Critical flaws in GPS tracker allow ‘catastrophic’ and ‘life-threatening’ hacks

A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or at least minimize exposure to it, citing multiple vulnerabilities that allow hackers to remotely disable cars while they’re moving, location history tracking, disable alarms and cut off fuel.

An assessment by security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe that the same critical vulnerabilities are present in other models of Micodus trackers. The China-based manufacturer says 1.5 million of its tracking devices are deployed in 420,000 customers. BitSight found the device is in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping and manufacturing companies.

BitSight found six “serious” vulnerabilities in the device that allow multiple possible attacks. One drawback is the use of unencrypted HTTP communications, which allows remote hackers to perform man-in-the-middle attacks that intercept or modify requests sent between the mobile application and the supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that could allow attackers to access the trackers’ hard-coded lock key and the ability to use a custom IP address that allows hackers to monitor and control all communications to and from device.

The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally released the findings on Tuesday after months of trying to privately contact the manufacturer. At the time of writing, all vulnerabilities remain unpatched and unpatched.

“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable those devices until a fix is ​​available,” researchers wrote. “Organizations using a MiCODUS GPS tracker, regardless of model, should be alerted to system architecture insecurities that could put any device at risk.”

The US Cybersecurity and Infrastructure Security Administration also warns of the risks posed by critical security flaws.

“Successful exploitation of these vulnerabilities could allow an attacker to take control of any MV720 GPS tracker, providing access to location, routes, fuel stop commands, and disabling various features (eg alarms),” agency officials wrote.

The vulnerabilities include one tracked as CVE-2022-2107, a hardcoded password that carries a severity rating of 9.8 out of a possible 10. Micodus trackers use it as a master password. Hackers who obtain this password can use it to log into the web server, impersonate a legitimate user, and send commands to the tracker via SMS messages that appear to come from the GPS user’s mobile number. With this control, hackers can:

• Get full control over any GPS tracker
• Access real-time location information, routes, geofencing and location tracking
• Stop the fuel for the vehicles
• Disable alarms and other features

A separate vulnerability, CVE-2022-2141, results in a broken authentication condition in the protocol that the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hard-coded password used by the Micodus server, a reflected cross-site scripting error in the web server, and an insecure direct reference to an object in the web server. Other trace designations include CVE-2022-2199, CVE-2022-34150, CVE-2022-33944.

“Exploitation of these vulnerabilities can have catastrophic and even life-threatening consequences,” the BitSight researchers wrote. “For example, an attacker could use some of the vulnerabilities to defuel an entire fleet of commercial or emergency vehicles. Or an attacker could use GPS information to monitor and suddenly stop vehicles on dangerous highways. Attackers may choose to secretly track individuals or demand ransom payments to restore disabled vehicles to working condition. There are many possible scenarios that could result in loss of life, property damage, invasion of privacy, and threat to national security.

Attempts to reach Micodus for comment were unsuccessful.

BitSight warnings are important. Anyone using one of these devices should turn it off immediately if possible and consult with a trained security professional before using it again.