A hacker going by the name L&M says he has hacked into thousands of accounts belonging to users of GPS tracking apps, giving him the ability to monitor tens of thousands of vehicles – and even turn off the engines of some of them while they’re in motion, according to Motherboard.
He has admitted to hacking into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. He has tracked vehicles worldwide, even in countries like South Africa, Morocco, India, and the Philippines. The software on some cars can be used to turn off the engines of vehicles moving at 12 miles per hour or less.
Screenshot of one hacked account
L&M reverse engineered the ProTrack and iTrack Android apps and found that all customers are given a default password of 123456 when they sign up. After finding “millions of usernames,” the hacker then blasted them all with the default password. He wound up getting access to thousands of accounts as a result.
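For defenders, a burst of logins from one source against many different usernames is the trace this kind of default-password abuse leaves in authentication logs. The sketch below is an added example, not code from the article or from either vendor; the log format, field order and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): timestamp, source IP, username, result
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 fleet001 FAIL
2024-01-01T10:00:02 203.0.113.7 fleet002 FAIL
2024-01-01T10:00:03 203.0.113.7 fleet003 OK
2024-01-01T10:00:04 203.0.113.7 fleet004 FAIL
2024-01-01T10:00:05 203.0.113.7 fleet005 FAIL
2024-01-01T10:00:06 203.0.113.7 fleet006 OK
2024-01-01T10:02:00 198.51.100.20 depot_a FAIL
2024-01-01T10:02:09 198.51.100.20 depot_a OK
"""

def parse(log):
    """Yield (timestamp, source, username, succeeded) for each log line."""
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "OK"

def detect_spray(log, min_users=5, window=timedelta(minutes=10)):
    """Flag sources that tried at least min_users distinct usernames inside
    one sliding window. Returns {source: accounts that logged in from it},
    i.e. the accounts that need a forced password reset."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(log):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user, _ in events[start:end + 1]}
            if len(distinct) >= min_users:
                # One user retrying a password never reaches this branch;
                # many usernames from one source does.
                flagged[src] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: possible spray, successful logins: {accounts}")
```

The successful logins from a flagged source are the accounts most likely to still carry the sign-up default.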
According to a sample of user data L&M shared, he has scraped information from ProTrack and iTrack customers, including: name and model of the GPS tracking devices they use, the devices’ unique ID numbers, usernames, real names, phone numbers, email addresses, and physical addresses. Four users included in the sample L&M shared confirmed the breach.
The hacker said: “My target was the company, not the customers. Customers are at risk because of the company. They need to make money, and don’t want to secure their customers.”
He continued: “I can absolutely make a big traffic problem all over the world. I have fully [sic] control hundred of thousands of vehicles, and by one touch, I can stop these vehicles engines.”
The apps have a feature to “stop engine,” according to a screenshot provided by the hacker – although he says he has never killed a car’s engine because it would “be too dangerous”. A representative for the makers of one of the hardware GPS tracking devices used by some of the users of ProTrack GPS and iTrack confirmed that customers can turn off the engines remotely if the vehicles are going under 12 miles per hour.