
Verizon & 500,000 Vehicle Tracking Accounts Exposed On Misconfigured AWS S3

Security researchers have discovered a cache of data left publicly available that could have allowed criminals to track the locations of more than half a million vehicles in the US.

Researchers at Kromtech, makers of the MacKeeper security software, said they came across an Amazon S3 storage repository on 20 September containing login credentials and other details for 540,642 accounts for customers of a vehicle tracking service called SVR (Stolen Vehicle Records) Tracking.

Vehicle tracking

The actual number of vehicles exposed by the incident may have been far more than half a million, since many of the accounts, which were used by SVR’s resellers and clients, include large numbers of tracking devices, Kromtech said.

The data, which was visible to anyone who typed in the URL and wasn’t protected by a password, also included other account details, such as licence plate and vehicle identification numbers (VIN), email addresses and IMEI numbers.

The exposed passwords were stored in hashed form, according to Kromtech. Cryptographic hash functions are commonly used to protect stored passwords, but many such functions have been shown to be weak enough that the original passwords can be recovered easily.

The tracking devices installed by SVR indicate the vehicle’s location around the clock, even if the vehicle hasn’t been reported as missing or stolen, according to the company.

Anyone with access to the vehicle tracking account has access to features including displaying the movements of the vehicle over the past 120 days and pinpointing all the places it has visited on a map.

Hidden units

The software can be accessed via any internet-connected device, including desktops, laptops, mobile phones and tablets.

The tracking units, which are hidden to prevent their removal, collect GPS data and transmit it to SVR’s servers via a GPRS data network. The data exposed also included indications of where the units were hidden, Kromtech said.

The firm said SVR secured the repository shortly after being notified.

SVR confirmed it had been notified of the problem and said it fixed the issue within three hours.

“SVR’s investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers,” the company stated.

Verizon leak

SVR said it was notified of the issue by Kromtech on 20 September, the same day that the researchers said they uncovered a cache of internal Verizon data that had likewise been stored on a publicly accessible Amazon S3 bucket.

The 100 MB of data didn’t include information directly bearing on Verizon customers, but included usernames and passwords allowing access to Verizon’s internal network and infrastructure.

The data also contained 129 internal Verizon email messages that included production logs, server architecture descriptions, passwords and login credentials.

The data, which Kromtech determined had been stored insecurely by a Verizon engineer, related to an internal Verizon middleware system used to retrieve and update billing data.

By default Amazon S3 buckets can be read only by the creator of the account, but can be configured to be read by anyone. The feature has led to a number of inadvertent data exposures in recent months, including a cache of CVs belonging to US ex-military personnel and 198 million voter records held by the Republican National Congress (RNC).

Last month Amazon announced a machine learning-based tool called Macie aimed at spotting such security lapses.

The tool only identifies problems once users have deployed it, and as such it doesn’t automatically mean an end to issues such as those spotted by Kromtech.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
