Vulnerability Management

Researcher hacks fleets and can kill engines via GPS tracking app

A hacker has developed an attack to kill automotive engines by hacking into two GPS fleet manager applications.

A researcher who goes by the name L&M claims to have broken into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, granting him the ability not only to monitor the locations of tens of thousands of vehicles but also to turn off the engines of some vehicles while they are in motion, the researcher told Vice’s Motherboard.

This is because some of the cars using the software include the capability of remotely turning off the engine of a vehicle traveling at 12 miles per hour or slower.

L&M reverse engineered the applications and found that all of the customers were given the default password of 123456 when they signed up. Knowing this, he was able to brute force the “millions of usernames” via the apps’ API.

“My target was the company, not the customers. Customers are at risk because of the company,” L&M told the publication in an online chat. “They need to make money, and don't want to secure their customers.”

L&M said he would never kill any of the vehicles’ engines, as the gesture would be too dangerous. Though he didn’t prove the ability to disable the engine, the apps have a stop engine feature, according to a screenshot of the app provided to Motherboard.
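A defender-side view of the default-password enumeration described above, as an added example that is not from the article or from either vendor: it scans an API login log for a single source trying many distinct usernames in a short window and lists the accounts that source got into, which then need a forced password reset. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log (hypothetical format): time, source IP, username, result.
SAMPLE_LOG = """\
2019-04-25T10:00:01 203.0.113.7 fleet0001 FAIL
2019-04-25T10:00:02 203.0.113.7 fleet0002 OK
2019-04-25T10:00:03 203.0.113.7 fleet0003 FAIL
2019-04-25T10:00:04 203.0.113.7 fleet0004 OK
2019-04-25T10:00:05 203.0.113.7 fleet0005 FAIL
2019-04-25T10:00:06 198.51.100.20 alice FAIL
2019-04-25T10:00:09 198.51.100.20 alice FAIL
2019-04-25T10:00:15 198.51.100.20 alice OK
2019-04-25T10:03:00 192.0.2.44 bob OK
"""

def parse(log):
    """Yield (timestamp, source, username, succeeded) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "OK"

def find_enumeration(log, min_users=5, window=timedelta(minutes=1)):
    """Return {source: sorted accounts it logged into} for every source that
    tried at least min_users distinct usernames inside one sliding window."""
    by_src = defaultdict(list)
    for event in sorted(parse(log)):
        by_src[event[1]].append(event)
    flagged = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans no more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {e[2] for e in events[start:end + 1]}
            if len(users) >= min_users:
                # Every account this source got into needs a forced reset.
                flagged[src] = sorted({e[2] for e in events if e[3]})
                break
    return flagged

if __name__ == "__main__":
    for src, accounts in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: enumeration suspected, reset {accounts}")
```

Counting distinct usernames per source, rather than failures per account, is what catches this pattern: each account sees only one attempt, so a per-account lockout never triggers.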
