Default passwords are a security hazard in general, and when they affect applications used by firms to keep track of vehicles and perform remote actions like starting or shutting off engines, they can even put people’s lives at risk. A hacker using the moniker L&M claims that this applies to iTrack and ProTrack, two popular vehicle tracking applications.
L&M told Motherboard that he reverse-engineered both apps, which led him to discover that they set a default password for new customers, namely 123456. The hacker then wrote a script to test “millions of usernames” against that default password, which enabled him to compromise 7,000 iTrack accounts and 20,000 ProTrack accounts. From there, he was able to track thousands of cars in various countries, including India, Morocco, the Philippines and South Africa. For some of the cars, he could have turned off the engine while they were driving at less than 12 miles an hour.
L&M claims that he never turned off a car engine because his “target was the company, not the customers. Customers are at risk because of the company.” However, he stressed that his access made it possible for him to “make a big traffic problem all over the world,” by shutting off vehicle engines with the press of a button.
The hacker says he contacted the companies for a reward, and got them to focus “on how to secure their service, a little bit.” While iTrack did not respond to Motherboard’s request for comment, ProTrack denied that its application had been breached. However, the firm is urging its users to change their passwords.
Read more: Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps