Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

The MV720 GPS tracker is made by China-based MiCODUS, which was informed about the flaws in September 2021 but has not fixed them.

Cybersecurity startup BitSight has identified six flaws in the MV720 GPS tracker made by China-based MiCODUS. According to the IT security researchers at BitSight, the critical security vulnerabilities are present in MV720 GPS trackers, which are used primarily for tracking vehicle fleets. The vulnerabilities can allow hackers to track, stop, and control vehicles remotely.

For your information, the MV720 is a hardwired GPS tracker worth around $20. Shenzhen-based electronics maker MiCODUS claims that 1.5 million of its GPS trackers are currently in use by around 420,000 customers across 169 countries.

In addition, its customers include several Fortune 50 companies, shipping, aerospace, government, military, critical infrastructure, law enforcement agencies, and a nuclear power plant operator.

Vulnerability Details

BitSight has detected six severe vulnerabilities in the above-mentioned tracker, which can be easily exploited remotely to track a vehicle in real time, get information about previous routes, and even cut the vehicles' engines while in motion.

BitSight's principal security researcher and report author, Pedro Umbelino, explained that the vulnerabilities' easy exploitation raises "significant questions" about the company's products, as the bugs may not be limited to just one GPS tracker model. He believes the same flaws are present in other tracker models.

Dangers Posed by the Flaws

According to BitSight's blog post, one flaw in the MV720 is its unencrypted HTTP communications, which allow hackers to remotely conduct adversary-in-the-middle (AiTM) attacks to intercept or change the requests exchanged between the servers and the mobile application.

Another flaw is found in the tracker's authentication mechanism in the mobile app, which lets attackers access the hardcoded key to lock down the trackers and use a custom IP address. This allows hackers to monitor and control communications to and from the device.

The vulnerability tracked as CVE-2022-2107 is assigned a severity score of 9.8 out of 10. It is a hardcoded password that MiCODUS trackers use as a master password. If hackers obtain it, they can use this passcode to log into the web server and pose as a legitimate user to send commands to the tracker via SMS communications.

As a result, they can completely control any GPS tracker, access location details, disarm the alarm, change routes and geofences, and cut off vehicles' fuel.

Another vulnerability, tracked as CVE-2022-2141, permits a broken authentication condition in the protocol used by the tracker to communicate with the MiCODUS server. Then there is a reflected cross-site scripting error identified in the web server. Tracking designations of other vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

According to its technical write-up, BitSight warned MiCODUS about the flaws in September 2021. However, after the company's lukewarm response, CISA and BitSight decided to make the findings public. The vulnerabilities are still unpatched. BitSight recommends that all organizations and individuals using MV720 GPS trackers immediately disable the devices until they are patched.

Organizations and individuals using MV720 devices in their vehicles are at risk. Leveraging our proprietary data sets, BitSight discovered MiCODUS devices used in 169 countries by organizations including government agencies, military, and law enforcement, as well as businesses spanning a variety of sectors and industries including aerospace, energy, engineering, manufacturing, shipping, and more. Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.
