A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device, or at least minimize exposure to it, citing a variety of vulnerabilities that allow hackers to remotely disable cars while they are in motion, track location history, turn off alarms and cut off fuel.
An assessment by security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who conducted the evaluation believe that the same critical vulnerabilities are present in other models of Micodus trackers. The Chinese manufacturer says it has 1.5 million tracking devices deployed to 420,000 customers. BitSight found that the device is being used in 169 countries by customers including governments, military, law enforcement, aerospace, shipping and manufacturing companies.
BitSight found what it says are six “serious” vulnerabilities in the device that allow for many possible attacks. One flaw is the use of unencrypted HTTP connections, which allows remote hackers to conduct man-in-the-middle attacks that intercept or modify requests sent between the mobile app and back-end servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that could allow attackers to access a hard-coded key for locking down the trackers, and the ability to set a custom IP address, which lets hackers monitor and control all connections to and from the device.
The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally made the findings public on Tuesday after months of trying to privately engage with the manufacturer. At the time of writing, all of the vulnerabilities remain unpatched.
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable those devices until a fix is available,” the researchers wrote. “Organizations using any MiCODUS GPS tracker, regardless of model, should be warned about the insecurity of its system architecture, which can put any device at risk.”
The US Cybersecurity and Infrastructure Security Administration also warns of the risks associated with critical security bugs.
“Successfully exploiting these vulnerabilities could allow an attacker to control any MV720 GPS tracker, providing access to location, routes, fuel shutdown commands, and disabling various functions (such as alarms),” the agency wrote.
One of the vulnerabilities, tracked as CVE-2022-2107, is a hardcoded password with a severity rating of 9.8 out of 10 that Micodus trackers use as a master password. Hackers who obtain this passcode can use it to log into the web server, impersonate a legitimate user, and send commands to the tracker via SMS messages that appear to come from the GPS user’s mobile number. With this control, hackers can:
• Take full control of any GPS tracker
• Access location information, routes, geofencing and real-time location tracking
• Shut off the fuel supply to vehicles
• Disable alarms and other functions
A separate vulnerability, CVE-2022-2141, is a broken authentication state in the protocol that the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hard-coded password used by the Micodus server, a reflected cross-site scripting vulnerability on the web server, and an insecure direct object reference on the web server. The remaining vulnerabilities are tracked as CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944.
“Exploitation of these vulnerabilities can have catastrophic and even life-threatening consequences,” BitSight researchers write. “For example, an attacker could use some vulnerabilities to disable fuel for an entire fleet of commercial or emergency vehicles. Or an attacker could use GPS information to track and suddenly stop vehicles on dangerous highways. Attackers may covertly track people or demand a ransom to return malfunctioning vehicles to working order. There are many possible scenarios that could result in loss of life, damage to property, invasion of privacy, and endanger national security.”
Attempts to contact Micodus for comment have been unsuccessful.
BitSight’s warnings are important. Anyone using one of these devices should turn it off immediately if possible and consult a trained security professional before using it again.