Security breach exposes data from half a million vehicle tracking devices
SECURITY RESEARCHERS have uncovered a security breach exposing half a million vehicle tracking accounts and details.
Discovered by Kromtech security, the breach reveals information about the customers of US vehicle recovery device and monitoring company SVR Tracking, as well as the physical devices that are attached to the cars.
The exposed data, which includes customer credentials, was found in a misconfigured Amazon AWS S3 bucket that was left publicly available. Because the bucket was not protected by a password, anyone could have used the data to pinpoint locations visited by customers of the vehicle tracking firm.
“The repository contained over a half of a million records with logins, passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships,” said Bob Diachenko, Kromtech’s Chief Communication Officer.
“Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.”
In a backup folder called “accounts”, the data contained 540,642 ID numbers, account information that included many plate and VIN numbers, emails, hashed passwords, IMEI numbers and more.
Kromtech noted that the car tracking software monitors everywhere the car has been back as far as 120 days, including a somewhat terrifying feature that pinpoints on the map all of the places a driver has visited.
Diachenko added that the actual number of vehicles exposed by the incident may have been far more than half a million, since many of the accounts, which were used by SVR’s resellers and clients, include large numbers of tracking devices.
The tracking devices installed by SVR indicate the vehicle’s location around the clock, even if it hasn’t been reported as missing or stolen, according to the company.
“There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been,” added Diachenko. “There is a ‘recovery mode’ that can pinpoint every 2 min or create zone notifications.
They claim to have a 99% success rate on recovery but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?”
Shortly after a responsible disclosure note was sent, the bucket was secured, although with no word from the company.
SURGERY: Adam Brooks was attacked at NJAC in Birmingham
FOLLOWING NEWS that three men were stabbed during a church service last Sunday, people are asking if the church should be so ‘open’ and if they should provide security training to its frontline volunteers. Last Monday (September 11), a man entered New Jerusalem Apostolic Church (NJAC) in Aston, Birmingham, during its morning service and launched an unprovoked knife attack. Three members were injured in the incident: Elder Karl George, Adam Brooks and Jorge George. Brooks, the son of NJAC founders Bishop Melvin and Pastor Yvonne Brooks, underwent surgery as a result of the attack. He subsequently recorded a video from his hospital bed following his operation, which was broadcast live to people that had gathered at the church on September 12.
In it he encouraged people to level up, and do their best. At the time of writing, the video had been viewed more than 20,000 times on social media. Brooks is now recuperating at home. By their very nature, churches welcome anyone, whatever their background, so that they can attend worship services or benefit from church-run community projects. Most church volunteers who interact with the public, namely ushers and greeters, are usually untrained in security issues but perhaps it’s time that this was addressed.
CRIME SCENE: NJAC in Birmingham saw a knifeman enter the building last week (image credit: Sky News)
Deaconess Madge Obaseki is co-director of growthechurchnow.com and a human resources specialist. She believes that now is a good time for churches to consider their security. She told The Voice:
“Churches should get together their management committee or board of elders and trustees to formulate some form of strategy on how they can protect the public who visit their premises.” She continued:
“They would need to look at their frontline workers. They would need to look at their security in terms of their doorways, and preparing staff and would need some form of training in place so that staff know how to deal with people who are aggressive and show signs of mental illness.”
She also said that it is imperative for churches to ensure they have employers’ liability insurance and public liability insurance, in order to protect volunteers, employees and the general public. Retired police officer Leroy Logan is a man with a lot of security experience. During his time at the Metropolitan Police, he was head of the Black Police Association and played a major role in managing security during the 2012 London Olympics. He currently runs his own security firm and says it is key for places of worship to undertake a risk assessment.
“All churches, regardless of denomination, should carry out their own risk assessments, which should be part of the whole safeguarding issue for their fellowship and vulnerable people. If they can’t do it themselves they can always tap into the local crime prevention officer.
