Security
Headlines
HeadlinesLatestCVEs

Headline

Zero-day flaws in GPS tracker pose surveillance, fuel cut-off risks to vehicles

Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk

PortSwigger
#xss#vulnerability#web#ios#android#pdf#auth#zero_day

Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk

A raft of zero-day flaws found in a popular automotive GPS tracking device “could have disastrous and even life-threatening implications”, security researchers warn.

Six as-yet-unpatched vulnerabilities unearthed by BitSight researcher Pedro Umbelino affect the API server, GPS tracker protocol, and web server of the MV720 GPS tracker, which was developed by China-based company MiCODUS.

Successful abuse of the bugs could see attackers “cut fuel to an entire fleet of commercial or emergency vehicles”, use GPS data “to monitor and abruptly stop vehicles on dangerous highways”, or “track individuals or demand ransom payments to return disabled vehicles to working condition”, according to research (PDF) from BitSight.

Huge attack surface

According to the cybersecurity firm, the MiCODUS MV720 provides theft protection and fleet management functionality to customers in at least in 169 countries, including a Fortune 50 energy company, a national military in South America, a federal government in Western Europe, a national law enforcement agency in Western Europe, and a nuclear power plant operator.

Alarmingly, BitSight said Umbelino also uncovered security issues associated with the firm’s cloud-based device management interface for the web, iOS, and Android, a finding which means other MiCODUS GPS tracking models could also be insecure. If MiCODUS’ own figures are accurate, that equates to 1.5 million potentially vulnerable devices worldwide.

DON’T MISS ‘Password extraction risk’ in identity provider Okta disputed

With security patches yet to materialize, BitSight has urged users to “immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available”.

A security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) said that “no known public exploits specifically target these vulnerabilities” in the MV720 GPS tracker.

Authentication issues

Two critical authentication issues in the API server, both notching a CVSS score of 9.8, enable “an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number”.

One bug relates to a hard-coded master password (CVE-2022-2107) and the other, resulting from improper authentication (CVE-2022-2141), potentially enables manipulator-in-the-middle (MitM) attacks.

The devices and the mobile interface are preconfigured with the default password ‘123456’, which BitSight classed as a high severity (CVSS 8.1) issue, although CISA declined to assign a CVE. “There is no mandatory rule to change the password nor is there any claiming process”, according to BitSight, which found that 94.5% of 1,000 responding device IDs still had the default password.

With the device ID easily predictable and the server seemingly lacking password brute force mitigations such as rate-limiting, attackers can easily access random GPS trackers.

Read more of the latest IoT security news

A high severity (CVSS 7.5) reflected cross-site scripting (XSS) vulnerability affecting the main web server, meanwhile, could enable attackers to “fully compromise the device”.

The main web server also contains a pair of authenticated insecure direct object reference vulnerabilities, tracked as CVE-2022-34150 (CVSS 7.1) and CVE-2022-33944 (CVSS 6.5).

“Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features” is as potentially dangerous as it is useful, suggested BitSight.

“Unfortunately, the MiCODUS MV720 lacks basic security protections”, and with only “limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem”.

BitSight said it first disclosed the flaws to the vendor on September 9, 2021, and after responding initially, MiCODUS failed to reply to multiple subsequent requests for updates, both from BitSight and CISA. BitSight published its findings yesterday (July 19).

YOU MIGHT ALSO LIKE Jacuzzi customer details could be exposed by SmartTub web bugs, claims researcher

Related news

Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

By Deeba Ahmed The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back… This is a post from HackRead.com Read the original post: Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

Vulnerabilities in GPS tracker could have “life-threatening” implications

Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device. The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.

CVE-2022-34150

The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of

Unpatched GPS Tracker Security Bugs Threaten 1.5M Vehicles With Disruption

A GPS device from MiCODUS has six security bugs that could allow attackers to monitor 1.5 million vehicles that use the tracker, or even remotely disable vehicles.

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig