GPS, or Global Positioning Systems, have become a staple of our lives, especially in the transportation sector. Whether you are broadcasting your location for a rideshare or trying to find the quickest way to avoid traffic on your commute, it seems that paper maps and printed directions have become a thing of the past. It comes as no surprise that the more we rely on interconnected devices, the more susceptible to cyber attacks we become. This is exemplified by the Cybersecurity & Infrastructure Security Agency’s (CISA) alert about the MV720 GPS tracker, a device from the Chinese supplier MiCODUS.

According to a report by BitSight, the tracker has six security flaws that can be exploited in attacks that target the physical vehicles in addition to accessing tracking information. The device is used to track the GPS location of vehicles in real time by sending text messages or using an application. This is very useful for companies that manage large fleets of vehicles. The device can also send remote commands to shut down the vehicle’s fuel circuit. Exploiting these vulnerabilities could impact the supply chain as well as the safety of drivers.

BitSight had reached out to MiCODUS about the discovered vulnerabilities, and after waiting for corrective action to take place, BitSight decided to contact CISA and disclose the vulnerabilities. According to The Record, CISA reported that no patches or updates to fix the security issues are available. Two of the vulnerabilities documented in the National Vulnerability Database (NVD) as Common Vulnerabilities and Exposures (CVEs), CVE-2022-2107 and CVE-2022-2141, were assigned a Common Vulnerability Scoring System (CVSS) score of 9.8, making them critical threats.[1]

CVE-2022-2107 describes an API server authentication mechanism that allows devices to use a hard-coded master password to send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.

CVE-2022-2141 describes a vulnerability where SMS-based GPS commands can be executed without authentication.

Other CVEs discovered on the MiCODUS MV720 platform include CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

CVE-2022-2199 describes a Cross-Site Scripting (XSS) vulnerability with the main MiCODUS webserver, which could allow an attacker to gain control by tricking users into making a request.  CVE-2022-2199 has a CVSS score of 7.5.

CVE-2022-34150 describes an authorization bypass vulnerability. The vulnerability authenticates endpoint and parameter device IDs without further verification.  CVE-2022-34150 has a base CVSS score of 7.1.

CVE-2022-33944 describes another authorization bypass vulnerability on endpoint and POST parameter “Device ID” which accepts arbitrary device IDs.  CVE-2022-33944 has a base CVSS score of 6.5.
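The two authorization bypass CVEs above describe a server that acts on a client-supplied device ID without checking who owns the device. As an added illustration (not MiCODUS code and not taken from the BitSight report; the account names, device IDs and function names are hypothetical and the data is constructed), the following Python puts a handler that accepts any device ID beside one that verifies ownership against the authenticated session and records denials so that ID enumeration can be detected:

```python
# Added example: server-side ownership check for a client-supplied device ID.
# Account names, device IDs and function names are hypothetical, and the
# data is constructed; this is not MiCODUS code.
from collections import defaultdict

DEVICE_OWNERS = {"dev-1001": "fleet-a", "dev-1002": "fleet-a",
                 "dev-2001": "fleet-b"}
LOCATIONS = {"dev-1001": (42.99, -71.45), "dev-1002": (43.20, -71.53),
             "dev-2001": (40.71, -74.00)}


class Forbidden(Exception):
    """The session account may not act on the requested device."""


def get_location_vulnerable(session_account, device_id):
    # Flawed pattern: the caller is logged in, but the device ID taken from
    # the request is used as-is, so any account can read any tracker.
    return LOCATIONS.get(device_id)


def get_location_hardened(session_account, device_id, audit_log):
    # Resolve the owner on the server and compare it with the session.
    owner = DEVICE_OWNERS.get(device_id)
    # Unknown device and someone else's device fail identically, so the
    # response does not reveal which device IDs exist.
    if owner is None or owner != session_account:
        audit_log.append((session_account, device_id))
        raise Forbidden("device not available to this account")
    return LOCATIONS[device_id]


def enumeration_suspects(audit_log, threshold=3):
    # Accounts denied on several distinct device IDs are probably walking
    # the ID space; surface them for review.
    denied = defaultdict(set)
    for account, device_id in audit_log:
        denied[account].add(device_id)
    return sorted(a for a, ids in denied.items() if len(ids) >= threshold)
```

The same ownership check belongs on every endpoint that takes a device ID, including any that issue commands to the tracker.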

For more information on the CVEs associated with the MiCODUS MV720 GPS tracker, see the CISA alert.

According to TechCrunch, the MiCODUS MV720 GPS tracking units have been installed on more than 1.5 million vehicles and are used by over 420,000 customers.[2] These vehicles span 169 countries and are used by individuals, government agencies, militaries, law enforcement, and corporations.

The potential impacts of malicious actors taking advantage of the vulnerabilities in the MiCODUS MV720 include the unlawful tracking of individuals using the systems in their vehicles. GPS tracking has been a growing privacy concern for many consumers, and now, with a vulnerable IoT GPS tracker, the privacy of users is at risk. GPS tracking of individuals could lead to burglaries when individuals are tracked leaving their homes, or worse. The device also has the ability to send commands to cut fuel to vehicles, which could lead to attackers holding vehicles for ransom. These types of attacks, if aimed at distribution companies, could lead to supply chain issues and shortages of goods. Finally, because these systems are being used by militaries and law enforcement agencies, nation-state actors could exploit these trackers for intelligence purposes or to cause chaos by disabling emergency vehicles.

Representatives from MiCODUS have not yet introduced patches or updates to address the vulnerabilities. BitSight recommends users disable or discontinue use of the MiCODUS MV720 until a fix is made available. According to BitSight, the device typically requires professional installation and may require mechanic consultation to be properly disabled.

This is an example of the ongoing lack of consideration for security in IoT devices.  It seems that IoT devices are not sufficiently tested before reaching the market.  The vulnerabilities in the MiCODUS MV720 are also representative of a larger trend, which involves an increased reliance on interconnected devices.  The increased reliance on these devices leads to a larger attack surface, and ultimately back to the overarching struggle of cyber security as a whole, which is finding the balance between usability and security.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://therecord.media/unpatched-flaws-in-popular-gps-devices-could-let-hackers-disrupt-and-track-vehicles/

[2] https://techcrunch.com/2022/07/19/micodus-gps-tracker-exposing-vehicle-locations/
