In this day and age, we’re tracked by GPS all the time, particularly in our cars. There are devices that can track vehicles and provide theft protection for both individuals and organizations.
In fact, one popular Chinese-made tracking device sells for as little as $12 on the website Made-in-China.com. According to a report from a cybersecurity firm, the MiCODUS MV720 has an install base of “1.5 million GPS tracking devices in use today across 420,000 customers.” And, if hackers are determined enough and have the right tools, they can use it to launch a “life-threatening” attack on whoever is driving a vehicle equipped with one.
According to Ars Technica, cybersecurity firm BitSight and the U.S. government are advising anyone using the MV720 to immediately disable it, citing critical vulnerabilities in the system that the company isn’t patching.
(Here at The Western Journal, we’ll keep you up to date on the latest in tech with news and analysis you won’t find in the mainstream media. If you support our work, please consider subscribing.)
BitSight found six vulnerabilities hackers can use to gain remote access to the MV720; they identified all of the vulnerabilities as “severe.”
The most severe, as tech website Gizmodo noted, involves “a hardcoded password that is used by all MiCODUS GPS trackers.”
The master password allows “an attacker to log into the web server, impersonate the user and directly send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number,” the report read.
“Using the master password, a remote, unauthenticated attacker can [g]ain complete control of any GPS tracker; [a]ccess location information, routes, geofences, track locations in real-time; [c]ut off fuel to vehicles; and/or [d]isarm alarms and other features.”
The device also has a broken authentication mechanism, which “provides a way to directly send SMS commands to the GPS tracking device as if those messages were coming from the administrator’s mobile device.”
Should this product be recalled?
Some of these commands don’t even require a password to execute, according to BitSight.
BitSight said these vulnerabilities could have “life-threatening implications” if hackers were to target a vehicle or fleet.
“For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways,” the report reads.
“Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions and threaten national security.”
What’s worse, the report said that these vulnerabilities could exist in other devices from the Shenzhen-based MiCODUS.
“BitSight’s research was conducted with the sole purpose of assessing the security of the MV720 GPS tracker and to determine whether an attacker could access a user’s GPS position,” the report notes.
“Although the results surpassed the proposed initial goal, this report does not represent a full security audit of the MiCODUS ecosystem. However, we believe other models may be vulnerable due to security flaws in the MiCODUS architecture. MiCODUS states there are 1.5 million of their GPS tracking devices in use today by individual consumers and organizations.”
Moreover, BitSight said it contacted MiCODUS in September to notify them of the vulnerabilities in the GPS tracker, but they remain unpatched.
That’s why the cybersecurity firm and the federal government’s Cybersecurity and Infrastructure Security Agency decided to go public with their findings last week.
“As of July 18th, 2022, MiCODUS has not provided updates or patches to mitigate these vulnerabilities. CISA will update the corresponding ICSA to reflect any patches, updates or mitigation information provided by MiCODUS in the future,” CISA said in an advisory.
“CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities.”
Those “defensive measures” included minimizing network exposure for control systems, make sure the control system networks were located behind firewalls and, when remote access is necessary, using a virtual private network to connect securely.
However, CISA acknowledged that “[n]o known public exploits specifically target these vulnerabilities.”
Sure, the MiCODUS MV720 may cost less than $20 and provide plenty of advantages for fleet owners and those concerned about vehicle security. If the device isn’t patched, however, the human cost may be incalculable — if and when a hacker gets around to striking. If this affects you, it’s far better to be safe than to be sorry. There are times when tech can come back around and bite the user, no matter how useful that tech may be — and this certainly feels like it has the potential to be one of them.