A US outfit that sells vehicle tracking services has been accused of leaving more than half a million records in a leaky AWS S3 bucket.
The Kromtech Security Centre, which has made belling this particular cat its hobby, says it found a total of 540,642 ID numbers associated with SVR Tracking, an outfit that uses GPS devices to track vehicles so they can be found if their owners fall into arrears on payments.
Kromtech says data left lying around includes “logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships”.
The passwords were hashed. But the database also records where on a particular vehicle the tracking device was hidden.
339 logfiles from the trove included maintenance records for vehicles, among other data, and identified 427 dealerships using SVR’s tracking devices.
Because SVR Tracking doesn’t know when a car might be stolen (or how long will elapse before a theft is discovered) the tracking devices send their location more-or-less continuously back to the company’s database, where it’s kept for 120 days.
That means if a miscreant had accessed the dataset, they would have been able to pinpoint a vehicle’s location for that period of time.
Kromtech says it informed SVR Tracking of the problem and the bucket has since been secured.
SVR Tracking posted a statement on its Website:
While SVR is not in a position to confirm the accuracy of everything reported by others, Kromtech contacted SVR on September 20, at which point we immediately began our own investigation into an incident concerning one of our data repositories. Within 3 hours, SVR fixed the repository configuration vulnerability Kromtech identified. SVR’s investigation into potential unauthorized access to the repository is ongoing, and we will take any further steps reasonably necessary to help safeguard sensitive information pertaining to our customers.