Vulnerabilities in a GPS tracker used by governments, militaries and Fortune 50 companies could be used to track the locations of high-value targets and disable emergency services
Security researchers have revealed a series of vulnerabilities in a hugely popular GPS tracker that can be exploited to disable the vehicles of some of the world’s most valuable organizations.
The six “serious” vulnerabilities were discovered in the MiCODUS MV720 GPS tracker, which researchers say is installed in 1.5 million vehicles in 169 countries.
The affected vehicles are believed to be used by Fortune 50 companies, militaries, governments, nuclear power plants and law enforcement agencies.
The BitSight researchers who discovered the security flaws said hackers could potentially exploit them to covertly track the vehicles and remotely disable entire fleets.
Being able to track high-value vehicles could potentially lead to tracking government personnel and locating sensitive locations such as safehouses.
BitSight said potential exploits could also lead to the immobilization of emergency vehicles — which then leads to real damage — and the stopping of civilian vehicles on dangerous highways, for example.
The GPS tracker is able to monitor real-time speed, locations and historical routes, and can even remotely shut off the fuel supply in the event of theft, or disable features such as alarms, the researchers said.
The MiCODUS MV720 is a device manufactured in Shenzhen, China, and while the research focused on this model, BitSight said other MiCODUS products could also be vulnerable to the same or similar exploits.
The MV720 tracker usually sells online for about $20 and has been assigned CVE tracking numbers for five of the six vulnerabilities the researchers discovered.
The vulnerability chain has also been deemed serious enough that CISA has issued a dedicated advisory, and the overall CVSSv3 severity score is 9.8/10 because the flaws can be exploited remotely and require only a low level of attack complexity.
BitSight said CISA made repeated attempts to raise the findings with MiCODUS, but the approaches were met with disdain. The US cyber authority then concluded that the flaws warranted public disclosure.
Breakdown of the vulnerabilities
Hardcoded Password (API Server) – CVE-2022-2107 – CVSSv3 Score: 9.8 (critical)
This is one of the most serious vulnerabilities: it allows hackers to perform the most damaging actions once the device is compromised, such as disabling alarms and fuel supplies, and tracking the vehicle.
“Although the API server has an authentication mechanism, devices use a hard-coded master password that allows an attacker to log into the web server, impersonate the user, and send SMS commands directly to the GPS tracker as if they were from the GPS device owner’s mobile number,” BitSight said.
Broken authentication (API server/GPS tracker protocol) – CVE-2022-2141 – CVSS 3.1 score: 9.8 (critical)
The second critical vulnerability allows hackers to send commands to the device via SMS as if they were the device administrator.
This is because the tracker’s default password is set to 123456, the same as the web interface and mobile app. Researchers said this should be changed, but the manufacturer does not require users to change it, and many installations remain on the defaults.
The full list of SMS commands includes sending a Google Maps link to the coordinates of the device, changing the password, and factory resetting.
Default password (API server) – no CVE tracker – CVSS 3.1 score: 8.1 (high)
The only vulnerability for which BitSight couldn’t obtain a CVE identifier was the fact that devices ship with default passwords and never force the user to change them.
The researchers said this in itself represents a “serious vulnerability”, even though unsecured default passwords are all too common on IoT devices.
The other vulnerabilities ranged in score from 6.5 (medium) to 7.5 (high). These were:
CVE-2022-2199, CVSSv3 score: 7.5 (high): A cross-site scripting (XSS) vulnerability could allow an attacker to gain control by tricking a user into making a request.
CVE-2022-34150, CVSSv3 score: 7.1 (high): The main web server has an authenticated Insecure Direct Object Reference (IDOR) vulnerability on the parameter “Device ID”, which accepts arbitrary Device IDs without further verification.
CVE-2022-33944, CVSSv3 score: 6.5 (medium): The main web server has an authenticated IDOR vulnerability on the POST parameter “Device ID”, which accepts arbitrary Device IDs.
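The two IDOR findings above come down to one mistake: the server checks that a caller is logged in, then trusts whatever “Device ID” the caller supplies. The following is an added illustration, not MiCODUS code or BitSight’s material; the handler names, the in-memory owner table, the sample Device IDs and the log lines are all constructed to show the vulnerable pattern, the ownership check that closes it, and how a defender would spot cross-account requests in access logs.

```python
# Constructed sample data: which account owns which tracker, and each
# tracker's last reported position (latitude, longitude).
DEVICE_OWNER = {"dev-1001": "alice", "dev-1002": "bob"}
DEVICE_LOCATION = {"dev-1001": (51.50, -0.12), "dev-1002": (48.86, 2.35)}


class Forbidden(Exception):
    """Caller is authenticated but not authorised for this Device ID."""


def _require_login(session_user: str) -> None:
    # Authentication only answers "who is this?", not "may they see it?"
    if session_user not in DEVICE_OWNER.values():
        raise PermissionError("login required")


def get_location_vulnerable(session_user: str, device_id: str):
    """IDOR pattern: any logged-in user, any Device ID, no ownership check."""
    _require_login(session_user)
    return DEVICE_LOCATION[device_id]       # served regardless of owner


def owns(session_user: str, device_id: str) -> bool:
    """Authorisation decided from the server-side owner table, never from
    a value the client sent. Unknown IDs are simply 'not owned'."""
    return DEVICE_OWNER.get(device_id) == session_user


def get_location_fixed(session_user: str, device_id: str):
    """Hardened handler: same error for 'not yours' and 'does not exist',
    so the endpoint also cannot be used to enumerate valid Device IDs."""
    _require_login(session_user)
    if not owns(session_user, device_id):
        raise Forbidden("device not found")
    return DEVICE_LOCATION[device_id]


def find_cross_account_requests(log_lines):
    """Defender's view: scan access-log lines of the constructed form
    'user=<account> device=<id>' and return requests for trackers the
    account does not own, the trace an IDOR exploit leaves behind."""
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if not owns(fields["user"], fields["device"]):
            hits.append((fields["user"], fields["device"]))
    return hits


# Constructed log sample: the second line is alice reading bob's tracker.
SAMPLE_LOG = [
    "user=alice device=dev-1001",
    "user=alice device=dev-1002",
    "user=bob device=dev-1002",
]
```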
Risk of death
BitSight said the plausible risks to high-value individuals are numerous. Anyone from ordinary citizens to senior politicians could be tracked, putting their personal safety at risk. Hackers could also use tracking data to plan intrusions against wealthy targets such as business leaders.
Hackers can also deploy ransomware on vehicles and demand a ransom to get it working again. The same kind of attack can lead to supply chain problems for some companies.
Emergency services vehicles could be disabled, for example as a result of a ransomware attack, preventing those services from responding to patients and to real crime.
In 2020, there was a case in Germany where a woman died while being transported to hospital by an ambulance that was disrupted en route by a ransomware infection.
At the time, it was believed to be the first known case of a cyberattack leading to loss of life, but a police investigation later disproved the idea, saying the woman’s health was so bad she likely would have died anyway.
The risk to life remains, however, and especially since geopolitical relations between the US and China are as tense as they are, experts told BitSight that the idea that China can control US vehicles is “a problem.”
© Dennis Publishing