GPS Vehicle Trackers Leak Consumer Data Online

Another day, another data breach. This time, Kromtech Security Center announced that information on more than half a million vehicle tracking devices and their users has been leaked online in a cyberattack.

According to a Forbes news report, the more than 540,000 exposed records included device information like the tracker’s International Mobile Equipment Identity (IMEI), a unique number that gets assigned to devices with cellular connectivity, as well as the username/password hash combinations and email addresses associated with each tracker.

Vehicle information was also exposed, including license plate numbers, VINs and where the tracking device was physically installed. The device monitors everywhere the car has been as far back as 120 days. It can even pinpoint on a map all of the places a driver has visited, and can show anyone with login credentials the vehicle’s top stops or locations.

The data was taken from SVR Tracking, a vehicle recovery device and monitoring company whose trackers are installed by more than 400 automotive dealerships. Data about the dealers was also leaked.

Security researchers said the leak was due to a misconfigured Amazon Web Services (AWS) S3 bucket that was not properly secured. And this isn’t the first time this has happened: just a few months ago, it was discovered that multiple gigabytes of Verizon customer data were publicly accessible.

Once SVR was informed of the leak, the bucket was secured. To avoid the problem in the future, Amazon has recently started scanning its S3 cloud storage service for “buckets” that may have been accidentally exposed due to improper configuration.