A popular GPS tracking device – MiCODUS MV720 GPS tracker – that is installed in vehicles to protect against theft and for vehicle fleet management has been found to contain six severe vulnerabilities that could be remotely exploited by threat actors to gain control of the device.
The MiCODUS MV720 GPS tracker is hardwired into vehicles and allows vehicles to be tracked for fleet management, and also incorporates several anti-theft capabilities including remote control, geofencing, and fuel cut-off. If an attacker were to exploit the vulnerabilities and gain control of the tracker, those functions could be used to monitor the location of vehicles or to activate the anti-theft capabilities.
The vulnerabilities were identified by researchers at BitSight, who warned that it would be possible to hack an entire fleet of vehicles and cut off the fuel supply. If the vehicles were on a freeway at the time, the consequences could be disastrous. The GPS trackers may have been added to fleets of emergency vehicles, potentially causing major disruption to emergency services with life-threatening consequences.
According to the researchers, the tracking devices are used in vehicles in 169 countries, including by government agencies, military, and law enforcement. The researchers say they attempted to contact MiCODUS on multiple occasions between September 9, 2021, and January 14, 2022, before reporting their research and findings to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA attempted to engage the vendor between May 1, 2022, and July 19, 2022, and BitSight decided to publish the findings of its research when the vendor failed to engage with CISA or respond to BitSight’s requests.
MiCODUS is a Shenzhen, China-based manufacturer of electronic accessories for automotive vehicles. The company’s GPS tracking devices are used in more than 1.5 million vehicles worldwide. The researchers conducted their research on the MV720 model, which is the least expensive model in the range that has fuel cut-off functionality.
The vulnerabilities could allow a man-in-the-middle attack in which requests between the mobile application and the supporting servers are intercepted and tampered with. In such an attack, the attacker could disable or activate the anti-theft functions and access real-time location information for tracking. Rather than protecting against theft, the devices could enable it.
The authentication mechanism is flawed and can be bypassed: using a hardcoded key, an attacker could access any device, send messages to it, and impersonate the GPS owner, gaining complete control over the device. It is also possible to remotely reprogram the GPS tracker to use a custom IP address as its API server, allowing an attacker to monitor and control all communications to and from the device.
CISA has assigned CVE codes to five of the vulnerabilities:
- CVE-2022-2107 – Hardcoded password – CVSS 9.8 (Critical)
- CVE-2022-2141 – Broken authentication – CVSS 9.8 (Critical)
- CVE-2022-2199 – Reflected XSS – CVSS 7.5 (High severity)
- CVE-2022-34150 – Insecure Direct Object Reference – CVSS 7.1 (High severity)
- CVE-2022-33944 – Insecure Direct Object Reference – CVSS 6.5 (Medium severity)
The sixth vulnerability, which has not yet been assigned a CVE, is due to the use of a default password. It has been assigned a CVSS score of 8.1 (High severity).
Due to the severity of the vulnerabilities, BitSight recommends that all users of the affected GPS trackers stop using them immediately, or disable them, until MiCODUS issues a fix to correct the vulnerabilities.