Critical errors in GPS tracker allow “disastrous” and “life-threatening” hacks

    A security company and the US government are advising the public to immediately stop using, or minimize exposure to, a popular GPS tracking device, citing a host of vulnerabilities that allow hackers to remotely disable cars while they are moving, track location histories, disable alarms, and shut off fuel.

    A review by security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that retails for about $20 and is widely available. The researchers who conducted the review believe that the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed to 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement, and aerospace, shipping and manufacturing companies.

    BitSight discovered what it said were six “serious” vulnerabilities in the device that allow for a wide range of possible attacks. One flaw is the use of unencrypted HTTP communication, which allows hackers to conduct remote adversary-in-the-middle attacks that intercept or modify requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that allows attackers to access the hard-coded key to lock the trackers, and the ability to use a custom IP address, which allows hackers to access all communications to and from the device.

    The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after months of trying to contact the manufacturer privately. At the time of writing, all vulnerabilities remain unpatched and unmitigated.

    “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable those devices until a solution is available,” researchers wrote. “Organizations using a MiCODUS GPS tracker, regardless of model, should be warned of insecurity related to the system architecture, which can compromise any device.”

    The US Cybersecurity and Infrastructure Security Administration also warns of the risks posed by the critical security bugs.

    “Successful exploitation of these vulnerabilities could give an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel shutdown commands, and disabling various features (e.g., alarms),” agency officials wrote.

    The vulnerabilities include one tracked as CVE-2022-2107, a hard-coded password with a severity rating of 9.8 out of a possible 10. Micodus trackers use it as the master password. Hackers who obtain this passcode can use it to log in to the web server, impersonate the legitimate user, and send commands to the tracker via text messages that appear to come from the GPS user’s mobile number. This control allows hackers to:

    • Get full control over any GPS tracker
    • Access location information, routes, geofences and tracking locations in real time
    • Cut off fuel to vehicles
    • Disable alarms and other functions

    A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol that the Micodus server and GPS tracker use to communicate. Other vulnerabilities include a hard-coded password used by the Micodus server, a reflected cross-site scripting flaw in the web server, and an insecure direct object reference in the web server. The other tracking designations are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

    “Exploiting these vulnerabilities could have disastrous and even life-threatening consequences,” BitSight researchers wrote. “For example, an attacker could exploit a number of vulnerabilities to save fuel for an entire fleet of commercial or emergency vehicles. Or the attacker could use GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers can choose to covertly track individuals or make ransom demands to restore disabled vehicles to working order. There are many possible scenarios that could lead to loss of life, property damage, invasion of privacy and a threat to national security.”

    Attempts to reach Micodus for comment were unsuccessful.

    The BitSight warnings are important. Anyone using any of these devices should turn it off immediately if possible and consult a trained security specialist before using it again.