Probably a TLA/FLA-mandated Backdoor
so they can rid themselves of turbulent priests.
Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion. The gadgets are rebranded white box units from Chinese concern ThinkRace …
Hanlon's razor + Occam's razor say: Embedded Hardware Vendor doing software. Nothing more, nothing less. That pretty much defines and exemplifies incompetence to the Nth degree with regard to security and the use of the Internet. They just, plain, do not get it.
In any case, all you need to know about the gadget is that it is advertised using professional SPAM off bulletproof hosting (at least in the UK) along with renewables, eye surgery and cold calling confidence courses.
"But session cookie vulnerabilities turn that function - in the worst case scenario - into a means to shut off fuel supply to cars while in motion over the internet."
I would have expected that driving all over the internet was illegal in the first place, so it's a good idea someone came up with the way of stopping these miscreants!
'I would have expected that driving all over the internet was illegal in the first place, so it's a good idea someone came up with the way of stopping these miscreants!'
No, it's fine. Otherwise it wouldn't be called the 'Information Superhighway' would it?
I am the developer in a GPS tracking company. Most of the GPS tracking systems work using an embedded GSM module, which means you can call the tracker using your cellphone and receive an SMS with the current position and speed of your vehicle. Sometimes clients want to know if the driver has a hitchhiker in the cabin, thus the microphone capability. However, the microphone is not embedded into the device, it is a separate accessory.
Actually GPS tracking systems are pretty weakly secured, pretty much any GPS tracking devices I have worked with had no security whatsoever enabled. It's not that it doesn't have the capability, it's just that nobody takes the time to configure the tracker correctly. Same goes for the servers. They pretty much accept anything they receive through a specified TCP or UDP port, try to extract position and then save the whole string of data as-is onto a database, which leaves them wide open for SQL injections.
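The ingest pattern the comment above describes (save whatever arrives on the port as-is) next to a validated, parameterised version, as an added example that is not part of the original thread. The report format, table and function names are constructed for illustration, and SQLite stands in for whatever database such a server uses.

```python
import re
import sqlite3

# Constructed report grammar (an assumption, not a real tracker protocol):
#   <15-digit device id>,<lat>,<lon>,<speed km/h>
REPORT_RE = re.compile(r"(\d{15}),(-?\d{1,2}\.\d+),(-?\d{1,3}\.\d+),(\d{1,3})")

GOOD = "123456789012345,-36.8485,174.7633,52"   # constructed sample report
BAD = "x'), ('y"                                # constructed: quote ends the SQL literal

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE positions "
               "(device TEXT, lat REAL, lon REAL, speed INTEGER, raw TEXT)")
    return db

def store_unsafe(db, raw):
    """Weak pattern: the received string is pasted into the statement text."""
    db.execute(f"INSERT INTO positions (raw) VALUES ('{raw}')")

def store_safe(db, raw):
    """Reject anything outside the grammar, then bind values as parameters."""
    m = REPORT_RE.fullmatch(raw.strip())
    if not m:
        return False
    device, lat, lon, speed = m[1], float(m[2]), float(m[3]), int(m[4])
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return False
    db.execute("INSERT INTO positions (device, lat, lon, speed, raw) "
               "VALUES (?, ?, ?, ?, ?)", (device, lat, lon, speed, raw))
    return True

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM positions").fetchone()[0]

if __name__ == "__main__":
    weak, hardened = make_db(), make_db()
    store_unsafe(weak, BAD)          # one packet changes the statement's shape
    print("unsafe rows from one packet:", row_count(weak))
    print("safe accepts BAD: ", store_safe(hardened, BAD))
    print("safe accepts GOOD:", store_safe(hardened, GOOD))
    print("safe rows:", row_count(hardened))
```
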