Unpatched flaws in popular GPS devices could allow attackers to disrupt and track vehicles, security researchers have warned. Security company BitSight described six ‘severe’ vulnerabilities in the MiCODUS MV720 GPS tracker, a popular device designed for vehicle fleet management and theft protection.
The BitSight research came alongside a warning from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which has assigned CVE references for five of the discovered vulnerabilities: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944.
The MV720 is a hardwired GPS tracker, allowing for external, physical control of the device, the researchers said, adding that the exploitation of the vulnerabilities could have “disastrous and even life-threatening implications.”
BitSight said it has made repeated attempts to contact MiCODUS about the vulnerabilities and eventually shared its research with CISA. CISA’s efforts to engage with the vendor have also been unsuccessful.
Among the threats posed by the unpatched devices, BitSight described how an attacker could exploit some of the vulnerabilities to cut fuel to a fleet of commercial or emergency vehicles.
In another example, researchers explained how an adversary could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways. “There are many possible scenarios which could result in loss of life, property damage, privacy intrusions and threaten national security,” BitSight researchers said.
According to MiCODUS, 1.5 million of its GPS tracking devices are in use today. BitSight discovered MiCODUS devices used in 169 countries by organizations including government agencies, military and law enforcement, as well as businesses in industries such as aerospace, energy, engineering, manufacturing and shipping.
Organizations and individuals using MV720 devices in their vehicles are at risk, BitSight said. “Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.”
There is nothing “novel or unique” about the vulnerabilities, said Kev Breen, director of cyber threat research at Immersive Labs. “Unfortunately, we see the same types of vulnerabilities on other internet of things and operational technology devices – hard-coded credentials, cross-site scripting vulnerabilities and authentication bypass flaws are all common.”
While the researchers recommend disabling the unit until a fix is available, it “will take a long time to be produced, if ever,” said Steve Gyurindak, chief technical officer, network and operational technology at Armis. “Onboard vehicle system isolation – aka network segmentation – of critical systems with proper security controls would help prevent a catastrophic impact.”
Infosecurity Magazine has approached MiCODUS for a comment on the vulnerabilities discovered by BitSight.