Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles
Flaws discovered in a GPS device used in fleet management could allow attackers to remotely disrupt operations and surveil vehicle movements, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and security firm BitSight warned Tuesday.
BitSight reported it discovered six flaws in the Chinese supplier MiCODUS’s MV720 device, which is designed to be hardwired into vehicles. According to advertisements on MiCODUS’s web site, the device allows vehicles to be tracked in real-time via text messaging and an app. It also includes a remote shutdown capability that relies on disabling the vehicle’s fuel circuit.
The flaws disclosed by BitSight and CISA include authentication issues that could allow such features to be hijacked — potentially putting drivers in danger and disrupting supply chains.
“The vulnerabilities discovered by BitSight can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organizations if not addressed,” BitSight CEO Stephen Harvey said in a press release. “Implementing Internet-connected devices like the MiCODUS GPS trackers can expand an organization’s attack surface and expose individual consumers to new risks.”
BitSight said the security firm and CISA “determined that these vulnerabilities” required disclosure after its outreach to MiCODUS was ”disregarded.” CISA reported no patches or updates were available to fix the issues. Two of the flaws — CVE-2022-2107 and CVE-2022-2141 — were assigned a CVSS score of 9.8, signifying a critical threat.
MiCODUS did not immediately respond to The Record’s request for comment on the disclosures.
BitSight’s report involved the MV720 device — the most basic model, which retails for roughly $20 — but researchers they believe other devices from the manufacturer may be vulnerable similar issues reflected in the company’s architecture.
MiCODUS devices appear to be deployed around the world. The manufacturer’s website describes its platform as a “secure, open and scalable platform” available in more than thirty languages and connected to more than a million devices.
BitSight reported observing “2,354,603 connections to the MiCODUS server across 169 countries,” with apparent use by “a wide range of organizations, including a Fortune 50 energy company, a national military in South America, a national government in Western Europe, a national law enforcement organization in Western Europe, and a nuclear power plant operator.”
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.