Verizon & 500,000 Vehicle Tracking Accounts Exposed On Misconfigured AWS S3

Security researchers have discovered a cache of data left publicly available that could have allowed criminals to track the locations of more than half a million vehicles in the US.

Researchers at Kromtech, makers of the MacKeeper security software, said they came across an Amazon S3 storage repository on 20 September containing login credentials and other details for 540,642 accounts for customers of a vehicle tracking service called SVR (Stolen Vehicle Records) Tracking.

Vehicle tracking

The actual number of vehicles exposed by the incident may have been far more than half a million, since many of the accounts, which were used by SVR’s resellers and clients, include large numbers of tracking devices, Kromtech said.

The data, which was visible to anyone who typed in the URL and wasn’t protected by a password, also included other account details, such as licence plate and vehicle identification numbers (VIN), email addresses and IMEI numbers.

The exposed passwords were stored in hashed form, according to Kromtech. Cryptographic hash functions are commonly used to encode data as a way of keeping it secure, but many such functions have been shown to be easily reversible.

The tracking devices installed by SVR indicate the vehicle’s location around the clock, even if the vehicle hasn’t been reported as missing or stolen, according to the company.

Anyone with access to the vehicle tracking account has access to features including displaying the movements of the vehicle over the past 120 days and pinpointing all the places it has visited on a map.

Hidden units

The software can be accessed via any internet-connected device, including desktops, laptops, mobile phones and tablets.

The tracking units, which are hidden to prevent their removal, collect GPS data and transmit it to SVR’s servers via a GPRS data network. The data exposed also included indications of where the units were hidden, Kromtech said.

The firm said SVR secured the repository shortly after being notified.

SVR confirmed it had been notified of the problem and said it fixed the issue within three hours.

“SVR’s investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers,” the company stated.

Verizon leak

SVR said it was notified of the issue by Kromtech on 20 September, the same day that the researchers said they uncovered a cache of internal Verizon data that had likewise been stored on a publicly accessible Amazon S3 bucket.

The 100 MB of data didn’t include information directly bearing on Verizon customers, but included usernames and passwords allowing access to Verizon’s internal network and infrastructure.

The data also included 129 internal Verizon email messages that included production logs, server architecture description, passwords and login credentials.

The data, which Kromtech determined had been stored insecurely by a Verizon engineer, related to an internal Verizon middleware system used to retrieve and update billing data.

By default Amazon S3 buckets can be read only by the creator of the account, but can be configured to be read by anyone. The feature has led to a number of inadvertent data exposures in recent months, including a cache of CVs belonging to US ex-military personnel and 198 million voter records held by the Republican National Congress (RNC).

Last month Amazon announced a machine learning-based tool called Macie aimed at spotting such security lapses.

The tool only identifies problems once users have deployed it, and as such it doesn’t automatically mean an end to issues such as those spotted by Kromtech.

How well do you know the cloud? Try our quiz!