Over Half a Million Vehicle Records from SVR Tracking Leaked Online – Thanks to Amazon Web Services Bucket.
SVR Tracking, a renowned vehicle tracker devices manufacturer, has become the latest victim of data exposure. According to Kromtech Security Centre’s research, login data of more than half a million records of SVR Tracking was leaked online making the personal and vehicle-related information of organizations using the devices and drivers potentially vulnerable.
According to Bob Diachenko from Kromtech: “The overall number of devices could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking. In the age where crime and technology go hand in hand, imagine the potential danger if cybercriminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?”
The data was available in publicly accessible Amazon Web Services S3 bucket where nearly 540,642 SVR accounts’ information is present. The data included email addresses, passwords, license plates and VIN/vehicle identification numbers.
Leaked data screenshot (Credit: Kromtech)
Kromtech claims that although the available data is of roughly half a million vehicles, there are cases where multiple vehicles are linked with a single record. Currently, the duration for which data remained exposed is not confirmed, but SVR Tracking immediately resolved the issue as soon as it was notified.
SVR’s data leak has also exposed 339 logs, containing a large number of vehicle records such as maintenance records, GPS service data, vehicle pictures and some important documents detailing contract information with 427 car dealerships, which use services of SVR Tracking. The data was stored in a backup folder titled “accounts,” and this folder contained the 540,642 records.
SVR screenshot
The issue is related to a misconfigured AWS S3 bucket. Reportedly, the bucket was not configured appropriately, which is why it was publicly accessible for a certain, unidentified timespan. This was when the data breach occurred. The cache was firstly discovered on 18th September while the AWS bucket was closed when Kromtech informed SVR on 20th September.
SVR Tracking is known for providing expert, reliable Vehicle Recovery solutions through 24/7 surveillance devices installed in automobiles. The basic objective of these devices is to prevent the vehicle from being stolen or towed.
To ensure 24/7 monitoring, the device has to provide live updates of the location of the vehicle, which is a continuous process that is conducted at every two minutes interval when the vehicle is mobile and after every four hours when it is immobile. Vehicle owners can access data of the past 120 days. It must be noted that the device is installed at a secret location inside the vehicle; therefore, any unauthorized individual cannot notice it.
As we mentioned that the vehicle owner can access location of the car in the past 120 days but it relies upon having access to accurate login credentials for the SVR app. The app is compatible with desktops, laptops and all mobile devices. The SVR passwords are hashed with other random data but the problem is that the protection level, which is SHA-1, is quite weak. This means it is very easy for a hacker to crack SVR passwords.
Kromtech researchers have been quite active these days. Previously, the security firm discovered database of 3 million WWE fans. In last one week, Kromtech discovered two high-profile databases publicly available databases including Alaska voters and Viacom database.
[Kromtech]
