Similar to the Viacom leaked that happened earlier this week, Kromtech Security Center discovered a misconfigured Amazon Web Server (AWS) S3 cloud storage that was left accessible to the public. The AWS contained a cached that belonged to SVR, Stolen Vehicle Records. The SVR Tracking service provided its costumers a way to “track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location.” The leaked cache contained around 540,000 SVR accounts that included email addresses, passwords, and vehicle data.
The leaked data also contained information exact information of which the physical tracking unit was located.
“Since the leaked passwords were stored using SHA-1, a 20-years-old weak cryptographic hash function that was designed by the US National Security Agency (NSA), which can be cracked with ease.”
Due to the monitoring of the SVR’s car tracking device, anyone that had access to SVR users’ login credentials would be able to track a vehicle as well as create a detailed log of locations that the vehicle has visited. With the given habits of people, the attacked could’ve stole the vehicle or intrude on someone’s home when they were away.
Since Kromtech has alerted the company, the AWS S3 cloud storage bucket has been secured.
Article: http://thehackernews.com/2017/09/hacker-track-car.html
Fred Zajac says
Rich,
A data hack exposing social engineering type information…
It would be a great thing to know if an “Influencer” (Someone who is admired by several people) was going to be somewhere and when. This could lead to a crazy stalker, potential blackmail information, or disastrous terror attacks on high profile people who use the SVR service.
Here is what we should have learned… AWS is easy to use (configure) and cost effective solution, but… the ease of use and number of users makes it a prime target for criminals. The platform’s vulnerabilities are known and searched for by criminals. Many times the data they find is not very valuable, but they may get lucky when a small company stores more valuable data on a server, poorly configured by a friend, relative, or inexperienced IT person.
Younes Khantouri says
Richard,
Thank you for such article. This type of information leakage is worst that losing some other sensitive information such as Full names and addresses, I am saying this because the attackers who were able to get this important information that is including logs of all these vehicles stops would be able to know the daily activities and stops of more Than 540,000 people who use this service. This is very dangerous since they can be able to determine where these people go physically everyday. I feel these people can be under the risk to be attacked physically by thieves.
In the other hand, technically, the locations of these 450,000 vehicles which are registered under these accounts can be defined and stolen easily with the ability to delete all these logs as well as deactivating the tracking devices.