GPS tracking devices on fleet vehicles have enabled transportation and shipping companies to to streamline operations and improve efficiency for decades. As vehicles have become increasingly computerized, these devices also acted as a gateway for even more data gathering, commonly known as telemetry, which naturally led to them being connected to the internet for realtime data gathering and, of course, remote control capabilities, including the ability to stop engines, apply brakes and even control the steering. And, as is the tendency for all things internet-connected, these GPS systems are vulnerable to hacking, especially if the companies writing the software do dumb things like setting the default password to “123456”.
Who would do such a thing?
You can bet that if you set your default password to something as simple as that, and even publish that fact in the app documentation, someone is going to notice and take advantage, which is exactly what a hacker did when he used this knowledge and bit of code to brute force his way into thousands of user accounts for two widely-used Android apps. Not only was he able to gather confidential user data from the mobile device on which the apps were installed, but he was also able to gain collective access to thousands of vehicles that were managed by the app itself. Both apps also included functionality that, if installed and enabled by the vehicle operator, allowed the engine to be stopped remotely, even if it was in motion (up to 12 MPH supposedly). According to the hacker himself, he had the potential to cause a great deal of chaos, financial damage and potential physical harm if he were to actually follow through on killing engines on thousands (he claims hundreds of thousands) of vehicles, he stopped short of doing so, as his intent was not to hurt individuals but to raise awareness with companies using the flawed platforms. Both apps are developed by firms located in a country that has a reputation for producing products, software and firmware with serious security flaws and alleged backdoors. It’s unclear whether this particular hacker’s efforts will result in any overall improvements in the industry, but since contacting the app firms, at least one of the companies has reached out to its customers to urge them to change their passwords.