Vulnerability researchers have found security issues in a GPS tracker that its vendor advertises as being present in about 1.5 million vehicles across 169 countries.
A total of six vulnerabilities affect the MiCODUS MV720 device, which is present in vehicles used by several Fortune 50 firms, governments in Europe, states in the U.S., a military agency in South America, and a nuclear plant operator.
The risks stemming from the findings are significant and affect both privacy and physical safety. An attacker who compromises an MV720 device could use it to track or even immobilize the vehicle carrying it, collect information about its routes, or manipulate the data it reports.
Considering the roles of many of the device’s users, nation-state adversaries could leverage them to perform attacks that might have national security implications.
For example, MiCODUS GPS trackers are used by the state-owned Ukrainian transportation agency, so Russian hackers could target them to determine supply routes, troop movements, or patrol routes, researchers at cybersecurity company BitSight say in a report today.
Vulnerability details
BitSight looked at this particular MiCODUS model because it is a low-cost ($20) and highly popular device with reliable cellular-enabled tracking features, and because it can perform potentially dangerous actions such as cutting off the vehicle's fuel supply.
Only one of the six vulnerabilities BitSight found lacks a CVE identifier. They are described as follows:
CVE-2022-2107: Hard-coded master password accepted by the API server, allowing an attacker to send SMS commands to a tracker as if they came from the owner's mobile number. (critical severity score: 9.8)
CVE-2022-2141: SMS-based GPS commands executed by the tracker without authentication. (critical severity score: 9.8)
No assigned CVE: Weak default password (123456) on all MV720 trackers, with no mandatory rule requiring the user to change it after initial device setup. (high severity score: 8.1)
CVE-2022-2199: Reflected cross-site scripting (XSS) on the main web server, allowing an attacker to take over user accounts, interact with the apps, and view all information accessible to that user. (high severity score: 7.5)
CVE-2022-34150: Insecure direct object reference (IDOR) on the main web server, allowing any logged-in user to access data for any Device ID in the server database. (high severity score: 7.1)
CVE-2022-33944: Insecure direct object reference (IDOR) on the main web server, allowing unauthenticated users to generate Excel reports about GPS tracker activity. (medium severity score: 6.5)
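The default-password and IDOR weaknesses in the list above are generic web-application failures, so they can be shown in a small model. The following is an added illustration written for this page, not MiCODUS code or BitSight's proof of concept: two deliberately flawed request handlers in the shape the report describes (an unauthenticated report export keyed only by Device ID, and an authenticated lookup that never checks ownership), beside a hardened handler that authenticates, refuses accounts still on the default password, and resolves the Device ID only within the caller's own devices. The device records, account names and passwords are constructed sample data.

```python
# Added illustration, not MiCODUS code: the default-password and IDOR
# weaknesses listed above, modelled as plain Python request handlers,
# each shown beside the check that closes it. All data is constructed.

DEFAULT_PASSWORD = "123456"  # the factory default the report describes

# Constructed back end: tracker records keyed by Device ID.
DEVICES = {
    "D1001": {"owner": "fleet-a", "trips": ["08:00 depot -> plant", "17:10 plant -> depot"]},
    "D1002": {"owner": "fleet-a", "trips": ["09:30 depot -> port"]},
    "D2001": {"owner": "fleet-b", "trips": ["06:45 yard -> airport"]},
}
# Constructed accounts; plaintext only to keep the example short.
USERS = {
    "fleet-a": "correct horse battery",
    "fleet-b": DEFAULT_PASSWORD,  # never changed after setup
}


class AuthError(Exception):
    """Raised when a request is refused (401/403/404 in an HTTP service)."""


def login(username, password):
    """Return a session dict; flag accounts that still use the default password."""
    if USERS.get(username) != password:  # real code: hash and compare in constant time
        raise AuthError("bad credentials")
    return {"user": username, "must_change_password": password == DEFAULT_PASSWORD}


def export_report_vulnerable(device_id, session=None):
    """Report export keyed only by Device ID, no login needed (the CVE-2022-33944 pattern)."""
    return DEVICES[device_id]["trips"]


def device_data_vulnerable(device_id, session):
    """Requires a login but never checks that the device belongs to the caller
    (the CVE-2022-34150 pattern): any valid account can read any Device ID."""
    if session is None:
        raise AuthError("login required")
    return DEVICES[device_id]["trips"]


def device_data_fixed(device_id, session):
    """Hardened handler: authenticate, block default-password accounts, and
    resolve the Device ID only within the caller's own devices."""
    if session is None:
        raise AuthError("login required")
    if session["must_change_password"]:
        raise AuthError("change the default password before using the API")
    rec = DEVICES.get(device_id)
    if rec is None or rec["owner"] != session["user"]:
        # Same response for unknown and foreign IDs so IDs cannot be enumerated.
        raise AuthError("not found")
    return rec["trips"]


def is_denied(handler, device_id, session):
    """Helper for checks: True if the handler refuses the request."""
    try:
        handler(device_id, session)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    fleet_a = login("fleet-a", "correct horse battery")
    print("unauthenticated export:", export_report_vulnerable("D2001"))
    print("cross-tenant read:", device_data_vulnerable("D2001", fleet_a))
    print("fixed, own device:", device_data_fixed("D1001", fleet_a))
    print("fixed, foreign device denied:", is_denied(device_data_fixed, "D2001", fleet_a))
```

The point of the hardened handler is that authorization is tied to the session, not to the identifier the client supplies: a Device ID that exists but belongs to another tenant gets the same "not found" answer as one that does not exist, which is what stops an authenticated user from walking the whole ID space.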
BitSight has developed proof-of-concept (PoC) code for the five flaws that received a CVE identifier, demonstrating how they could be exploited in the wild.
Disclosure and fixing
The security firm discovered the critical flaws on September 9, 2021, and attempted to alert MiCODUS immediately but encountered difficulties finding the right person to accept a security report.
The Chinese vendor of the GPS tracker was contacted again on October 1, 2021, but refused to provide a security or engineering contact. Subsequent attempts to contact the vendor in November didn’t yield a response.
Finally, on January 14, 2022, BitSight shared the full technical details of its findings with the U.S. Department of Homeland Security and asked it to engage with the vendor through its own channels.
Currently, the MiCODUS MV720 GPS tracker remains vulnerable to the mentioned flaws, and the vendor hasn’t made a fix available.
Users of these devices are therefore advised to disable them immediately until a fix is available, or to replace them with actively supported GPS trackers. Continuing to use them would be an extreme security risk, especially now that the flaws are publicly known.
China-Made GPS Tracker is Found to Be Risk for Vehicle Hacking
Vulnerabilities in a popular GPS tracker made in China and used around the world could allow hackers to disrupt vehicles, cut off their fuel and surveil drivers' movements, according to new research.
Several “severe” flaws in the Micodus MV720 tracker affect customers, private companies and government agencies, creating a “high risk” of personal injury, vehicle disablement and supply-chain disruption, according to Boston-based BitSight Technologies. Researchers believe 1.5 million Micodus devices are in use in more than 160 countries.
The US Department of Homeland Security issued several warnings Tuesday about the flaws. Micodus didn’t immediately respond to emails and phone calls seeking comment from Bloomberg News since early Monday.
In a statement, Eric Goldstein, executive assistant director for the Cybersecurity and Infrastructure Security Agency (CISA), a division of DHS, said the agency is not aware of any active exploitation of the vulnerabilities that were identified. The agency encouraged specialists such as product integrators to "implement mitigation measures," he said.
GPS trackers used in fleet management can monitor the location of a company’s vehicles. They also can be anti-theft devices, allowing company employees to remotely cut the gas to stymie a carjacker or monitor its fuel consumption, for instance. But if hackers gain access to that same device, they, too, can stop vehicles or track their whereabouts.
The vulnerabilities would allow a bad actor in multiple situations to “easily gain complete control over any GPS tracker of this type,” said Pedro Umbelino, BitSight’s principal security researcher. Some of the vulnerabilities, BitSight said, were rated a 9.8 out of a possible 10, the most severe.
BitSight urged those who own the trackers, which sell for about $20 online, to stop using them until a fix is made available. The company said it made repeated attempts to share information about the flaws with the Shenzhen, China-based vendor, dating back to September 2021, but was “disregarded.”
BitSight says the trackers are deployed by major firms in the energy, aerospace and technology sectors, as well as an unidentified national government in Western Europe and a national military in Eastern Europe.
Researchers found that Ukraine had the most Micodus GPS trackers in all of Europe, used by a state-owned transportation system and a top bank in Kyiv. That raises the specter that Russian operatives could exploit those flaws, allowing them to track or disable vehicles amid its months-long war against Ukraine.
“The vulnerabilities discovered by BitSight can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organizations if not addressed,” said BitSight Chief Executive Officer Stephen Harvey. “Our research highlights why it is critical for organizations to consider internet-of-things devices in cyber-resilience efforts.”
You want to track where a vehicle is being driven, or where a person or object is located. But you don’t want to be, well, obvious about it. Then a battery-powered GPS tracker is often your best solution. They’re the most versatile type of tracker. Typically, they can be magnetically attached to the underside of a vehicle or another metal surface, or placed in a console or cubby. Or they can be carried in someone’s pocket or attached to something important. All models let you see the tracker’s location on a digital map, review trip histories to see where it’s been, and receive notifications when it leaves or arrives at designated areas (called geofences).
Overall, these don’t monitor driver performance as well as plug-in GPS trackers do, and their batteries typically need to be recharged every couple of weeks. But they are more portable and easier to hide. Because these trackers transmit their data over cellular networks, all of them require a monthly or yearly subscription fee.
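The geofence alerts described above are computed server-side from the stream of position fixes the tracker uploads. The following is an added example written for this page, not any tracker vendor's code: it evaluates both circular zones (great-circle distance from a centre) and arbitrary polygon zones (ray-casting point-in-polygon), and turns a time-ordered list of fixes into enter/leave events. The zone coordinates and the trip are constructed sample data, and the tracker is assumed to start outside every zone.

```python
# Added illustration, not any vendor's code: how a tracker back end turns a
# stream of GPS fixes into the geofence enter/leave alerts described above,
# for both circular zones and arbitrary polygons. Coordinates and fixes are constructed.
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_circle(point, center, radius_m):
    """True if point (lat, lon) lies within radius_m of center (lat, lon)."""
    return haversine_m(*point, *center) <= radius_m


def in_polygon(point, vertices):
    """Ray-casting point-in-polygon test on (lat, lon) pairs. Treats lat/lon as a
    plane, which is accurate enough for zones a few kilometres across."""
    lat, lon = point
    inside = False
    n = len(vertices)
    for i in range(n):
        lat_i, lon_i = vertices[i]
        lat_j, lon_j = vertices[(i + 1) % n]
        if (lon_i > lon) != (lon_j > lon):  # edge straddles the point's longitude
            lat_cross = lat_i + (lon - lon_i) * (lat_j - lat_i) / (lon_j - lon_i)
            if lat < lat_cross:
                inside = not inside
    return inside


def contains(zone, point):
    """Dispatch on zone kind; zones are plain dicts (constructed format)."""
    if zone["kind"] == "circle":
        return in_circle(point, zone["center"], zone["radius_m"])
    if zone["kind"] == "polygon":
        return in_polygon(point, zone["vertices"])
    raise ValueError(f"unknown zone kind {zone['kind']!r}")


def geofence_events(fixes, zones):
    """Walk time-ordered fixes [(timestamp, lat, lon), ...] and emit
    (timestamp, zone name, 'enter'|'leave') on every state change.
    The tracker is assumed to start outside every zone."""
    state = {z["name"]: False for z in zones}
    events = []
    for ts, lat, lon in fixes:
        for z in zones:
            now_inside = contains(z, (lat, lon))
            if now_inside != state[z["name"]]:
                events.append((ts, z["name"], "enter" if now_inside else "leave"))
                state[z["name"]] = now_inside
    return events


# Constructed zones: a 300 m circle around a depot and a rectangular plant site.
ZONES = [
    {"name": "depot", "kind": "circle", "center": (51.5000, -0.1000), "radius_m": 300},
    {"name": "plant", "kind": "polygon",
     "vertices": [(51.60, -0.20), (51.61, -0.20), (51.61, -0.19), (51.60, -0.19)]},
]

# Constructed trip: starts at the depot, drives to the plant, comes back.
FIXES = [
    ("08:00", 51.5001, -0.1000),
    ("08:05", 51.5050, -0.1000),
    ("08:40", 51.6050, -0.1950),
    ("16:30", 51.6200, -0.1950),
    ("17:10", 51.5020, -0.1000),
]

if __name__ == "__main__":
    for ev in geofence_events(FIXES, ZONES):
        print(*ev)
```

Running the block prints one line per transition: enter depot, leave depot, enter plant, leave plant, enter depot. A production service would add hysteresis (require two consecutive fixes before flipping state) so that GPS jitter at a zone boundary does not generate a burst of spurious alerts.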
The Optimus 2.0 offers the best combination of price and features. It can send more types of alerts than many competitors, and its app lets you create geofence zones of any shape, whereas most trackers limit you to circular areas. For $40, the Optimus 2.0 includes a magnetic, waterproof case, and its monthly fee is one of the lowest we’ve seen.
Its battery lasts up to two weeks when transmitting at the default 60-second interval, and you can increase the update frequency to every 10 seconds at no extra cost. It is covered by a lifetime warranty as long as the subscription stays active.
The Spytec GL300 is a popular tracker that is very similar to the Optimus 2.0, but it is a little more expensive and has fewer features. For $40 it does not include a magnetic case; that costs $20 extra. And while it sends alerts for excessive speed and for entering or leaving a geofence zone, it lacks the vehicle-movement and low-battery notifications that the Optimus offers.
With Spytec’s Basic plan, the tracker updates its data every 60 seconds, with up to 20 days of battery life. You can increase the update rate to every 30 seconds for $10 more per month.