A popular GPS tracker used in millions of vehicles around the world has been found to have multiple very serious vulnerabilities, allowing threat actors to track the vehicles’ location, disable the vehicles completely, shut off their fuel and operate the devices from a distance.
To make matters worse, the manufacturer doesn’t seem interested in fixing the flaws at all.
A report by BitSight said the MiCODUS MV720 GPS Tracker, a Chinese product, contained six very serious vulnerabilities. These are now tracked as CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944, one of which has a severity score of 9.8.
What makes matters worse is that the flaws aren’t that hard to exploit. Pedro Umbelino, chief security researcher at BitSight, says the company found that the web interface and mobile app share the same default password, while the GPS tracker accepts certain commands even without authentication.
“Basic flaws in this vendor’s overall system architecture raise important questions about the vulnerability of other models,” he concluded.
The worst part is that the manufacturer doesn’t seem all that interested in plugging these gaps. BitSight says it has contacted the company, but the warnings fell on deaf ears: “BitSight shared its investigation with the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security as its efforts to disclose vulnerabilities to MiCODUS were ignored,” the report stated.
Until the manufacturer fixes the issues, the company concluded, businesses and individuals should stop using the MiCODUS MV720 GPS Tracker, as the risk is far too great. Currently, MiCODUS has more than 420,000 customers, including government, military, law enforcement and Fortune 1000 companies, BitSight claims.
“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, an internationally renowned national security expert and former presidential adviser on cybersecurity.
“With the rapid growth in the use of mobile devices and the desire for our society to be more connected, it’s easy to overlook the fact that GPS tracking devices like this can significantly increase cyber risk if not built with safety in mind. BitSight’s research findings show how having a secure IoT infrastructure is even more important when these vulnerabilities can be easily exploited to affect our personal security and national security, leading to extreme results such as a massive disruption of fleet management and even loss of life.”