Posted on May 18, 2018 at 6:17 PM
Phone-Tracking Firm Hacked Thanks to Weak Password Hashing
One of the companies used by police for tracking cell phones in real time, Securus, was hacked and had its credentials leaked. The firm had hashed its passwords with MD5, an algorithm so fast and so weak for this purpose that the attackers were able to recover the passwords and use them against the firm.
Securus loses sensitive data
Securus, a firm that provides smartphone tracking tools to US police departments, has suffered a hacking attack. According to reports, hackers managed to get access to 2,800 records, which include the firm’s login credentials.
The New York Times has reported that this firm is capable of finding pretty much any phone’s location within seconds, as long as the device is in the country. The company does this by obtaining the location data that carriers, including Sprint, Verizon, and AT&T, also make available to marketers. The service was originally intended for legitimate uses such as tracking missing persons, monitoring calls to prison inmates, and the like.
After the breach of the firm’s confidential data, the anonymous hacker published a spreadsheet called “Police”. The spreadsheet included 2,800 pieces of various data: email addresses, usernames, phone numbers, Securus users’ security questions, and hashed passwords. The data in question spans from 2011 all the way to 2018. The sheet contains information about the company’s staff as well as government and law enforcement users from various cities, including Phoenix, Indianapolis, and Minneapolis.
The fault lies with the hashing algorithm
Despite the fact that the passwords were hashed, and thus deemed protected, the hackers still managed to get to them. This is because the team used the MD5 algorithm, which produces a 128-bit hash and was designed to be computed quickly. That speed is exactly the problem for password storage: an attacker holding the hashes can test billions of candidate passwords per second, and without a per-user salt every user who chose the same password ends up with the same hash. MD5 was once seen as decent protection, but with the rapid advance of hardware and cracking techniques, this level of protection is now seen as fatally weak. Big companies like Microsoft (Windows) stopped using this algorithm years ago for this exact reason.
The best practice is for companies to protect stored passwords with a dedicated password-hashing function rather than a general-purpose hash. The recommended algorithms are bcrypt, PBKDF2, or scrypt, because they are deliberately slow, tunable in cost, and salted, which makes brute-force guessing far more expensive. As for MD5, many have commented that such an algorithm shouldn’t be used for hashing passwords, ever.
Some of the passwords the hackers released were in plain text. It is not currently known whether this means the hacker managed to crack them himself, or whether Securus stored them in that form.
Beyond being a huge security breach for Securus, the incident should not be ignored by other companies. Instead, they should use it to learn what happens when a company becomes careless with sensitive data. Important information requires decent protection, and even though companies already know this, it is always good to remember that improving it is a never-ending process.