Security researchers have discovered a cache of data left publicly available that could have allowed criminals to track the locations of more than half a million vehicles in the US.
Researchers at Kromtech, makers of the MacKeeper security software, said they came across an Amazon S3 storage repository on 20 September containing login credentials and other details for 540,642 accounts for customers of a vehicle tracking service called SVR (Stolen Vehicle Records) Tracking.
The actual number of vehicles exposed by the incident may have been far more than half a million, since many of the accounts, which were used by SVR’s resellers and clients, include large numbers of tracking devices, Kromtech said.
The data, which was visible to anyone who typed in the URL and wasn’t protected by a password, also included other account details, such as licence plate and vehicle identification numbers (VIN), email addresses and IMEI numbers.
The tracking devices installed by SVR indicate the vehicle’s location around the clock, even if the vehicle hasn’t been reported as missing or stolen, according to the company.
Anyone with access to the vehicle tracking account has access to features including displaying the movements of the vehicle over the past 120 days and pinpointing all the places it has visited on a map.
The software can be accessed via any internet-connected device, including desktops, laptops, mobile phones and tablets.
The tracking units, which are hidden to prevent their removal, collect GPS data and transmit it to SVR’s servers via a GPRS data network. The data exposed also included indications of where the units were hidden, Kromtech said.
The firm said SVR secured the repository shortly after being notified.
SVR confirmed it had been notified of the problem and said it fixed the issue within three hours.
“SVR’s investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers,” the company stated.
SVR said it was notified of the issue by Kromtech on 20 September, the same day that the researchers said they uncovered a cache of internal Verizon data that had likewise been stored on a publicly accessible Amazon S3 bucket.
The 100 MB of data didn’t include information directly bearing on Verizon customers, but included usernames and passwords allowing access to Verizon’s internal network and infrastructure.
The data, which Kromtech determined had been stored insecurely by a Verizon engineer, related to an internal Verizon middleware system used to retrieve and update billing data.
By default Amazon S3 buckets can be read only by the creator of the account, but can be configured to be read by anyone. The feature has led to a number of inadvertent data exposures in recent months, including a cache of CVs belonging to US ex-military personnel and 198 million voter records held by the Republican National Congress (RNC).
Last month Amazon announced a machine learning-based tool called Macie aimed at spotting such security lapses.
The tool only identifies problems once users have deployed it, and as such it doesn’t automatically mean an end to issues such as those spotted by Kromtech.
How well do you know the cloud? Try our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…