Researcher hacks fleets and can kill engines via GPS tracking app

News by Robert Abel

Flaw could endanger drivers' lives

A hacker has developed an attack to kill automotive engines by hacking into two GPS fleet manager applications.

A researcher by the name L&M claims to have broken into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, granting him the ability not only to monitor the locations of tens of thousands of vehicles but also to turn off the engines of some vehicles while they are in motion, the researcher told Vice’s Motherboard.

This is because the software, on some of the cars using it, includes the capability of remotely turning off the engine of a vehicle traveling at 12 miles per hour or slower.

L&M reverse engineered the applications and found that all of the customers were given the default password of 123456 when they signed up. Knowing this, he was able to brute-force the "millions of usernames" via the apps’ API.
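Seen from the server side, one source walking many usernames with a single attempt each is detectable in login-API logs. The following is an added example, not code from the article or from either vendor; the log format, the threshold of 20 usernames per five minutes and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed login-API log lines in a hypothetical format (assumption)."""
    t0 = datetime(2019, 4, 24, 10, 0, 0)
    def line(sec, ip, user, result):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} ip={ip} user={user} result={result}"
    lines = []
    # One source walking 30 usernames, a single attempt each, 2 s apart.
    for i in range(30):
        lines.append(line(2 * i, "203.0.113.7", f"fleet{i:04d}", "ok" if i % 10 == 0 else "fail"))
    # One customer mistyping their own password four times.
    for i in range(4):
        lines.append(line(5 * i, "198.51.100.20", "alice", "fail"))
    # Five customers behind one office NAT address.
    for i in range(5):
        lines.append(line(60 * i, "198.51.100.50", f"bob{i}", "ok"))
    return sorted(lines)  # equal-width ISO timestamps sort chronologically

def detect_spraying(lines, window=timedelta(minutes=5), max_users=20):
    """Return {source_ip: [usernames it logged in as]} for sources that tried
    more than max_users distinct usernames inside one sliding window."""
    recent = defaultdict(deque)    # ip -> (timestamp, username) still in window
    successes = defaultdict(set)   # ip -> usernames with a successful login
    flagged = set()
    for entry in lines:
        ts_raw, *fields = entry.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts, ip = datetime.fromisoformat(ts_raw), kv["ip"]
        attempts = recent[ip]
        attempts.append((ts, kv["user"]))
        while attempts[0][0] < ts - window:
            attempts.popleft()
        if len({user for _, user in attempts}) > max_users:
            flagged.add(ip)
        if kv["result"] == "ok":
            successes[ip].add(kv["user"])
    # Accounts a flagged source got into need a forced password reset.
    return {ip: sorted(successes[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, users in detect_spraying(build_sample_log()).items():
        print(f"{ip}: reset {', '.join(users)}")
```

Counting distinct usernames per source, rather than failures per account, is what separates this pattern from a customer retyping a password or several customers sharing one NAT address.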

"My target was the company, not the customers. Customers are at risk because of the company," L&M told the publication in an online chat. "They need to make money, and don’t want to secure their customers."

L&M said he would never kill any of the vehicles' engines, as doing so would be too dangerous. Though he didn’t prove the ability to disable an engine, the apps have a stop-engine feature, according to a screenshot of the app provided to Motherboard.

This article was originally published on SC Media US.
