Pierluigi Paganini July 20, 2022

Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers shipped with over 1.5 million vehicles can allow hackers to remotely hack them.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of multiple security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers which are used by over 1.5 million vehicles.

An attacker can exploit the flaws to remote disruption of critical functions of the impacted vehicles.

“CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker.” reads the advisory published by CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”

The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.

The flaws were discovered by BitSight researchers, they have been tracked as CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944.

Researchers from BitSight who discovered the issues reported that threat actors could hack into the tracker to potentially cut off fuel, physically stop vehicles, or track the movement of vehicles using the device.

MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.

The list of the vulnerabilities discovered by the researchers in September 2021 is reported below:

• CVE-2022-2107 (CVSS score: 9.8) – The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
• CVE-2022-2141 (CVSS score: 9.8) – Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
• CVE-2022-2199 (CVSS score: 7.5) – A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
• CVE-2022-34150 (CVSS score: 7.1) – The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification.
• CVE-2022-33944 (CVSS score: 6.5) – The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs.
• Experts found a sixth issued that has yet to receive a CVE (CVSS score: 8.1) – all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password nor is there any claiming process. The setup itself does not require a password change to use the device. We observed that many users have never changed their passwords.

The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.

BitSight recommends users immediately cease using or disable any MiCODUS MV720 GPS trackers due to the severity of the flaw, at least until the vendor will address the issues.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”

Researchers highlighted the risks that a nation-state actor could potentially exploit the above vulnerabilities to gather intelligence on entities operating in the military or one of its supplies. Data such as supply routes, troop movements, and recurring patrols could be revealed by exploiting these flaws-

“Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem.” concludes the report. “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MiCODUS)

[adrotate banner=”5″]

[adrotate banner=”13″]