Headline
Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles
By Deeba Ahmed The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back… This is a post from HackRead.com Read the original post: Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles
****The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back in September 2021 yet it has not fixed the issue.****
Cybersecurity startup BitSight has identified six flaws in the GPS tracker MV720 manufactured by China-based MiCODUS. According to the IT security researchers at BitSight the critical security vulnerabilities were present in MV720 GPS trackers, used primarily for tracking vehicle fleets. The vulnerabilities can allow hackers to track, stop, and control vehicles remotely.
For your information, MV720 is a hardwired GPS tracker worth around $20. The Shenzhen-based MiCODUS electronics maker claims that 1.5 million of its GPS trackers are currently in use by over 420,000 customers across 169 countries.
Furthermore, its clients include several Fortune 50 companies, shipping, aerospace, government, military, critical infrastructure, law enforcement agencies, and a nuclear power plant operator.
Vulnerabilities Details
BitSight has detected six severe vulnerabilities in the abovementioned tracker, which can be easily exploited remotely to track a vehicle in real-time, get information about previous routes, and even cut the vehicles’ engines when in motion.
BitSight’s principal security researcher and report author, Pedro Umbelino, explained that the vulnerabilities’ easy exploitation raises “significant questions” about the company’s products as the bugs may not be restricted to one GPS tracker model. He believes the same flaws are present in other tracker models.
MV720 GPS tracker
Dangers Posed by the Flaws
According to BitSight’s blog post, one flaw in MV720 is in unencrypted HTTP communications, allowing hackers to remotely conduct adversary-in-the-middle attacks (AiTM) to intercept/change the requests exchanged between the servers and the mobile application.
Another flaw is found in the tracker’s authentication mechanism in the mobile app, which lets attackers access the hardcoded key to lock down the trackers and use a custom IP address. This enables hackers to monitor and control communications to and from the device.
The vulnerability tracked as CVE-2022-2107 is assigned a severity rating of 9.8 out of 10. It is a hardcoded password that MiCODUS trackers use as a master password. If obtained by hackers, they can use this passcode to log into the web server and pose as an authentic user to send commands to the tracker via SMS communications.
Hence, they can fully control any GPS tracker, access location details, disarm the alarm, change routes and geofences, and cut off vehicles’ fuel.
Another vulnerability tracked as CVE-2022-2141 enables a broken authentication state in the protocol used by the tracker to communicate with the MiCODUS server. Then there’s a reflected cross-site scripting error identified in the Web server. Tracking designations of other vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.
In its technical write-up , BitSight warned MiCODUS in September 2021 about the flaws. However, after the company’s lukewarm response, CISA and BitSight decided to make the findings public. The vulnerabilities are still unpatched. BitSight recommends that all organizations and individuals using MV720 GPS trackers immediately disable the devices until they are patched.
Organizations and individuals using MV720 devices in their vehicles are at risk. Leveraging our proprietary data sets, BitSight discovered MiCODUS devices used in 169 countries by organizations including government agencies, military, and law enforcement, as well as businesses spanning a variety of sectors and industries including aerospace, energy, engineering, manufacturing, shipping, and more. Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.
BitSight
- Woman Follows GPS, Goes Straight into Lake
- 600,000 GPS child trackers found vulnerable to location tracking
- Security Flaws in GPS Trackers Puts Millions of Devices’ Data at Risk
- Shoddy security of smartwatch lets hackers access your child’s location
- Strava’s Global Heat Map Exposes User Locations Including Military Bases
Related news
Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device. The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.
Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device. The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.
Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device. The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.
Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device. The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.
Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk
Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk
Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk
Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of
A GPS device from MiCODUS has six security bugs that could allow attackers to monitor 1.5 million vehicles that use the tracker, or even remotely disable vehicles.