Flaws in a popular GPS tracker could allow hackers to track or stop vehicles, say security researchers

Security researchers warn that vulnerabilities could have 'disastrous consequences'.
Written by Danny Palmer, Senior Writer

Critical security vulnerabilities in a popular GPS tracker used to track vehicle fleets by critical infrastructure, governments and emergency services around the world could be used to remotely track, stop and even take control of vehicles, according to security researchers.

Six flaws in MiCODUS MV720 vehicle GPS trackers – including the use of simple default passwords – have been detailed by cybersecurity researchers at BitSight.

They warn that the severity of the vulnerabilities and the potential for disrupting vehicles on the road means that MiCODUS MV720 GPS trackers shouldn't be used until a security update is made available. It's believed there are 1.5 million MiCODUS devices in use across 169 countries.


CISA has also issued an alert about the vulnerabilities, warning they could impact access to vehicle fuel supplies and vehicle control, and allow location surveillance of vehicles in which the device is installed. 

Despite the severity of the vulnerabilities and the relative ease with which they could be exploited, a security patch isn't available. BitSight researchers say both they and CISA have made repeated attempts to contact MiCODUS. ZDNet has also attempted to contact MiCODUS, but hadn't received a reply at the time of publication.

According to BitSight, the vulnerabilities could allow attackers to disrupt emergency vehicles and supply chains, and could enable the unlawful tracking of civilians, politicians and business leaders. They could also have national security implications, because the trackers are used by the militaries of several countries.

The vulnerabilities include two that are classed as critical, with CVSS (Common Vulnerability Scoring System) scores of 9.8. The first of these is CVE-2022-2107, a hardcoded master password vulnerability that allows a remote attacker to log in to the web server, impersonate the user, and directly send SMS commands to the GPS tracker as if they were the real user.

The second is CVE-2022-2141, an improper authentication vulnerability that allows remote attackers to execute commands using SMS without any authentication, allowing the attacker to gain control of vehicles. 


The GPS devices are also shipped with a default password, with no requirement to change it. BitSight says its analysis shows that many users haven't changed this most simple of passwords, leaving the GPS trackers vulnerable to being accessed remotely.

Other flaws include a cross-site scripting vulnerability (CVE-2022-2199) that could allow an attacker to gain control by tricking a user into making a request, and an authorisation bypass vulnerability (CVE-2022-34150), which allows attackers to access data from any device ID in the server database, enabling them to gather personal information.

Researchers have also detailed a web server flaw (CVE-2022-33944), which allows unauthenticated users to generate Excel reports about device activity such as GPS-referenced locations detailing where a vehicle stopped and for how long. 

According to BitSight, several major government organisations and other large companies are using MiCODUS GPS trackers, including a national government and a national law enforcement agency in Western Europe, a state-owned Ukrainian transportation system and a leading bank in Kyiv, a military in South America, a nuclear powerplant operator, several Fortune 50 companies, and a state on the east coast of the United States. 

"The vulnerabilities can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organizations if not addressed," said BitSight CEO Stephen Harvey. 

"Understanding how IoT and other technologies can increase the potential to disrupt business continuity, damage a firm's reputation, and threaten human safety should be considered essential," he added.  

