A handful of vulnerabilities, some critical, in MiCODUS GPS tracker devices could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there are no fixes for these security flaws.
Two of the bugs have been given a 9.8 out of 10 CVSS severity rating. They can be exploited to send commands to a tracker device to execute with no meaningful authentication; the others involve some degree of remote exploitation.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US government agency warned in an advisory posted Tuesday.
As of Monday, the device maker, based in China, had not released any updates or patches to fix the flaws, CISA added. The agency also advised fleet owners and operators to take “defensive measures” to reduce risk.
This evidently involves ensuring, where possible, that these GPS trackers are not reachable from the internet or from networks that miscreants can get to. And when remote management is required, CISA recommends using VPNs or other secure methods to control access. That seems like generic CISA advice, so perhaps a more serious workaround would be: stop using the GPS devices entirely.
BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott discovered the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.
“After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] published on Tuesday.
About 1.5 million people and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government agencies, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping companies, they added.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:
For its study, the BitSight team used the MV720 model, which it said is the company’s cheapest design with fuel cut-off functionality. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.
Here is a rundown of the vulnerabilities:
CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS score and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target’s GPS tracker.
These would appear as if they are coming from the GPS owner’s mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features offered by the device.
CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking device without authentication.
A default password flaw, which is detailed in BitSight’s report but was not assigned a CVE by CISA, nevertheless “represents a critical vulnerability,” according to the security vendor. There is no mandatory rule that users change the default password, which ships as “123456,” on the devices, and this makes it rather easy for criminals to guess or assume a tracker’s password.
CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request — for example, by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS rating.
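The default-password weakness above comes down to a login path that happily accepts the factory credential forever. As an added example (this is not MiCODUS's or BitSight's code, and the store, device IDs, blocklist and function names are constructed for the illustration), here is how a tracker web server could refuse to open a session while a device still carries its shipped password, and reject the default and other trivial values when the password is changed:

```python
"""Added example (not BitSight's or MiCODUS's code): a login routine for a
hypothetical tracker web server that refuses to let a device keep its
factory default password. The in-memory store, device IDs and blocklist
are constructed for this illustration."""
import hashlib
import hmac
import secrets
from typing import Optional

# The factory default the report says the trackers ship with.
FACTORY_DEFAULT_PASSWORD = "123456"

# Other trivial choices the change-password handler rejects outright
# (constructed short list; a deployment would use a much larger one).
BLOCKLIST = {FACTORY_DEFAULT_PASSWORD, "password", "12345678", "000000"}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class DeviceStore:
    """In-memory stand-in for the tracker server's device table (constructed)."""

    def __init__(self) -> None:
        self.devices = {}

    def provision(self, device_id: str) -> None:
        # Devices leave the factory with the default password; record that fact
        # so the login path can force a change instead of silently accepting it.
        salt, digest = hash_password(FACTORY_DEFAULT_PASSWORD)
        self.devices[device_id] = {"salt": salt, "digest": digest, "must_change": True}

    def login(self, device_id: str, password: str) -> str:
        """Returns "denied", "password_change_required" or "ok"."""
        rec = self.devices.get(device_id)
        if rec is None or not verify_password(password, rec["salt"], rec["digest"]):
            return "denied"
        if rec["must_change"]:
            # Credentials are valid but still the factory default: no session is
            # issued, only the change-password endpoint is reachable.
            return "password_change_required"
        return "ok"

    def change_password(self, device_id: str, old: str, new: str) -> bool:
        rec = self.devices.get(device_id)
        if rec is None or not verify_password(old, rec["salt"], rec["digest"]):
            return False
        # Reject the default, the blocklist, short values and a no-op change.
        if new in BLOCKLIST or len(new) < 12 or new == old:
            return False
        rec["salt"], rec["digest"] = hash_password(new)
        rec["must_change"] = False
        return True
```

The `must_change` flag is the important part: the device is usable only after the shipped credential has been replaced, so a tracker that is never reconfigured cannot be reached with “123456” at all.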
The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter device IDs. This means they accept arbitrary device IDs without further verification.
“In this case, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. More data capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers,” BitSight explained. It received a 7.1 CVSS rating.
And finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on the endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity score of 6.5.
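Both IDOR findings (CVE-2022-34150 and CVE-2022-33944) share the same root cause: a device-ID parameter is looked up directly without checking that the logged-in user owns that device. As an added example (not MiCODUS's or BitSight's code; the record layout, users, device IDs, `Session` type and function names are constructed), here is the vulnerable lookup pattern beside a hardened version that scopes the query to the caller's own devices and returns the same error for missing and foreign IDs:

```python
"""Added example (not BitSight's or MiCODUS's code): a device-lookup handler
for a hypothetical tracker web server, first with an insecure direct object
reference and then with an ownership check. Users, device IDs and the
record layout are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str  # the logged-in user the request is made on behalf of


# Constructed stand-in for the server database: device ID -> record.
# The fields mirror the kinds of data the report says were reachable.
DEVICES = {
    "700001": {"owner": "alice", "plate": "AB-123-CD",
               "sim": "89440000000000000001", "mobile": "+10000000001"},
    "700002": {"owner": "bob", "plate": "EF-456-GH",
               "sim": "89440000000000000002", "mobile": "+10000000002"},
}


class Forbidden(Exception):
    """Raised when the session is not authorised for the requested device."""


def get_device_insecure(session: Session, device_id: str) -> dict:
    """The IDOR pattern: the parameter is trusted as-is, so any logged-in user
    can read any device's record simply by supplying a different ID."""
    return DEVICES[device_id]


def get_device_secure(session: Session, device_id: str) -> dict:
    """Hardened version: the lookup is scoped to the caller's own devices.
    Missing and foreign IDs raise the same error so the endpoint does not
    reveal which IDs exist."""
    record = DEVICES.get(device_id)
    if record is None or record["owner"] != session.user:
        raise Forbidden(f"device {device_id!r} is not accessible to {session.user!r}")
    return record


def redact(record: dict) -> dict:
    """Return only the fields the UI needs; SIM and mobile numbers stay out
    of generic responses even for the owner."""
    return {"plate": record["plate"]}


def handle_device_request(session: Session, device_id: str) -> dict:
    """What the endpoint would actually return after the fix."""
    return redact(get_device_secure(session, device_id))
```

The ownership check belongs in the data-access layer rather than in each endpoint, so that every route that takes a device ID (including the POST parameter mentioned above) goes through the same scoped lookup. The `redact` step is a separate, defence-in-depth measure: even an authorised response should not carry SIM or phone numbers unless that screen needs them.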
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.” ®