A hacker going by the name L&M says he has hacked into more than thousands of accounts belonging to users of GPS tracking apps, giving him the ability to monitor tens of thousands of vehicles - and even turn off the engines for some of them, while they're in motion, according to Motherboard.
He has admitted to hacking into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. He has tracked vehicles worldwide, even in countries like South Africa, Morocco, India, and the Philippines. The software on some cars can be used to turn off the engines of vehicles moving at 12 miles per hour or less.
L&M reverse engineered the ProTrack and iTrack Android apps to find out that all customers are given a default password of 123456 when they sign up. After finding "millions of usernames" the hacker then blasted them all with the default password. He wound up getting access to thousands of accounts as a result.
According to a sample of user data L&M shared, he has scraped information from ProTrack and iTrack customers, including: name and model of the GPS tracking devices they use, the devices’ unique ID numbers, usernames, real names, phone numbers, email addresses, and physical addresses. Four users included in the sample L&M shared confirmed the breach.
The hacker said: “My target was the company, not the customers. Customers are at risk because of the company. They need to make money, and don't want to secure their customers.”
He continued: “I can absolutely make a big traffic problem all over the world. I have fully [sic] control hundred of thousands of vehicles, and by one touch, I can stop these vehicles engines.”
The apps have a feature to “stop engine,” according to a screenshot provided by the hacker - although he says he never has killed a car's engine because it would "be too dangerous". A representative for the makers of one of the hardware GPS tracking devices used by some of the users of ProTrack GPS and iTrack, confirmed that customers can turn off the engines remotely if the vehicles are going under 12 miles per hour.
Rahim Luqmaan, the owner of Probotik Systems, a South African company that uses ProTrack, said about the feature: “That makes it more dangerous. He can actually mess around with [...] our clients and customers.”
ProTrack denied the data breach in an oddly worded email response to media inquiries: “Our system is working very well and change password is normal way for account security like other systems, any problem? What’s more, why you contact our customers for this thing which make them to receive this kind of boring mail. Why hacker contact you?”
That should instill their clients with confidence.
Meanwhile, L&M seems to have successfully held both companies for ransom. When he asked ProTrack for a "reward", they responded: “If we pay you, you will give us the tool and will not hack our account again? How can we make sure about this? Sorry for too many questions, this is the first time we meet this disaster.”
The hacker said he "got what he wanted" from the company.
L&M concluded: “They warned after my attack [sic], and that was a success for me. To force them take care about security. They know now that their customers at risk, So they focused on how to secure their service, a little bit.”