Vulnerabilities in popular GPS tracker could allow hackers to remotely stop cars

Six vulnerabilities in the MiCODUS MV720 GPS tracker that’s used by organizations around the world to manage and protect vehicle fleets could be exploited by attackers to remotely cut fuel to or abruptly stop vehicles.

“Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition,” BitSight researchers noted, and added that “there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.”

The vulnerabilities

The MiCODUS MV720 is a hardwired GPS tracker through which fleet owners can track vehicles (especially when they are stolen), cut off fuel to them, geofence them so they can’t be driven outside specific areas, and generally have remote control over the vehicles. Unfortunately, the discovered flaws may offer attackers the same capabilities.

The researchers found authentication vulnerabilities that may allow attackers to send SMS commands to a vulnerable GPS tracker and may result in those commands being executed. Also, vulnerabilities that would allow attackers to gain control of vulnerable devices and bypass authentication to access data stored by any device in the server database (e.g., data about the user, the vehicle, usage statistics, etc.).

So far, nothing unusual – egregious security vulnerabilities are regularly discovered in Internet of Things (IoT) devices. The main problem here is that the researchers believe these vulnerabilities can be found in other models of MiCODUS’s devices, and the fact that the Chinese company stonewalled the researchers when they tried to privately share their findings with the company’s security or engineering department.

This ultimately resulted in BitSight researchers sharing the info with the US Cybersecurity and Infrastructure Security Agency (CISA), which in turn shared the info with the company – but has also not heard back from them.

As things currently stand, the vulnerabilities have yet to be fixed and it’s unknown if and when the manufacturer plans to do it.

What to do?

“BitSight observed 2,354,603 connections to the MiCODUS server across 169 countries. We observed usage of MiCODUS devices by a wide range of organizations, including a Fortune 50 energy company, a national military in South America, a national government in Western Europe, a national law enforcement organization in Western Europe, and a nuclear power plant operator,” the researchers shared, though they noted that they were unable to determine the number of the vulenrable MiCODUS MV720 devices deployed globally.

“Most North American organizations using MiCODUS devices are in the manufacturing sector, while those in South America tend to be government institutions. MiCODUS users in Europe belong to a more diverse group of sectors, ranging from finance to energy. Authorities around the globe should consider these geographic differences in sector usage to better understand the potential ramifications of an attack exploiting vulnerabilities in MiCODUS devices.”

Individuals around the world also often use MiCODUS GPS trackers it as an anti-theft device.

While CISA offered advice on a number of defensive measures users can make to minimize the risk of exploitation of the vulnerabilities, the best course of action would be for users to stop using the vulnerable trackers until a fix is made available.

“Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk,” BitSight researchers pointed out.