there is a feature that shows anyone with login credentials the best locations and stops where the car has been. The so-called “recovery mode” pinpoints the vehicle every 2 minutes and creates zone notifications. A 99% successful recovery rate is a great result, but what happens when user logins and passwords for hundreds of unsuspecting drivers are leaked online?
According to their website “The SVR Tracking service enables lot owners to locate and recover their vehicles with live, real-time tracking and provides stop verification, enabling them to determine potential locations for their vehicles. Alerts will flag owners, making them aware of events of interest. The application dashboard provides real-time graphs and detailed vehicle data suited to tighter control and accurate measurements of vehicle activity.”
The software can be accessed from any internet-connected device (desktop, laptop, mobile, or tablet). The satellite locates the tracking unit and sends the data to its servers using the GPRS Data Network. Think of the potential danger if cybercriminals could find out a car’s location just by logging in with the publicly available credentials, and then steal that vehicle.
Shortly after the responsible disclosure notice was sent, the bucket was secured; however, there has been no word from the company.
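As an added example (not from the original article or from SVR Tracking), the sketch below shows how a defender could check a bucket for the kind of public S3 exposure described here, using constructed data shaped like the responses of boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`. The bucket name and sample values are made up, and the policy check is a simplification that flags only unconditional `Allow` statements for a wildcard principal.

```python
import json

# Grantee group URIs that S3 treats as "everyone" / "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard(principal):
    """True when a policy Principal matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_findings(acl, policy_json, pab):
    """Return the reasons a bucket is publicly reachable (empty list if none)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants on the bucket.
    if not cfg.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            uri = grant["Grantee"].get("URI")
            if uri in PUBLIC_GROUPS:
                group = uri.rsplit("/", 1)[1]
                findings.append("ACL grants %s to %s" % (grant["Permission"], group))
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not cfg.get("RestrictPublicBuckets", False):
        stmts = json.loads(policy_json).get("Statement", [])
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
            # Simplification: a Condition may narrow access, so it is not flagged.
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _is_wildcard(stmt.get("Principal"))):
                findings.append("policy allows %s to anyone" % stmt.get("Action"))
    return findings

# Constructed sample: a backup bucket that anyone can list and read.
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-backups/*"}]})
LOCKED = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
```

Account-level public access block settings are not modelled here; in a live audit they would be read separately and combined with the bucket-level configuration.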
In 2012 there were an estimated 721,053 automobiles stolen in the United States.