Serious flaws in GPS trackers make for “catastrophic” and “life-threatening” hacks
A security company and the US government are advising the public to immediately stop using a popular GPS tracking device, or at least minimize exposure to it, citing a series of vulnerabilities that make it possible for hackers to remotely disable cars while they are in motion, track location history, disarm alarms and cut fuel.
An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracking device that sells for about $20 and is widely available. The researchers who performed the review believe that similar critical vulnerabilities are present in other models of Micodus trackers. The China-based manufacturer says 1.5 million of its trackers are deployed across 420,000 customers. BitSight sees the device in use in 169 countries, with customers including governments, the military, law enforcement, and aviation, shipping and manufacturing companies.
BitSight has discovered what it says are six “severe” vulnerabilities in the device that allow a wide range of possible attacks. One vulnerability is the use of unencrypted HTTP communications, which makes it possible for remote attackers to perform adversary-in-the-middle attacks that intercept or alter requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that could allow attackers access to a hardcoded key to block trackers, and the ability to use arbitrary IP addresses, a setting that makes it possible for hackers to monitor and control all incoming and outgoing communications of the device.
The security company said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally made their findings public on Tuesday after trying for months to engage privately with the manufacturer. As of the time of writing, all of the security vulnerabilities remain unpatched and unresolved.
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS trackers turn off these devices until a fix is available,” the researchers wrote. “Organizations using any MiCODUS GPS tracker, regardless of model, must be alerted to the insecurity associated with its system architecture, which could put any device at risk.”
The US Cybersecurity and Infrastructure Security Agency is also warning about the risks posed by critical security flaws.
“Successful exploitation of these vulnerabilities could allow an attacker to take control of any MV720 GPS tracking device, granting access to location, route, fuel cut commands, and disabling various functions (e.g. alarm),” agency officials wrote.
The vulnerabilities include one tracked as CVE-2022-2107, a hard-coded password that has a severity rating of 9.8 out of 10. Micodus trackers use it as a master password. Hackers who obtain this passcode can use it to log into web servers, impersonate legitimate users, and send commands to trackers via SMS communications that appear to come from a GPS user’s mobile number. With this control, hackers can:
• Take full control of any GPS tracking device
• Access location information, routes, geo-fencing and location tracking in real time
• Cut off fuel for vehicles
• Turn off alarms and other features
A separate vulnerability, CVE-2022-2141, results in a broken authentication state in the protocol that the Micodus server and GPS tracker use to communicate. Other security vulnerabilities include hard-coded passwords used by the Micodus server, reflected cross-site scripting errors in the Web server, and insecure direct object references in the Web server. The other tracking designations include CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.
“Exploiting these vulnerabilities can have disastrous and even life-threatening consequences,” the BitSight researchers wrote. “For example, an attacker could exploit some of the vulnerabilities to cut off fuel for an entire fleet of commercial or emergency vehicles. Or, an attacker could use GPS information to track and suddenly stop vehicles on a dangerous highway. Attackers can choose to stealthily spy on individuals or demand a ransom to return disabled vehicles to working condition. There are many possible circumstances that can lead to loss of life, property, invasion of privacy, and a threat to national security.”
Attempts to contact Micodus for comment have been unsuccessful.
The BitSight warnings are important. Anyone using one of these devices should turn it off immediately, if possible, and consult a trained security professional before using it again.