Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles
(Image: Brian Stalter via Unsplash/Illustration: The Record)
Andrea Peterson July 19, 2022

Flaws discovered in a GPS device used in fleet management could allow attackers to remotely disrupt operations and surveil vehicle movements, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and security firm BitSight warned Tuesday.

BitSight reported it discovered six flaws in the Chinese supplier MiCODUS’s MV720 device, which is designed to be hardwired into vehicles. According to advertisements on MiCODUS’s web site, the device allows vehicles to be tracked in real time via text messaging and an app. It also includes a remote shutdown capability that relies on disabling the vehicle’s fuel circuit.

The flaws disclosed by BitSight and CISA include authentication issues that could allow such features to be hijacked — potentially putting drivers in danger and disrupting supply chains.

“The vulnerabilities discovered by BitSight can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organizations if not addressed,” BitSight CEO Stephen Harvey said in a press release. “Implementing Internet-connected devices like the MiCODUS GPS trackers can expand an organization’s attack surface and expose individual consumers to new risks.”

BitSight said the security firm and CISA “determined that these vulnerabilities” required disclosure after its outreach to MiCODUS was “disregarded.” CISA reported no patches or updates were available to fix the issues. Two of the flaws — CVE-2022-2107 and CVE-2022-2141 — were assigned a CVSS score of 9.8, signifying a critical threat.

MiCODUS did not immediately respond to The Record’s request for comment on the disclosures.

BitSight’s report involved the MV720 device — the most basic model, which retails for roughly $20 — but researchers believe other devices from the manufacturer may be vulnerable to similar issues reflected in the company’s architecture.

MiCODUS devices appear to be deployed around the world. The manufacturer’s website describes its platform as a “secure, open and scalable platform” available in more than thirty languages and connected to more than a million devices.

BitSight reported observing “2,354,603 connections to the MiCODUS server across 169 countries,” with apparent use by “a wide range of organizations, including a Fortune 50 energy company, a national military in South America, a national government in Western Europe, a national law enforcement organization in Western Europe, and a nuclear power plant operator.”

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.