A white-hat hacker, who goes by the name of L&M, recently discovered significant vulnerabilities in two GPS-tracking apps. He found alarming cybersecurity risks concerning iTrack and ProTrack vehicle-tracking GPS apps. Many companies use these to track and manage their commercial vehicle fleets.
He reported his findings to Motherboard, submitting all the collected user data in a mission to help brands offering connected products protect their customers. Here’s what he discovered.
Remotely Stopping Car Engines All Around the World
L&M tracked connected cars all over the world. He accessed more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts.
L&M then found out that he could remotely turn off engines on some of the cars using those apps. He hacked well over 27,000 different users. All of them were using the default app password (i.e., 123456), which enabled him to gain access to their accounts.
It also gave him access to the main system of their connected cars. As a result, he could stop the engine on any car traveling 12 mph or slower.
This obviously poses a massive threat to traffic and road safety on a global scale. First of all, cybercriminals could easily cause traffic accidents. But they could also use ransomware to extort money from owners of connected vehicles.
L&M may have saved thousands of lives by discovering these security flaws. His mission to test various cybersecurity limits was definitely beneficial. It helped brands offering connected products to eliminate these vulnerabilities to keep their customers safe.
As L&M told Motherboard in an online chat: “My target was the company and not the customers. Customers are at risk because of the company.”
All the affected users of the two apps immediately received an email urging them to change their passwords.
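The root cause described above is a shared default password that was never changed. The following is an added example, not code from iTrack, ProTrack or the original article: a minimal server-side policy that audits for accounts still on the default and refuses every command except a password change until it is replaced. The `Account` class, the `authorize` function, the command names and the sample accounts are hypothetical.

```python
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "123456"  # default app password named in the article
ITERATIONS = 100_000         # illustrative PBKDF2 work factor (assumption)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:
    """Hypothetical account record: salted hash only, never the plaintext."""

    def __init__(self, username: str, password: str = DEFAULT_PASSWORD):
        self.username = username
        self._store(password)

    def _store(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def change_password(self, old: str, new: str) -> bool:
        # Refuse a wrong old password and refuse re-using the default.
        if not self.check(old) or new == DEFAULT_PASSWORD:
            return False
        self._store(new)
        return True


def accounts_on_default(accounts):
    """Audit: usernames whose stored hash still matches the default."""
    return [a.username for a in accounts if a.check(DEFAULT_PASSWORD)]


def authorize(account: Account, password: str, command: str) -> str:
    """Gate every command except the password change on a non-default password."""
    if not account.check(password):
        return "denied: bad credentials"
    if password == DEFAULT_PASSWORD and command != "change_password":
        return "denied: password change required"
    return "allowed"


# Constructed sample data, not real accounts.
FLEET = [Account("fleet-a"), Account("fleet-b", "V7#rn-example-only")]
```
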
Experts Weigh in on Raising the Bar on Security
Raising the bar on security is an absolute must when it comes to connected cars. Take a look at what some industry experts have to say about how people can protect their vehicles and sensitive data.
Virtualized Networking for Protecting Data in Motion
Dispersive Networks is a company focused on improving the security of mobility. It offers advanced network security optimization software for keeping data in motion secure. That covers all the apps and endpoints that use that data.
The company’s CTO, Rick Conklin, recently spoke about the software. He explained how it raises the bar on security.
It’s focused on moving the attack vector away from the applications using network virtualization. It pays particular attention to authenticating and authorizing users before giving them access to the network.
That way, the network allows only authorized users. Any potential unauthorized user is instantly and silently blocked. It achieves that by making the endpoints invisible on the network. No port scans or DDoS attacks can detect the endpoints. Therefore, they can’t exploit their vulnerabilities.
All that cybercriminals would be able to see is that an endpoint is sending and receiving data to and from the network. They wouldn’t be able to administer any attack, simply because they couldn’t find the endpoints.
Conklin also stated that the software encrypts all frames and packets. It also hides all fingerprints, TLS artifacts, and information about sources and destinations. “It’s what we normally call a low-probability of intercept use case, and it also ensures low probability of infiltration of the endpoint,” he said.
The Most Important Innovation Is the Security of Mobility
Don DeLoach recently spoke about progressing to the cyber-physical world. He is CEO of Rocket Wagon Venture Studios, a venture studio company focused on IoT innovation.
We are moving toward a world where everyone drives autonomous vehicles. But cybercriminals are still breaking the trust people need to embrace driverless cars.
“The market demands will drive innovation of all types, but among the most important will be innovation regarding security, especially in the realm of mobility,” DeLoach said.
Using Blockchain and Moving Away from Outdated Security Mechanisms
Michael Hathaway is the founder of Ironbridge Enterprise, which offers blockchain-based edge computing apps for enterprises. He expressed concerns about outdated security mechanisms.
People are still using antiquated security measures to protect their confidential data. This is precisely what leads to various hacking scenarios.
Hathaway advises that everyone move away from outdated username and password authentication methods. He says that both humans and machines must ensure their full digital security before connecting to a shared network.
Moreover, they should protect the IoT with blockchain technology. It will help establish a high level of security across distributed systems.
Securing your car with a VPN
The technologies mentioned above will certainly help protect people on the road and keep their sensitive data safe and secure. However, there’s another excellent solution for securing the IoT that suits regular users’ needs.
One of the most effective ways to do it is by using a Virtual Private Network. It encrypts internet connections, making users completely anonymous online. That way, it prevents cybercriminals from accessing IoT devices and their data.
When you install a VPN app on your phone, it encrypts all of your internet traffic, making it inaccessible to hackers. This way, they can’t get to your vehicle through your smartphone. A VPN protects traffic in transit only; it does not replace a default account password such as the 123456 described above, so that password still has to be changed.
When choosing the right VPN for your needs, be sure to look for a no-log VPN. A provider that keeps no logs on its users, including their online activity, is much safer in terms of online security. If the provider is ever hacked, the attacker would not be able to gain access to any user data.
Connected cars are incredibly convenient, but they do come with cybersecurity risks. They definitely demand immediate attention. But, fortunately, experts in the industry are already taking steps to enhance security.