You may not be familiar with SVR Tracking, but the San Diego-based company is making headlines right now for allowing private customer data to leak online. The service gives auto dealership and lot owners the ability to locate and recover vehicles, in the event they may need to be repossessed. Unfortunately, in its online travels, Kromtech Security Center came across more than a half million SVR records—540,642, to be exact—sitting in a publicly accessible Amazon S3 bucket.
What kind of information did SVR Tracking leak?
For a lot owner, SVR Tracking provides an extremely helpful service—they can benefit from continuous tracking every two minutes when a vehicle is moving, and a four-hour heartbeat when stopped. The application dashboard offers detailed vehicle data and real-time graphs, so they always know where their vehicles are traveling.
The only problem? This is the type of data that the company accidentally made available to the public in its Amazon bucket.
Anyone who came across the unprotected files would have been able to see:
- Email addresses
- License plate numbers
- Vehicle Identification Numbers (VINs)
- International Mobile Equipment Identity (IMEI) numbers of the GPS devices
- Everywhere a vehicle has been in the last 120 days
- Where the tracking devices were hidden in vehicles
According to Gizmodo, the passwords were stored using the cryptographic hash function SHA-1. However, SHA-1 is two decades old and has known weaknesses, and passwords hashed with it can be cracked easily.
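To make the point about SHA-1 password storage concrete, here is an added example (not code from the article, Gizmodo, or SVR Tracking) contrasting a bare SHA-1 digest with a salted, iterated password hash. The record format `pbkdf2_sha256$iterations$salt$digest` is a constructed convention for this example, the sample password is made up, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for whichever modern password hashing scheme a real system would use; the legacy-detection helper shows the migration step a defender would add so that old digests are replaced at the user's next successful login.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample credential for the demonstration; not taken from the leak.
SAMPLE_PASSWORD = "summer2017"

# Iteration count used when creating new records (tunable to the server's CPU budget).
DEFAULT_ITERATIONS = 600_000

LEGACY_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def sha1_store(password: str) -> str:
    """The weak pattern: one fast, unsalted SHA-1 of the password.

    Every user with the same password gets the same digest, and the digest
    can be recomputed extremely quickly, which is why it offers little
    protection once the table leaks.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def kdf_store(password: str, *, salt: Optional[bytes] = None,
              iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record (constructed format).

    A fresh 16-byte random salt is drawn per record, so identical passwords
    no longer produce identical stored values, and the iteration count makes
    each guess far more expensive than a single hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy_sha1(record: str) -> bool:
    """True when a stored value is a bare 40-hex-character SHA-1 digest."""
    return bool(LEGACY_SHA1_RE.match(record))


def login_and_migrate(password: str, record: str) -> tuple:
    """Check a password against either record type; on success, return the
    (possibly upgraded) record the database should store going forward."""
    if is_legacy_sha1(record):
        ok = hmac.compare_digest(sha1_store(password), record)
        return ok, (kdf_store(password) if ok else record)
    ok = kdf_verify(password, record)
    return ok, record


if __name__ == "__main__":
    legacy = sha1_store(SAMPLE_PASSWORD)
    print("legacy SHA-1 record:", legacy)
    ok, upgraded = login_and_migrate(SAMPLE_PASSWORD, legacy)
    print("login ok:", ok, "| upgraded record:", upgraded)
    print("wrong password accepted:", login_and_migrate("wrong", upgraded)[0])
```

Running the block shows the same SHA-1 digest for every user who chose the sample password, then replaces it with a salted record after one successful login; subsequent logins verify against the PBKDF2 record instead.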
In addition, other information exposed included:
- 339 logs with vehicle records, including images and maintenance records
- Documents containing SVR client contract information for more than 400 auto dealerships
Has anything been done to secure this data?
In short—yes. But currently, it’s unclear how long the Amazon S3 bucket was open to the public. Kromtech found the exposed data on September 18th, spent a day determining who it belonged to, and then notified SVR Tracking on September 20th. Within three hours, SVR had secured the data, but it never responded to Kromtech and only posted a brief notification about a security incident on its website.
Currently, it is not known who else may have come across the exposed SVR Tracking documents and data. Is there a chance no one saw it—or at least saw it, but didn’t have any interest in using it? Of course. However, depending on how long the information was free for the taking, a lot of damage could have been done. In addition to the simple breach of privacy, thieves could have had the ability to track victims to exact GPS coordinates, remove the hidden vehicle tracking devices, and drive off in their new cars—never to be seen again.