A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device, or at least to minimize exposure to it, citing a host of vulnerabilities that make it possible for attackers to remotely disable vehicles while they are moving, track location histories, disarm alarms, and cut off fuel.
An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.
BitSight found what it described as six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications, which makes it possible for remote attackers to conduct adversary-in-the-middle attacks that intercept or alter requests sent between the mobile application and the supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to obtain the hardcoded key used for locking down the trackers, and the ability to configure a tracker to use a custom IP address, which makes it possible for attackers to monitor and control all communications to and from the device.
The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after trying for months to privately engage with the manufacturer. As of the time of writing, all of the vulnerabilities remain unpatched and unmitigated.
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” researchers wrote. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”
The US Cybersecurity and Infrastructure Security Agency (CISA) is also warning about the risks posed by the critical security bugs.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” agency officials wrote.
The vulnerabilities include one tracked as CVE-2022-2107, a hardcoded password that carries a CVSS severity rating of 9.8 out of a possible 10. Micodus trackers use it as a master password. Attackers who obtain this password can use it to log in to the web server, impersonate the legitimate user, and send commands to the tracker via SMS messages that appear to come from the GPS user’s mobile number. With this control, attackers can:
• Gain complete control of any GPS tracker
• Access location information, routes, and geofences, and track locations in real time
• Cut off fuel to vehicles
• Disarm alarms and other features
A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hardcoded password used by the Micodus server, a reflected cross-site scripting flaw in the web server, and an insecure direct object reference in the web server. The remaining CVE identifiers are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.
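The two authentication problems described above (a single hardcoded master password that unlocks every tracker, and a protocol that does not properly authenticate the parties exchanging commands) share one root cause: a command is accepted without being bound to a particular device or a particular message. The following is an added illustration written for this page, not Micodus code and not a reproduction of the MV720 protocol. It places a minimal model of the vulnerable pattern beside a hardened one in which each device has its own secret, every command carries an HMAC over the device ID, a counter and the command text, and the server checks the tag in constant time and rejects replays. The device IDs, secrets, command names and the placeholder password are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Vulnerable pattern (the hardcoded-credential class): one fixed value acts as
# the master password for every device, so whoever learns it controls the
# whole fleet. The value here is a placeholder chosen for this example.
MASTER_PASSWORD = "master-password-placeholder"


def vulnerable_authorize(device_id: str, password: str) -> bool:
    """Accepts a command for ANY device_id as long as the shared secret matches."""
    return password == MASTER_PASSWORD


# Hardened pattern: a per-device secret (generated in memory here; in practice
# provisioned per unit and stored server-side), a MAC that binds the command
# to the named device and a monotonically increasing counter, and a
# constant-time comparison so the check does not leak timing information.
DEVICE_SECRETS = {
    "tracker-0001": secrets.token_bytes(32),  # constructed sample devices
    "tracker-0002": secrets.token_bytes(32),
}


def _mac(key: bytes, device_id: str, counter: int, command: str) -> str:
    msg = f"{device_id}|{counter}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_command(device_id: str, counter: int, command: str) -> str:
    """Client side: produce the tag the legitimate owner attaches to a command."""
    return _mac(DEVICE_SECRETS[device_id], device_id, counter, command)


class CommandServer:
    """Server side: accept a command only if its tag verifies under the secret
    of the device it names and its counter is fresh for that device."""

    def __init__(self) -> None:
        self._last_counter: dict[str, int] = {}

    def authorize(self, device_id: str, counter: int, command: str, tag: str) -> bool:
        key = DEVICE_SECRETS.get(device_id)
        if key is None:
            return False
        if not hmac.compare_digest(_mac(key, device_id, counter, command), tag):
            return False  # wrong device, tampered command, or forged tag
        if counter <= self._last_counter.get(device_id, -1):
            return False  # replay of an earlier message
        self._last_counter[device_id] = counter
        return True


if __name__ == "__main__":
    # Whoever knows the shared password commands every device.
    print(vulnerable_authorize("tracker-0001", MASTER_PASSWORD),
          vulnerable_authorize("tracker-0002", MASTER_PASSWORD))
    srv = CommandServer()
    tag = sign_command("tracker-0001", 1, "DISARM")
    print(srv.authorize("tracker-0001", 1, "DISARM", tag))    # legitimate
    print(srv.authorize("tracker-0001", 1, "DISARM", tag))    # replay
    print(srv.authorize("tracker-0002", 1, "DISARM", tag))    # other device
    print(srv.authorize("tracker-0001", 2, "CUT_FUEL", tag))  # tampered
```

The point of the hardened half is that a captured or leaked tag is useless against any other device and cannot be replayed against the one it was issued for; the vulnerable half shows why a single leaked constant is a fleet-wide compromise rather than a single-device one.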
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” BitSight researchers wrote. “For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways. Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.”
Attempts to reach Micodus for comment were unsuccessful.
The BitSight warnings are serious. Anyone using one of these devices should turn it off immediately, if possible, and consult a qualified security professional before using it again.