Itrack and Protrack are commercial devices for tracking fleets of commercial vehicles; they can be configured to allow for remote killswitching of the cars' engines, presumably as a theft-prevention measure.
A hacker going by L&M used the fact that the Android apps for interacting with Itrack and Protrack have the same default password ("123456") that users are not forced to change to take control of thousands of cars equipped with the devices. L&M used a credential stuffing attack: using email addresses gleaned from massive breaches to gain access by repeatedly trying different email/password combinations.
Once penetrated, the apps yield up great quantities of information on the compromised users and their vehicles: "name and model of the GPS tracking devices they use, the devices' unique ID numbers (technically known as an IMEI number); usernames, real names, phone numbers, email addresses, and physical addresses."
L&M was able to track the compromised vehicles in realtime, and they say they can also immobilize many of them ("I can absolutely make a big traffic problem all over the world. I have fully [sic] control hundred of thousands of vehicles, and by one touch, I can stop these vehicles engines.")
The vulnerabilities reflect a lackadasical approach to security that we see across multiple industries: not only do the companies allow users to initialize their products without changing the default password, they compound this error by not detecting and preventing credential stuffing attacks. This negligence puts their users' property — and lives — at risk.
Both Itrack and Protrack are now asking their users to change their default passwords. Protrack denies that they have suffered a breach.
Nevertheless, the hacker said he never killed any car's engine, as that would be too dangerous. Though the hacker didn't prove that he was able to turn off a car's engine, a representative for Concox, the makers of one of the hardware GPS tracking devices used by some of the users of ProTrack GPS and iTrack, confirmed to Motherboard that customers can turn off the engines remotely if the vehicles are going under 20 kilometers per hour (around 12 miles per hour.)
The apps have a feature to "stop engine," according to a screenshot provided by the hacker.
Rahim Luqmaan, the owner of Probotik Systems, a South African company that uses ProTrack, said in a phone call with Motherboard that it's possible to use ProTrack to stop engines if a technician enables that function when installing the tracking devices.
"That makes it more dangerous," Luqmaan said about the data breach. "He can actually mess around with […] our clients and customers."
Hacker Can Monitor Cars And Kill Their Engines After Breaking Into GPS Tracking Apps [Lorenzo Franceschi-Bicchierai/Motherboard]