They should be able to give a clear breakdown of the vulnerable areas in their premises and things to consider in the area.”
He also advises churches to train volunteers so that they have a basic understanding of security. As head of the National Church Leaders Forum, Reverend Ade Omooba does not want churches to become over cautious because of what happened at NJAC.
“We must continue to welcome people within our community with open arms but be mindful of the social pressures that they are under.” As far as NJAC is concerned, it is business as usual.
They are not letting the incident stop them from serving others. In a statement they said:
“There is a palpable resolve that this incident will not affect the community-focused work, the open arms and open doors policy the church has for the community and the family fellowship that exists in the church.”
On 14 September 2017, at Llandudno Magistrates Court, Mark Pursglove was found guilty of working without a licence, Rachel Williams of aiding and abetting Mr Pursglove, and Alan Williams of providing false information. This is not the first time we have prosecuted Mark Pursglove. In February 2016, Mark Pursglove along with his company, Mark Pursglove Security Limited, pleaded guilty at Holyhead Magistrates Court to supplying unlicensed security operatives and providing false information to the SIA. As a result, we revoked Pursglove’s licence to prevent him from working or operating in the private security industry.
This meant Pursglove could not personally carry out any licensable activities; nor could he manage, supervise or be a director of any company supplying security operatives to licensable roles. However, on 25 February 2016, Mark Pursglove formed a new security company called MP Security Services Ltd. It operated from the same offices and provided the same staff to the same contracts. Intelligence sent to us pointed to the fact that Mark Pursglove was the acting director of the new company and the sole shareholder.
We investigated MP Security Services Ltd, and found that Mark Pursglove had visited these customers’ premises shortly after his conviction, to offer reassurances. He had explained that the new company would continue to supply security operatives and that the terms of the contract would remain the same. He had also stated that he would not be involved in the business. During the investigation, we discovered that Mark Pursglove had listed one of his security guards as a company director without the guard’s permission and later appointed a friend, Alan Williams, as a director. He also appointed his partner, Rachel Williams, to undertake a managerial and supervisory role. It became clear that Mark Pursglove was trying to disguise his role in the company.
Our investigators suspected that both appointments were false and requested information from Alan Williams, as he was the named director. He provided this information but the SIA doubted its validity and believed that Mark Pursglove continued to run the company himself. As a result, we gathered further evidence and prosecuted Mark Pursglove, Rachel Williams and Alan Williams. They all pled not guilty; however, all were found guilty.
Mark Pursglove was found guilty of acting as an unlicensed manager or supervisor and of acting as an unlicensed security director. This is a section 3 offence under the Private Security Industry Act (PSIA) 2001. Rachel Williams was found guilty of aiding and abetting Mark Pursglove to commit the above offences. Their sentencing was adjourned and will take place at Caernarfon Magistrates Court on 12 October 2017.
Alan Williams was found guilty of providing false information. He was fined £420 and ordered to pay a victim surcharge of £42 and costs of £2750. Nathan Salmon, the Head of SIA Criminal Investigations, said:
“Mark Pursglove continued to operate as a provider of security services despite his previous conviction and knowing full well we had revoked his licence. He tried to disguise his own involvement within the company by using others, placing them in key roles within the company and changing the name of his business. Using individuals as a front will not protect businesses from prosecution; the Private Security Industry Act specifically interprets the role and responsibilities of directors and the SIA will assess personal liability, meaning those guilty of offences cannot hide behind others. This strong conviction highlights the fact that security regulation exists in order to protect those who use contracted security services, as well as the general public.
It also helps to ensure the effectiveness of security businesses that operate within the industry.”
- The Security Industry Authority is the organisation responsible for regulating the private security industry in the United Kingdom, reporting to the Home Secretary under the terms of the Private Security Industry Act 2001.
The SIA’s main duties are: the compulsory licensing of individuals undertaking designated activities; and managing the voluntary Approved Contractor Scheme.