Unpatched security flaws in a GPS tracking system produced in China could have dire, “life threatening” consequences, according to the researchers who discovered them. In short: hackers could track your car in real time and even disable it while it’s still moving, the research suggests.
The MiCODUS MV720 GPS tracking device, manufactured by the Shenzhen-based firm of the same name, has a total of six software vulnerabilities that could cause massive trouble for a driver if exploited. Probably the worst vulnerability of the bunch (tracked as CVE-2022-2107) is a hardcoded password that is used by all MiCODUS GPS trackers. Cybercriminals who manage to get ahold of this password can log into the company’s web server remotely and send commands to the GPS device via SMS. Through this method, researchers claim a hacker could commandeer the device, access “location information, routes, geofences, track locations in real-time,” disarm vehicle alarms, and even cut off the flow of gas to the car’s engine while it’s still moving.
“As of July 18th, 2022, MiCODUS has not provided updates or patches to mitigate these vulnerabilities,” CISA’s announcement about the vulnerability reads. “CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities,” it continues, before providing a list of recommendations.
Unfortunately, MiCODUS hasn’t provided any software patches yet. And it’s not totally clear if they’re going to. We reached out to the company with multiple requests for comment and will update this story if they respond.
Though you can easily buy these devices for about $20 from major online retailers like Amazon, eBay, and Alibaba, it’s not totally clear how widely used they are in the U.S. BitSight writes that MiCODUS has an “install base of 1.5 million devices across 420,000 customers,” and shows that, when it comes to North America, the tracking devices are most widely used in Mexico, Costa Rica, and El Salvador.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” BitSight researchers write. Indeed, they make the possibilities sound pretty damn bad:
“...an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.”
Yeah, none of that sounds particularly good, so I’m sure you’d love to know how to fix these flaws—should they affect you.