Widely used vehicle GPS trackers from Micodus are affected by critical vulnerabilities that can be exploited by hackers to stalk people and remotely disable cars, according to cybersecurity company BitSight.
BitSight researchers discovered the flaws last year and the company has been trying to responsibly disclose its findings to China-based GPS tracker supplier Micodus since September 2021. However, its efforts have been unsuccessful and the security holes remain unpatched.
Six vulnerabilities have been identified in the Micodus MV720 GPS tracker, which costs roughly $20 and is widely available, but BitSight believes other products from the same vendor are likely affected as well.
The vendor says 1.5 million of its tracking devices are deployed across 169 countries. The cybersecurity firm’s analysis shows that the products are used in the government, military, law enforcement, aerospace, engineering, shipping, manufacturing and other industries.
The device model analyzed by BitSight provides GPS tracking, anti-theft, fuel cut-off, geofencing and remote control capabilities. It can be controlled using commands sent via SMS or through mobile and web applications.
The product is affected by hardcoded and default password, broken authentication, cross-site scripting (XSS), and insecure direct object reference (IDOR) issues. A threat actor could use various attack vectors, including man-in-the-middle (MitM), authentication bypass through the mobile app, and reprogramming the tracker to use an attacker-controlled IP address as its API server.
In each scenario, a remote attacker could take complete control of the GPS tracker, giving them access to location and other information, and allowing them to disarm alarms and cut off fuel, BitSight warns.
The cybersecurity firm has described several possible scenarios involving exploitation of these vulnerabilities. Hackers could, for instance, stalk high-profile people, as well as regular individuals with the goal of committing a crime, such as a burglary.
Profit-driven cybercriminals could disable a person’s car or a company’s entire vehicle fleet and demand a ransom. If a vehicle is disabled while in motion, it could have serious safety implications.
Since Micodus GPS trackers are also used by government and military organizations, exploitation of the flaws could have national security implications, BitSight warns.
BitSight could not accurately determine how many devices are in use, but monitoring connections to a Micodus server revealed more than 2.3 million connections, including 90,000 connections to the web interface port, which is believed to be a fairly accurate measurement of unique customers.
The highest number of users appear to be in countries such as Mexico, Chile, Brazil, Russia, Spain, Poland, Ukraine, South Africa and Morocco. Researchers have managed to identify some organizations using the Micodus GPS tracker, including national militaries in South America and Eastern Europe, law enforcement and government organizations in Western Europe, and a government ministry in North America.
After seeing that it could not report its findings directly to the vendor, BitSight reached out to the US Cybersecurity and Infrastructure Security Agency (CISA), which assigned five CVE identifiers to the vulnerabilities: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944. CISA has also issued its own advisory.
BitSight has made available technical details for each vulnerability and the company has advised Micodus customers to stop using the impacted tracker until a patch is released. Workarounds are not available, the cybersecurity firm says.
SecurityWeek has reached out to the vendor for comment and will update this article if the company responds.
Related: Honda Admits Hackers Could Unlock Car Doors, Start Engines
Related: Many GPS Tracking Services Expose User Location, Other Data
Related: Researchers Find Exploitable Bugs in Mercedes-Benz Cars
