Popular GPS tracking software for vehicles grants hackers SMS admin rights
A GPS tracker that is said to be installed in nearly 1.5 million automobiles across 169 nations has security flaws, according to vulnerability researchers.
The MiCODUS MV720 device, which is found in vehicles utilised by many Fortune 50 companies, European governments, American states, a South American military agency, and nuclear plant operators, has a total of six vulnerabilities.
The flaws pose serious risks to both safety and privacy. An attacker with access to an MV720 device could use it to tamper with data, track or even immobilise the vehicle carrying it, or harvest route information.
Given the roles of many of the device's users, nation-state adversaries could use the trackers as a platform for attacks with national-security consequences.
According to specialists at cybersecurity firm BitSight, Russian hackers may target MiCODUS GPS trackers, which are employed by the state-owned Ukrainian transportation service, to ascertain supply routes, army movements, or patrol routes.
Vulnerability details
BitSight looked at the specific MiCODUS model since it is an affordable ($20) and widely used gadget, offers dependable cellular-enabled tracking functions, and might be used for potentially hazardous tasks like switching off the fuel.
Not all six of the vulnerabilities BitSight discovered received a CVE identifier; they are summarised as follows:
- CVE-2022-2107: The API server accepts a hardcoded master password, allowing an unauthenticated remote attacker to take full control of any MV720 tracker, cut the fuel, track users, and disable alarms. (CVSS 9.8, critical)
- CVE-2022-2141: Broken authentication lets anyone send commands to the tracker over SMS and have them executed with administrator rights. (CVSS 9.8, critical)
- No assigned CVE: All MV720 trackers ship with a weak default password (123456), and nothing forces the user to change it after the device is first set up. (CVSS 8.1, high)
- CVE-2022-2199: Reflected cross-site scripting (XSS) on the main web server, which could let an attacker take over a user's account, use the application as that user, and view all data available to that user. (CVSS 7.5, high)
- CVE-2022-34150: An insecure direct object reference on the main web server lets any logged-in user read data for any Device ID in the server database. (CVSS 7.1, high)
- CVE-2022-33944: An insecure direct object reference on the main web server lets unauthenticated users generate Excel reports of GPS tracker activity. (CVSS 6.5, medium)
For each of the five flaws assigned a CVE, BitSight developed proof-of-concept (PoC) code demonstrating that it can be exploited in practice.
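To make the two server-side bug classes in the list concrete, the Python below is an added illustration written for this page: it is not MiCODUS code and not BitSight's PoC. It models a login check that accepts a hardcoded master password (the class of CVE-2022-2107), a device-data endpoint and a report endpoint that never check ownership of the requested Device ID (the classes of CVE-2022-34150 and CVE-2022-33944), and an account still on the factory default password, each beside a hardened version. The account names, device IDs, positions and the placeholder master password are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts, each owning one tracker.
# "bob" is still on the factory default password described in the article.
DEFAULT_PASSWORD = "123456"
PLAINTEXT_USERS = {"alice": "correct horse battery", "bob": DEFAULT_PASSWORD}
DEVICES = {
    "dev-1001": {"owner": "alice", "last_pos": (52.520, 13.405), "fuel_cut": False},
    "dev-2002": {"owner": "bob", "last_pos": (48.857, 2.352), "fuel_cut": False},
}

# ---- Vulnerable patterns -------------------------------------------------

# Hypothetical placeholder; the real hardcoded password is not reproduced here.
MASTER_PASSWORD = "example-master-secret"


def login_vulnerable(user: str, password: str):
    """Hardcoded master password (class of CVE-2022-2107): any account can be
    opened with a secret baked into the server, so one leak opens every account."""
    if user not in PLAINTEXT_USERS:
        return None
    if password == PLAINTEXT_USERS[user] or password == MASTER_PASSWORD:
        return user
    return None


def get_device_vulnerable(session_user, device_id: str) -> dict:
    """IDOR (class of CVE-2022-34150): login is checked, ownership of
    device_id is not, so any logged-in user can read any tracker."""
    if session_user is None:
        raise PermissionError("login required")
    return DEVICES[device_id]


def export_report_vulnerable(device_id: str) -> str:
    """IDOR with no login at all (class of CVE-2022-33944): a report endpoint
    keyed only by device ID and reachable unauthenticated."""
    d = DEVICES[device_id]
    return f"{device_id},{d['last_pos'][0]},{d['last_pos'][1]}"


# ---- Hardened versions ---------------------------------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": _hash_password(password, salt),
        # Accounts still on the factory default must change it before use.
        "must_change": password == DEFAULT_PASSWORD,
    }


# Hardened user store built from the same constructed accounts.
USERS = {name: _make_record(pw) for name, pw in PLAINTEXT_USERS.items()}


def login_hardened(user: str, password: str):
    """No master credential exists; salted PBKDF2 hashes are compared in
    constant time. Returns (user, must_change_password) or None."""
    rec = USERS.get(user)
    if rec is None:
        # Hash anyway so an unknown user is not distinguishable by timing.
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return None
    return user, rec["must_change"]


def _authorize_device(session_user, device_id: str) -> dict:
    """Authentication and ownership check shared by every device endpoint."""
    if session_user is None:
        raise PermissionError("login required")
    device = DEVICES.get(device_id)
    # Same error for "not yours" and "does not exist", so IDs cannot be enumerated.
    if device is None or device["owner"] != session_user:
        raise PermissionError("device not found")
    return device


def get_device_hardened(session_user, device_id: str) -> dict:
    return _authorize_device(session_user, device_id)


def export_report_hardened(session_user, device_id: str) -> str:
    d = _authorize_device(session_user, device_id)
    return f"{device_id},{d['last_pos'][0]},{d['last_pos'][1]}"


if __name__ == "__main__":
    print(login_vulnerable("alice", MASTER_PASSWORD))         # master password opens alice
    print(login_hardened("alice", MASTER_PASSWORD))           # rejected
    print(get_device_vulnerable("bob", "dev-1001")["owner"])  # bob reads alice's tracker
    try:
        get_device_hardened("bob", "dev-1001")
    except PermissionError as e:
        print("blocked:", e)
```

The point of the hardened half is that there is no master credential to leak, every endpoint that takes a Device ID goes through the same ownership check, and an account that is still on the default password is flagged for a forced change at its first login rather than silently accepted.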
Disclosure and fixing
On September 9, 2021, the security company sought to notify MiCODUS of the serious issues but was unsuccessful in locating the appropriate person to accept a security report.
On October 1, 2021, the Chinese supplier of the GPS tracker was contacted once more but declined to offer a security or engineering contact. The vendor was contacted again in November, but no response was received.
Finally, on January 14, 2022, BitSight informed the U.S. Department of Homeland Security of all the technical information pertaining to its discoveries and asked them to communicate with the vendor through their channels.
The vendor has not released a fix, so the MiCODUS MV720 GPS tracker remains vulnerable to all of the issues above.
Users are therefore advised either to disable these devices immediately until a fix is available or to switch to GPS trackers that are not affected. Continuing to use them is extremely unsafe, especially now that the flaws have been publicly disclosed.