Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

The MV720 GPS tracker is manufactured by a China-based corporation MiCODUS which was knowledgeable about the flaws again in September 2021 however it has not fastened the problem.

Cybersecurity startup BitSight has recognized six flaws in the GPS tracker MV720 created by China-based MiCODUS. According to the IT stability researchers at BitSight the essential stability vulnerabilities have been present in MV720 GPS trackers, made use of mainly for monitoring motor vehicle fleets. The vulnerabilities can make it possible for hackers to monitor, cease, and control motor vehicles remotely.

For your facts, MV720 is a hardwired GPS tracker truly worth all over $20. The Shenzhen-centered MiCODUS electronics maker statements that 1.5 million of its GPS trackers are currently in use by over 420,000 shoppers throughout 169 nations around the world.

On top of that, its purchasers include various Fortune 50 companies, delivery, aerospace, governing administration, navy, important infrastructure, regulation enforcement companies, and a nuclear ability plant operator.

Vulnerabilities Details

BitSight has detected six significant vulnerabilities in the abovementioned tracker, which can be very easily exploited remotely to track a car or truck in authentic-time, get information about preceding routes, and even lower the vehicles’ engines when in motion.

BitSight’s principal stability researcher and report writer, Pedro Umbelino, stated that the vulnerabilities’ simple exploitation raises “significant questions” about the company’s products and solutions as the bugs may not be limited to one GPS tracker design. He believes the exact same flaws are current in other tracker types.

Risks Posed by the Flaws

According to BitSight’s site put up, a person flaw in MV720 is in unencrypted HTTP communications, allowing for hackers to remotely carry out adversary-in-the-middle assaults (AiTM) to intercept/alter the requests exchanged concerning the servers and the mobile software.

An additional flaw is discovered in the tracker’s authentication system in the cell application, which lets attackers accessibility the hardcoded crucial to lock down the trackers and use a tailor made IP tackle. This permits hackers to check and regulate communications to and from the machine.

The vulnerability tracked as CVE-2022-2107 is assigned a severity rating of 9.8 out of 10. It is a hardcoded password that MiCODUS trackers use as a learn password. If acquired by hackers, they can use this passcode to log into the internet server and pose as an authentic person to mail commands to the tracker by means of SMS communications.

As a result, they can entirely command any GPS tracker, entry locale facts, disarm the alarm, adjust routes and geofences, and minimize off vehicles’ fuel.

Yet another vulnerability tracked as CVE-2022-2141 permits a broken authentication point out in the protocol utilized by the tracker to talk with the MiCODUS server. Then there’s a mirrored cross-web-site scripting error discovered in the Web server. Tracking designations of other vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

In its technological write-up , BitSight warned MiCODUS in September 2021 about the flaws. On the other hand, immediately after the company’s lukewarm reaction, CISA and BitSight resolved to make the findings public. The vulnerabilities are nevertheless unpatched. BitSight endorses that all corporations and persons applying MV720 GPS trackers quickly disable the equipment until eventually they are patched.

Businesses and persons utilizing MV720 equipment in their vehicles are at risk. Leveraging our proprietary knowledge sets, BitSight learned MiCODUS units used in 169 countries by organizations like federal government agencies, military, and law enforcement, as perfectly as corporations spanning a wide range of sectors and industries such as aerospace, strength, engineering, manufacturing, delivery, and far more. Offered the impact and severity of the vulnerabilities discovered, it is highly suggested that people quickly cease applying or disable any MiCODUS MV720 GPS trackers right until a take care of is built offered.

BitSight

A lot more Linked Matters

1. Woman Follows GPS, Goes Straight into Lake
2. 600,000 GPS baby trackers discovered susceptible to area monitoring
3. Protection Flaws in GPS Trackers Puts Hundreds of thousands of Devices’ Knowledge at Threat
4. Shoddy stability of smartwatch lets hackers accessibility your child’s place
5. Strava’s Worldwide Warmth Map Exposes Person Areas Which include Armed service Bases