Popular Vehicle GPS Tracker Gives Hackers Admin Privileges Over SMS
Vulnerability researchers have found security issues in a GPS tracker that is advertised as being present in about 1.5 million vehicles in 169 countries.
A total of six vulnerabilities affect the MiCODUS MV720 device, which is present in vehicles used by several Fortune 50 firms, governments in Europe, states in the U.S., a military agency in South America, and a nuclear plant operator.
The risks stemming from the findings are significant and impact both privacy and security. A hacker compromising an MV720 device could use it for tracking or even immobilizing the vehicle carrying it, or to collect information about the routes, and manipulate data.
Considering the roles of many of the device’s users, nation-state adversaries could leverage them to perform attacks that might have national security implications.
For example, MiCODUS GPS trackers are used by the state-owned Ukrainian transportation agency, so Russian hackers could target them to determine supply routes, troop movements, or patrol routes, researchers at cybersecurity company BitSight say in a report today.
BitSight looked at the particular MiCODUS model because it is a low-cost ($20) and highly-popular device, it has reliable cellular-enabled tracking features, and could be used for potentially dangerous activities, such as cutting off the fuel.
While not all of the six vulnerabilities BitSight found have received an identification number, they are described as follows:
- CVE-2022-2107: Hardcoded master password on the API server, allowing an unauthenticated remote attacker to gain complete control of any MV720 tracker, perform cut-off fuel actions, track users, and disarm alarms. (critical severity score: 9.8)
- CVE-2022-2141: Broken authentication scheme allowing anyone to send some commands to the GPS tracker via SMS and run them with admin privileges. (critical severity score: 9.8)
- No assigned CVE: Weak default password (123456) on all MV720 trackers, with no mandatory rule to require the user to change it after initial device set up. (high severity score: 8.1)
- CVE-2022-2199: Reflected cross-site scripting (XSS) on the main web server, allowing an attacker to access user accounts, interact with the apps, and view all information accessible to that user. (high severity score: 7.5)
- CVE-2022-34150: Insecure direct object reference on the main web server, allowing logged-in users to access data from any Device ID in the server database. (high severity score: 7.1)
- CVE-2022-33944: Insecure direct object reference on the main web server, allowing unauthenticated users to generate Excel reports about GPS tracker activity. (medium severity score: 6.5)
BitSight has developed proofs of concept (PoCs) code for the five flaws that received an identification number, demonstrating how they could be exploited in the wild.
Also Read: 8 best OSINT tools for your business
Disclosure and fixing
The security firm discovered the critical flaws on September 9, 2021, and attempted to alert MiCODUS immediately but encountered difficulties finding the right person to accept a security report.
The Chinese vendor of the GPS tracker was contacted again on October 1, 2021, but refused to provide a security or engineering contact. Subsequent attempts to contact the vendor in November didn’t yield a response.
Finally, on January 14, 2022, BitSight shared all the technical details of its findings with the U.S. Department of Homeland Security and requested them to engage with the vendor via their communication channels.
Currently, the MiCODUS MV720 GPS tracker remains vulnerable to the mentioned flaws, and the vendor hasn’t made a fix available.
As such, users of these devices are recommended to disable them immediately until a fix is out or replace them with actively supported GPS trackers. To continue using them would be an extreme security risk, especially after this public disclosure.