Vulnerabilities in GPS tracker could have “life-threatening” implications
Originally published on Malwarebytes Labs.
Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.
The vulnerabilities are severe enough for the Cybersecurity & Infrastructure Security Agency (CISA) to publish a Security Advisory titled ICSA-22-200-01: MiCODUS MV720 GPS Tracker.
What’s happened?
The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut off, remote control and geofencing capabilities. In total, there are 1.5 million of these devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.
If the vulnerabilities are successfully exploited, an attacker could take control of the tracker, giving them access to location, routes, and fuel cutoff commands, as well as the ability to disarm various features like alarms. The vulnerabilities found are very diverse, which implies that the application was not built with security in mind. Or certainly not top of mind.
The vulnerabilities
Hard coded credentials
CVE-2022-2107: The API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.
Improper authentication
CVE-2022-2141: SMS-based GPS commands can be executed without authentication.
Improper neutralization of input during web page generation
CVE-2022-21999: The main web server has a reflected cross-site scripting (XSS) vulnerability that could allow an attacker to gain control by tricking a user into making a request.
Authorization bypass through user-controlled key
CVE-2022-34150: The main web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.
Another authorization bypass through user-controlled key
CVE-2022-33944: The main web server has an authenticated insecure direct object reference vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.
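The two authorization-bypass entries above describe the same missing check: the server accepts a device ID from a logged-in user without verifying that the device belongs to that user. The following is an added example, not MiCODUS code and not part of the original article, that puts a lookup trusting the supplied ID beside one that enforces ownership. The account names, device IDs, positions and function names are all constructed for illustration.

```python
# Added example: constructed data and hypothetical function names, not vendor code.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested device."""


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str          # account that registered the tracker
    last_position: str


# Constructed sample store: two customers, one tracker each.
DEVICES = {
    "1001": Device("1001", "alice", "52.37,4.90"),
    "1002": Device("1002", "bob", "48.85,2.35"),
}


def get_position_trusting_id(session_user: str, device_id: str) -> str:
    """Weak pattern: being logged in is treated as being authorized."""
    if not session_user:
        raise Forbidden("login required")
    return DEVICES[device_id].last_position  # any valid ID is served


def get_position_checked(session_user: str, device_id: str) -> str:
    """Hardened pattern: the ID must belong to the authenticated account."""
    device = DEVICES.get(device_id)
    # Unknown and foreign IDs get the same answer, so responses do not
    # reveal which device IDs exist.
    if not session_user or device is None or device.owner != session_user:
        raise Forbidden("device not available for this account")
    return device.last_position


def is_denied(handler, session_user: str, device_id: str) -> bool:
    """Helper for audits and tests: True when the handler refuses the request."""
    try:
        handler(session_user, device_id)
    except Forbidden:
        return True
    return False
```

The ownership comparison has to run on the server for every endpoint that takes a device ID, including POST parameters, because the client controls that value.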
Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, and privacy intrusions, and could threaten national security.
Mitigation
Since MiCODUS has not provided updates or patches to mitigate these vulnerabilities, users are advised to turn the vulnerable devices off.
The researchers first contacted MiCODUS about the vulnerabilities in September 2021, and due to a lack of response CISA and BitSight decided to publish their research.