My target was the company, not the customers

Raymond W. Burroughs

A recent hack of two GPS tracker apps (iTrack and ProTrack) yet again demonstrates not only the necessity for user awareness and proper cyber hygiene, but also the need for software and hardware providers to increase their security spend.

According to a report by motherboard.vice.com, a hacker going by the name “L&M” was able to gain access to thousands of user accounts of the GPS tracker apps, allowing him to access tremendous amounts of PII, to monitor the location of tens of thousands of vehicles, and perhaps most alarmingly, to turn the engines of some vehicles OFF while they were in use.

L&M reportedly reverse engineered the Android apps iTrack and ProTrack and discovered that every account is created with the same default password, “123456”.  Unsurprisingly, thousands of users never take the simple step of changing it.  Armed with that one password, the hacker wrote a script that tried it against large numbers of accounts (the report calls this a brute-force attack; with a single known password it is more precisely a password spray across usernames) and gained access to every account that was (and is) still using the default.
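The following Python is an added example, not code from the article or from SEEWORLD or iTryBrand. It contrasts the provisioning pattern described above (every account starts with the shared default “123456” and nothing forces a change) with a hardened version (a random per-account initial secret that must be rotated on first login), and adds a small detector for the trace that a default-password sweep leaves in an authentication log: one source attempting many distinct usernames. The usernames, IP addresses, log lines and policy constants are all constructed for illustration.

```python
"""Added example, not code from the article or from SEEWORLD / iTryBrand.

Contrasts weak account provisioning (shared default password, no forced change)
with a hardened policy (random per-account initial secret, mandatory rotation on
first login), and flags sources that attempt logins across many usernames.
Usernames, IPs, log lines and policy constants are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

SHARED_DEFAULT = "123456"   # the vendor-wide default named in the article
MIN_PASSWORD_LEN = 12       # hypothetical policy value
PBKDF2_ROUNDS = 50_000      # illustrative; tune for your hardware


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library (argon2/bcrypt preferred in production).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Minimal server-side account table; `hardened` selects the provisioning policy."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}  # username -> {"salt", "hash", "must_change"}

    def provision(self, username: str) -> str:
        """Create an account and return the initial password handed to the customer."""
        if self.hardened:
            initial = secrets.token_urlsafe(12)  # unique per account, unguessable
            must_change = True                   # platform unusable until rotated
        else:
            initial = SHARED_DEFAULT             # weak: same secret for every customer
            must_change = False                  # weak: nothing forces a change
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": _hash(initial, salt),
                                   "must_change": must_change}
        return initial

    def login(self, username: str, password: str) -> str:
        """Return "ok", "must_change" (credential valid, rotation required) or "denied"."""
        acct = self.accounts.get(username)
        if acct is None:
            _hash(password, bytes(16))  # equalise timing so absent users are not revealed
            return "denied"
        if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            return "denied"
        return "must_change" if acct["must_change"] else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Rotate the credential; rejects short passwords and the shared default."""
        if self.login(username, old) == "denied":
            return False
        if len(new) < MIN_PASSWORD_LEN or new == SHARED_DEFAULT:
            return False
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": _hash(new, salt),
                                   "must_change": False}
        return True


# Constructed authentication log, format: "<ts> src=<ip> user=<name> result=<ok|fail>".
SAMPLE_AUTH_LOG = [
    "2019-04-23T10:00:01Z src=203.0.113.7 user=dev-1001 result=ok",
    "2019-04-23T10:00:02Z src=203.0.113.7 user=dev-1002 result=fail",
    "2019-04-23T10:00:02Z src=203.0.113.7 user=dev-1003 result=ok",
    "2019-04-23T10:00:03Z src=203.0.113.7 user=dev-1004 result=fail",
    "2019-04-23T10:00:03Z src=203.0.113.7 user=dev-1005 result=ok",
    "2019-04-23T10:00:04Z src=203.0.113.7 user=dev-1006 result=fail",
    "2019-04-23T10:05:10Z src=198.51.100.2 user=dev-1001 result=fail",
    "2019-04-23T10:05:15Z src=198.51.100.2 user=dev-1001 result=ok",
]


def spray_sources(log_lines, threshold: int = 5):
    """Return source IPs that attempted logins for at least `threshold` distinct usernames.

    A legitimate user retries one account; a default-password sweep touches many
    accounts from one source, often with an unusually high success ratio.
    """
    users_by_src = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        users_by_src[fields["src"]].add(fields["user"])
    return sorted(src for src, users in users_by_src.items() if len(users) >= threshold)


if __name__ == "__main__":
    weak = AccountStore(hardened=False)
    weak.provision("dev-1001")
    print("weak store, default password:", weak.login("dev-1001", SHARED_DEFAULT))
    hard = AccountStore(hardened=True)
    initial = hard.provision("dev-1001")
    print("hardened store, default password:", hard.login("dev-1001", SHARED_DEFAULT))
    print("hardened store, issued password:", hard.login("dev-1001", initial))
    print("spraying sources:", spray_sources(SAMPLE_AUTH_LOG))
```

The weak store accepts “123456” for every account it provisions, which is exactly the condition the script described above exploits; the hardened store never shares a secret between accounts and refuses to serve the application until the issued secret is rotated. The detector works on the server's own auth log and does not need to know which password was tried, only that a single source is walking through usernames.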

iTrack (made by SEEWORLD) and ProTrack (made by iTryBrand Technology) are both based in China.  SEEWORLD and iTryBrand sell hardware tracking devices, together with the cloud platforms needed to manage them, both directly to end users and to companies that resell the hardware and services to their own customers. L&M was able to access the accounts of both end users and distributors.