A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device, or at least minimize exposure to it, citing a host of vulnerabilities that allow hackers to remotely disable cars as they move, track location histories, disarm alarms, and shut off fuel.
An assessment by security firm BitSight revealed six vulnerabilities in the Micodus MV720, a GPS tracker that retails for around $20 and is widely available. The researchers who conducted the assessment believe that the same critical vulnerabilities are present in other Micodus tracking models. The China-based manufacturer says 1.5 million of its tracking devices are deployed to 420,000 customers. BitSight has found the device in use in 169 countries, with customers including governments, military, law enforcement, and aerospace, maritime, and manufacturing companies.
BitSight discovered what it said were six “serious” vulnerabilities in the device that allow for a host of possible attacks. One of the shortcomings is the use of unencrypted HTTP communications that allow remote attackers to conduct adversary-in-the-middle attacks that intercept or modify requests sent between the mobile app and supporting servers. Other vulnerabilities include a faulty authentication mechanism in the mobile app that can allow attackers to access the hard-coded key to lock trackers and the ability to use a custom IP address that allows hackers to monitor and control all communications to and from the device.
The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally released the findings on Tuesday after months of trying to engage privately with the maker. At the time of writing, all vulnerabilities remain unpatched and unmitigated.
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is available,” the researchers wrote. “Organizations using any MiCODUS GPS tracker, regardless of model, should be alerted to the insecurity regarding its system architecture, which can put any device at risk.”
The US Cybersecurity and Infrastructure Security Agency (CISA) also warns of the risks posed by the critical security bugs.
“Successful exploitation of these vulnerabilities could allow an attacker to control any MV720 GPS tracker, providing access to location, routes, fuel cut commands, and disarming various features (e.g. alarms),” agency officials wrote.
The vulnerabilities include one identified as CVE-2022-2107, a hard-coded password that carries a severity rating of 9.8 out of a possible 10. Micodus trackers use it as the main password. Hackers who obtain this password can use it to log into the web server, impersonate the legitimate user, and send commands to the tracker via SMS communications that appear to come from the GPS user’s mobile phone number. With this control, hackers can:
• Get full control of any GPS tracker
• Access location information, routes, geofences, real-time tracking locations
• Cut vehicle fuel
• Disarm alarms and other features
A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol used by the Micodus server and GPS tracker to communicate. Other vulnerabilities include a hard-coded password used by the Micodus server, a reflected cross-site scripting flaw in the web server, and an insecure direct object reference in the web server. The other tracking designations are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.
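The weakness classes named in the two passages above (a shared hard-coded master password, missing object-level authorization on tracker records, and reflected cross-site scripting) are common enough that it helps to see each beside its hardened form. The following is an added illustration written for this article, not Micodus's firmware, server code, or BitSight's findings; the `Account`, `Tracker`, command names, and the placeholder master password are all constructed.

```python
"""Added example (hypothetical code, not the vendor's): three authorization and
output-handling weaknesses of the kind described above, each next to a hardened
version. Everything here is constructed for illustration."""
import hashlib
import hmac
import html
import os
from dataclasses import dataclass, field

# --- 1. Shared hard-coded credential (the class of flaw behind CVE-2022-2107) ---
MASTER_PASSWORD = "CHANGEME-PLACEHOLDER"  # constructed placeholder, not a real value

ALLOWED_COMMANDS = {"locate", "arm_alarm", "disarm_alarm", "cut_fuel"}


def vulnerable_authorize_command(password: str, tracker_id: str, command: str) -> bool:
    """Anyone holding the one shared secret may command *any* tracker."""
    return password == MASTER_PASSWORD


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    trackers: set = field(default_factory=set)  # tracker ids this account owns


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Per-account salted, iterated hash: no shared secret exists to leak.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_account(username: str, password: str, trackers) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash_pw(password, salt), set(trackers))


def hardened_authorize_command(account: Account, password: str,
                               tracker_id: str, command: str) -> bool:
    # (a) credential is bound to this account; constant-time compare
    if not hmac.compare_digest(_hash_pw(password, account.salt), account.pw_hash):
        return False
    # (b) object-level check: the account must own the tracker (fixes the IDOR)
    if tracker_id not in account.trackers:
        return False
    # (c) only allow-listed commands reach the device
    return command in ALLOWED_COMMANDS


# --- 2. Insecure direct object reference on tracker records ---
@dataclass
class Tracker:
    tracker_id: str
    owner: str
    last_location: str


# constructed sample records
TRACKERS = {
    "T1": Tracker("T1", "alice", "51.50,-0.12"),
    "T2": Tracker("T2", "bob", "48.85,2.35"),
}


def vulnerable_get_location(requester: str, tracker_id: str) -> str:
    """Looks up by id only; any logged-in user can read any tracker."""
    return TRACKERS[tracker_id].last_location


def hardened_get_location(requester: str, tracker_id: str) -> str:
    rec = TRACKERS.get(tracker_id)
    # Return the same error for "missing" and "not yours" to avoid enumeration.
    if rec is None or rec.owner != requester:
        raise PermissionError("tracker not found")
    return rec.last_location


# --- 3. Reflected cross-site scripting in the web UI ---
def vulnerable_render(tracker_name: str) -> str:
    """Echoes request input straight into HTML."""
    return f"<h1>Tracker {tracker_name}</h1>"


def hardened_render(tracker_name: str) -> str:
    # Context-appropriate escaping for HTML body text.
    return f"<h1>Tracker {html.escape(tracker_name, quote=True)}</h1>"


if __name__ == "__main__":
    alice = make_account("alice", "correct-horse-battery", ["T1"])
    print(hardened_authorize_command(alice, "correct-horse-battery", "T1", "locate"))  # True
    print(hardened_authorize_command(alice, "correct-horse-battery", "T2", "locate"))  # False
    print(hardened_render("<b>x</b>"))
```

The hardened path replaces the single secret with a per-account credential, adds an ownership check before any tracker record or command is touched, and escapes user-controlled text before it reaches the page; the `PermissionError` message is deliberately identical for nonexistent and foreign trackers so the endpoint does not confirm which ids exist.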
“Exploitation of these vulnerabilities could have disastrous, even fatal implications,” the BitSight researchers wrote. “For example, an attacker could exploit some of the vulnerabilities to shut off fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could exploit GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers could choose to surreptitiously track individuals or demand ransom payments to restore disabled vehicles to working condition. There are many possible scenarios that could lead to loss of life, property damage, intrusion into privacy, and threats to national security.”
Attempts to reach Micodus for comment were unsuccessful.
BitSight’s warnings are important. Anyone using one of these devices should turn it off immediately, if possible, and consult a qualified security specialist before using it again.