Researcher hacks fleets and can kill engines via GPS tracking app

April 29, 2019

A hacker has developed an attack to kill automotive engines by hacking into two GPS fleet manager applications.

A researcher by the name L&M claims to have broken into the accounts of more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts granting him the ability to not only monitor the locations of tens of thousands of vehicles but also turn off the engines of some vehicles while they are in motion, the researcher told Vice’s Motherboard.

This is because on some of the cars using the software include the capability of remotely turning off the engines of a vehicle traveling at 12 miles per hour or slower.

L&M reverse engineered the applications and found that all of the customers were given the default password of 123456 when they signed up, knowing this he was able to brute force the “millions of usernames” via the apps’ API.

“My target was the company, not the customers. Customers are at risk because of the company,” L&M told the publication in an online chat. “They need to make money, and don't want to secure their customers.”

L&M said he would never kill any of the vehicles engines as the gesture would be too dangerous, and though he didn’t prove the ability to disable the engine, the apps have a stop engine feature according to a screenshot of the app provided to Motherboard.

Researcher hacks fleets and can kill engines via GPS tracking app

Related

Armoring the Unified Extensible Firmware Interface (UEFI), from Standards to Open Source – Vincent Zimmer – BTS #6

Post-exploitation attack method exposes Okta passwords

New .NET developer-targeted attack leverages malicious NuGet packages

Related Events

Generative AI: Understanding the AppSec risks and how DAST can mitigate them

Evading exploit emergencies: Tanium’s keys to prevention & detection

Part 2: Endless endpoints, one solution: A new strategy for simplifying endpoint management

Get daily email updates