Warning: popular vehicle GPS tracker comes with 6 severe bugs

By exploiting the vulnerabilities of a Chinese tracker, threat actors could control it, cut off fuel, physically stop vehicles, and even surveil their movement.

Cybersecurity company BitSight discovered six “severe” vulnerabilities in the MiCODUS MV720 GPS Tracker that offers anti-theft, fuel cut-off, remote control, and geofencing capabilities.

Shenzhen-based MiCODUS has 1.5 million GPS tracking devices in use today across 420,000 customers, including government, military, law enforcement agencies, and corporations spanning various industries such as aerospace, energy, engineering, manufacturing, shipping, and more.

“The vulnerabilities discovered by BitSight can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organizations if not addressed,” said BitSight CEO Stephen Harvey.

The vulnerabilities earned CVSS (Common Vulnerability Scoring System; scores range from 0 to 10) scores as high as 9.8. The potential exploitation of these bugs could lead to:

  • Remotely cutting off the fuel line of a vehicle that is in motion;
  • Gaining access to vehicle location information, user routes, geofences, and real-time location tracking for surveillance purposes;
  • Monitoring and controlling all communications to and from the GPS tracker, including intentionally issuing incorrect vehicle location information to the GPS server.

BitSight said its vulnerability disclosure efforts to MiCODUS “were disregarded.” The company shared its findings with the Cybersecurity and Infrastructure Security Agency (CISA), and CISA issued a public advisory detailing the notable Common Vulnerabilities and Exposures (CVEs) that were discovered: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

“Unfortunately, these vulnerabilities are not difficult to exploit. For example, we discovered that the web interface and mobile app share the same default password, and the GPS tracker has commands that will work even without a password. Basic flaws in this vendor’s overall system architecture raise significant questions about the vulnerability of other models,” Pedro Umbelino, a principal security researcher at BitSight, said.

With the fast adoption of mobile devices and growing interconnectivity, the cyber risk increases significantly if devices are not built with security in mind.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, a former presidential advisor on cybersecurity. “Having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”