GPS Tracker Made in China Conduit for Vehicle Hacking6 Vulnerabilities Detected With No Available Patch
Severe vulnerabilities in a popular GPS tracking device made in China could allow hackers to remotely surveil vehicles' locations and shut down their engines, say security researchers in a warning echoed by the U.S. government.
Cybersecurity firm BitSight says it uncovered six vulnerabilities in a hard-wired GPS tracker made by MiCODUS. Boston-based BitSight estimates there are 1.5 million active tracking devices made by the Shenzen-based manufacturer deployed across the globe that are used by 420,000 different customers in more than 160 countries.
Organizations identified by BitSight as using trackers include a Fortune 50 energy company, a national military in South America, a nuclear power plant operator and a state on the east coast of the United States.
"If China can remotely control vehicles in the United States, we have a problem," said Richard Clarke, a former presidential adviser on cybersecurity.
The firm estimates Russia is the country with the greatest number of vulnerable devices and in the top three of countries with the most users.
The vulnerabilities include a hard-wired master password and vulnerability to SMS-based commands that can be executed without authentication. There are no patches, leading the U.S. Cybersecurity and Infrastructure Security Agency to advise that the trackers be isolated from internet connectivity. The agency is not aware of any active exploitation of the vulnerabilities.
MiCODUS is a maker of automotive tracking devices designed for vehicle fleet management and theft protection for consumers and organizations. It did not immediately respond to a request for comment.
The company's MV720 model - the subject of the BitSight and CISA advisory - supports all vehicles and has a function to cut off fuel supply, according to its website.
Malicious users could exploit the vulnerabilities to provoke a slew of bad situations, BitSight warns. They might cut fuel to an entire fleet of commercial or emergency vehicles. They might disable a vehicle at inconvenient locations and demand a ransom to turn it back on. They could abruptly stop vehicles on dangerous highways.
Researchers say that they attempted multiple times to connect with MiCODUS to share their findings, but the company did not respond. BitSight researchers also contacted CISA, hoping it would be "more successful in communicating with the vendor."
The agency, a part of the Department of Homeland Security, was also unable to engage with the vendor. "BitSight and DHS determined that the severity of these vulnerabilities and their potential impact on health and human safety require disclosure," the researchers say.
The sixth vulnerability did not get a CVE because it was a default password security weakness, for which DHS did not assign a unique CVE.
- CVE-2022-2107: This "critical" vulnerability has a CVSS score of 9.8. It is a hard-coded password on the API server that allows a remote attacker to directly send commands to the MV720 tracker and gain complete control to access location information, routes and geofences. A hacker could track locations in real time, cut off fuel to vehicles and disarm car alarms.
- CVE-2022-2141: This "critical" vulnerability is known as the broken authentication on API server/GPS tracker protocol and has a CVSS score of 9.8. It allows a way to directly send SMS commands to the GPS tracking device and enables an attacker "to achieve a man-in-the-middle position, controlling all traffic between the GPS tracker and the original server, and gaining total control of the GPS tracker."
- CVE-2022-2199: This "high" vulnerability known as reflected cross-site scripting has a CVSS score of 7.5. It allows an attacker to perform any action within the application the users can perform, view and modify any information, and initiate interactions with other application users, including malicious attacks that will appear to originate from the initial victim user.
- CVE-2022-34150: This vulnerability has a CVSS score of 7.1 and is known as insecure direct object reference, a type of access control vulnerability that occurs when an application uses user-supplied input to directly access objects, without verification. Attackers can access data from any device ID in the server database.
- CVE-2022-33944: This vulnerability has a CVSS score of 6.5 and is known as insecure direct object reference (web server). It allows a user to generate several types of reports via the MiCODUS web interface. It allows unauthenticated users to generate Excel reports about device activity, such as GPS-referenced locations detailing where a vehicle stopped and for how long.