Severe vulnerabilities in vehicle GPS trackers affect critical infrastructure sector, BitSight discloses

BitSight has identified six severe vulnerabilities in the MiCODUS MV720 GPS tracker designed for vehicle fleet management and theft protection for consumers and organizations. Exploiting these vulnerabilities could have disastrous and even life-threatening implications for the consumers, companies, government agencies, and law enforcement sectors that deploy these devices.

The Boston, Massachusetts-based company shared its research with the Cybersecurity and Infrastructure Security Agency (CISA) when its vulnerability disclosure efforts to MiCODUS were disregarded. As a result, BitSight and CISA determined that these vulnerabilities require disclosure. Such action provides organizations and users of this device with the information they need to protect themselves proactively.

On Tuesday, CISA collaborated with BitSight to issue a public advisory detailing the notable Common Vulnerabilities and Exposures (CVEs) that were discovered: CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944. The advisory noted that the devices are deployed globally across the critical infrastructure sector, including transportation systems, government facilities, financial services, and critical manufacturing installations, and said that “as of July 18th, 2022, MiCODUS has not provided updates or patches to mitigate these vulnerabilities. CISA will update the corresponding ICSA to reflect any patches, updates, or mitigation information provided by MiCODUS in the future.”

“BitSight’s research was conducted with the sole purpose of assessing the security of the MV720 GPS tracker and to determine whether an attacker could access a user’s GPS position. Although the results surpassed the proposed initial goal, this report does not represent a full security audit of the MiCODUS ecosystem,” according to the research report. “However, we believe other models may be vulnerable due to security flaws in the MiCODUS architecture.” 

MiCODUS states there are 1.5 million of their GPS tracking devices in use today by individual consumers and organizations, the BitSight report said. “Organizations and individuals using MV720 devices in their vehicles are at risk. Leveraging our proprietary data sets, BitSight discovered MiCODUS devices used in 169 countries by organizations, including government agencies, military, and law enforcement, as well as businesses spanning a variety of sectors and industries, including aerospace, energy, engineering, manufacturing, shipping, and more,” it added.  

Given the impact and severity of the vulnerabilities found, the report strongly recommends that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.

Providing a continental breakdown, BitSight said that each continent has a different story. In North America, Mexico claims both the greatest number of users and devices; the same situation is revealed in Asia with the Russian Federation. Ukraine has the largest number of MiCODUS devices and ranks third in terms of users in Europe. In South America, Chile claims the greatest number of devices while Brazil claims the greatest number of users.

Examining global sector usage, BitSight identified differences by continent. For example, North American organizations using the devices tend to be in the manufacturing sector, while those in South America tend to be government institutions. MiCODUS users in Europe belong to a diverse group of sectors, ranging from finance to energy. Global authorities should consider these geographic differences in sector usage to understand the potential ramifications of an attack exploiting vulnerabilities in MiCODUS devices.

MiCODUS is a Shenzhen, China-based manufacturer and supplier of automotive electronics and accessories, with an installed base of 1.5 million devices across 420,000 customers, 500 patents for its technologies, and a staff of over 300 professional engineers and 1,000 employees. The MiCODUS MV720 automotive tracking device is a hardwired GPS tracker that offers anti-theft, fuel cut-off, remote control, and geofencing capabilities.

“The vulnerabilities discovered by BitSight can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organizations if not addressed,” Stephen Harvey, BitSight CEO, said in a media statement. “Our research highlights why it is critical for organizations to consider Internet of Things (IoT) devices in cyber resilience efforts. Implementing Internet-connected devices like the MiCODUS GPS trackers can expand an organization’s attack surface and expose individual consumers to new risks. Understanding how IoT and other technologies can increase the potential to disrupt business continuity, damage a firm’s reputation, and threaten human safety should be considered essential.”

The more severe attack scenarios enabled by these vulnerabilities earned a CVSS score as high as 9.8. They include remotely cutting off the fuel line of a vehicle in motion and gaining access to vehicle location information, user routes, geofences, and real-time location tracking for surveillance purposes. An attacker could also monitor and control all communications to and from the GPS tracker, including deliberately feeding incorrect vehicle location information to the GPS server.

“The vulnerabilities we discovered affecting the MiCODUS MV720 would allow for many possible attack scenarios where a bad actor could easily gain complete control over any GPS tracker of this type,” Pedro Umbelino, principal security researcher at BitSight, said. “Unfortunately, these vulnerabilities are not difficult to exploit.”

For example, “we discovered that the web interface and mobile app share the same default password, and the GPS tracker has commands that will work even without a password,” according to Umbelino. “Basic flaws in this vendor’s overall system architecture raise significant questions about the vulnerability of other models.”

Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. A centralized dashboard for monitoring GPS trackers, with the ability to enable or disable a vehicle, monitor speed and routes, and use other features, is useful to many individuals and organizations. However, such functionality can introduce serious security risks.

“Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues,” BitSight said. “With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem. BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk,” it added.