According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), several unpatched security flaws in the MiCODUS MV720 Global Positioning System (GPS) tracker, installed in more than 1.5 million vehicles, could allow remote disruption of critical operations.
“Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of the global positioning system tracker,” said CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”
Major companies in 169 countries use the $20 tracking devices produced by the China-based firm MiCODUS. The devices are deployed in the nuclear power, aerospace, energy, engineering, manufacturing, and shipping industries. Chile, Mexico, Morocco, Ukraine, Australia, Russia, Venezuela, Uzbekistan, Brazil, Italy, Indonesia, Poland, and South Africa are the countries with the most users.
The vulnerabilities, which BitSight discovered during a security assessment, could be used to track individuals without their consent, disable vehicles, or even threaten national security, given that military and law enforcement organizations use the trackers for real-time surveillance. According to BitSight researchers, a nation-state adversary could exploit the tracker's flaws to gather intelligence on troop movements, supply lines, and recurring patrols.
The following is a list of vulnerabilities that were reported to MiCODUS in September 2021:
- CVE-2022-2107 (CVSS score of 9.8) – A hard-coded master password could allow an unauthenticated attacker to launch adversary-in-the-middle (AitM) attacks and take over the tracker.
- CVE-2022-2141 (CVSS score of 9.8) – A weakness in the API server's authentication scheme could allow an attacker to take control of the entire communication flow between the GPS tracker and the originating server.
- No assigned CVE (CVSS score of 8.1) – Use of the default password "123456," which gives attackers unrestricted access to any GPS tracker.
- CVE-2022-2199 (CVSS score of 7.5) – A web server flaw (reflected cross-site scripting, or XSS) that allows arbitrary JavaScript code to execute in the victim's web browser.
- CVE-2022-34150 (CVSS score of 7.1) – Potential disclosure of sensitive data due to an access control flaw caused by an Insecure Direct Object Reference (IDOR).
- CVE-2022-33944 (CVSS score of 6.5) – An authenticated IDOR flaw that could be used to generate Excel reports about device activity.
In essence, the flaws could be weaponized to obtain location and route data, issue fuel cut-off commands, and disable features such as alarms. Because no workaround is currently known, users of the affected GPS tracker are advised to take steps to reduce their exposure or, alternatively, to stop using the devices and disable them entirely until the vendor releases a fix.
“Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations,” said the researchers. “However, such functionality can introduce serious security risks.”