540,000 Car Tracking Devices – Leak Discovery Etiquette – #ActiveLeak

Passwords For 540,000 Car Tracking Devices Leaked Online by Swati Khandelwal.

From the post:

Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service.

Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server.

SVR stands for Stolen Vehicle Records; the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen.

The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, like VIN (vehicle identification number) and IMEI numbers of GPS devices.

The leaked passwords were stored using SHA-1, a 20-year-old weak cryptographic hash function designed by the US National Security Agency (NSA), which can be cracked with ease.

Interestingly, the exposed database also contained information where exactly in the car the physical tracking unit was hidden.

It’s not known if anyone else uncovered this data, but as usual, there’s no penalty for misconfiguring your Amazon Web Services (AWS) S3 cloud storage bucket.

You will suffer a few minutes, perhaps hours, of shame before another data leak takes your place on the wall of shame, but it won’t be long.

But only after some enterprising security firm has discovered your error and the leak has been fixed. Translation: No adverse consequences for poor security practices. None.

When (not if) you find a misconfigured Amazon Web Services (AWS) S3 cloud storage bucket, post it with #ActiveLeak to Twitter. That makes it a race between the owner and hackers for the data.

You will still get credit for discovering the leak and the owner will learn a valuable lesson. The owner’s lesson will be reinforced by whatever other consequences flow from the data leak.
