It’s become unfortunately all too common to wake up in the morning and read about yet another catastrophic data breach that is about to affect the lives of thousands (or even millions) of people around the country. After the initial news broke about the Equifax breach, for example, estimates concerning the number of affected citizens actually rose by about 2.5 million people. Likewise, it was recently revealed that the Yahoo data breach of 2013 was far, far worse than anyone thought — it actually affected all 3 billion accounts that were active during that time.
When someone halfway around the world with malicious intentions suddenly has access to your Yahoo-based email account, that’s one thing. But what would happen if they were able to see a detailed and incredibly precise history of everywhere you’ve driven in the last year? What if they could suddenly see everywhere you’ve been today? What if they could see where you are currently headed right this second?
This is the situation we now face, as security researchers have discovered that data from more than 540,000 GPS-based vehicle trackers suddenly leaked onto the internet in 2017.
The GPS Breach and Kromtech: What Happened
This harrowing situation was first discovered in September, 2017 by the experts at Kromtech. Their own security researchers accidently stumbled on a massive cache of information containing, not only records obtained from more than 540,000 GPS-based vehicle tracker units, but also other identifying information like each device’s IMEI.
IMEI is an acronym that stands for “International Mobile Equipment Identity.” It’s a unique number that gets assigned to each device as soon as it establishes cellular connectivity. Think of it a bit like your GPS unit’s social security number — it’s a way for system administrators (and now, hackers) to tell one device from the other and to learn as much about individual users as possible.
As the researchers began to pour over the hacked cache of information, they were able to view username and password combinations for devices, email addresses that had been associated with each tracker and more. They were even able to obtain license plate numbers, vehicle identification numbers (VINs) and knew where each device was physically installed on the vehicle in question.
Part of the reason why the problem is so widespread is because this particular type of tracker (which Kromtech refused to call out by name for the purposes of security and because this is still an ongoing situation) was used by more than 400 automotive dealerships across the country. Also included in the hack appears to be more than 330 log files, which themselves contained everything from detailed maintenance records to pictures of the vehicles in question.
To make things worse, this is a problem that could have been totally avoided had someone taken a bit more care with their own job. Kromtech was only able to access all of this data in the first place because the Amazon S3 “bucket” that was used to store it was not being properly secured. Indeed, this type of problem has been the source of a number of data breach situations in the past — most notably when multiple gigabytes of customer data from Verizon were revealed to be publicly accessible.
None of this is to say that people should stop using GPS-based vehicle tracker units as soon as possible. Far from it. The technology itself still brings with it a wide range of different benefits that can’t be ignored, like being able to quickly find your vehicle in the event that it is stolen or to monitor the habits of teenage drivers. However, these benefits also come with a potentially dark downside, as well — particularly if the people we’ve trusted to protect our valuable and sensitive personal data don’t seem to have any interest in actually doing so.
As we continue to depend more and more on the wonders of modern technology each day, this is the type of problem that is only going to get worse before it has a chance to get better as time marches on.