A hacker broke into two GPS tracking applications, allowing him to monitor the location of tens of thousands of cars and even shut down the engines of some of them. The hacker, L&M, compromised more than 7,000 iTrack accounts and over 20,000 ProTrack accounts; both services are used to monitor and manage vehicle fleets through GPS tracking devices. The hacker can track vehicles in a few countries such as South Africa, Morocco, India, and the Philippines.
Some GPS tracking equipment manufacturers configure their devices so that the engine can be turned off remotely if the vehicle is parked or traveling at less than 12 miles per hour, so after taking over an account the hacker can shut down the car's engine. L&M said that, by reverse engineering the ProTrack and iTrack Android apps, he found that all customers are given the default password 123456 when they sign up.
He then used the app’s API to extract millions of usernames and ran custom scripts to log in with these usernames and the default password. This allowed him to take control of tens of thousands of accounts that still used the default password and extract the relevant information.
According to the user data sample submitted by L&M to Motherboard, the hacker collected a large amount of information from ProTrack and iTrack customers, including the name and model of the GPS tracking device they used, the unique ID number of the device (technically called the IMEI number), username, real name, phone number, email address, and physical address.
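The scripted logins described above, one known password tried across a long list of usernames, leave a recognizable shape in authentication logs. The following is an added detection example, not code from the article or from either vendor; the event format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, success).
# IPs are from documentation ranges; usernames are made up.
SAMPLE_EVENTS = [
    ("203.0.113.7", "fleet001", False),
    ("203.0.113.7", "fleet002", True),
    ("203.0.113.7", "fleet003", False),
    ("203.0.113.7", "fleet004", True),
    ("203.0.113.7", "fleet005", True),
    # One user mistyping their own password: many tries, one account.
    ("198.51.100.20", "alice", False),
    ("198.51.100.20", "alice", False),
    ("198.51.100.20", "alice", False),
    ("198.51.100.20", "alice", True),
    # Ordinary single login.
    ("192.0.2.5", "bob", True),
]

def find_spray_sources(events, min_accounts=3, max_tries_per_account=2):
    """Flag sources that try many distinct accounts with only a few attempts each.

    That "wide and shallow" shape is what one known password tested against a
    list of usernames looks like; brute force on one account is narrow and deep.
    Thresholds are illustrative assumptions, not values from the article.
    """
    tries = defaultdict(lambda: defaultdict(int))   # source -> username -> attempts
    hits = defaultdict(set)                         # source -> usernames logged in
    for source, username, success in events:
        tries[source][username] += 1
        if success:
            hits[source].add(username)

    flagged = {}
    for source, per_user in tries.items():
        wide = len(per_user) >= min_accounts
        shallow = max(per_user.values()) <= max_tries_per_account
        if wide and shallow:
            flagged[source] = {
                "accounts_tried": len(per_user),
                "accounts_logged_in": sorted(hits[source]),
            }
    return flagged

if __name__ == "__main__":
    for source, info in find_spray_sources(SAMPLE_EVENTS).items():
        print(source, info)
```

The `accounts_logged_in` list for a flagged source is the set of accounts to lock and force a password reset on.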