Researchers have found several zero-day bugs in the MiCODUS GPS tracker that threaten vehicle security. US CISA confirms that no patches are available for now and urges users to stay cautious.
GPS Tracker Zero-Day Bugs
According to a recent advisory from US CISA, zero-day vulnerabilities in the MiCODUS GPS tracker threaten vehicle security. As elaborated, exploiting the flaws lets an attacker take control of the target GPS tracker. In turn, this allows the attacker to access location data and routes, issue fuel cutoff commands, and tamper with functions such as alarms.
Specifically, these vulnerabilities caught the attention of security researchers from BitSight, who have shared the details of their research in a report.
As explained, the team observed at least six different zero-day bugs in the MiCODUS MV720 GPS tracker. It is a commonly used hard-wired tracker for vehicle security. It offers numerous services to users, such as GPS tracking, geofencing, remote control, and fuel cutoff. Given the critical nature of these functions, any cyberattack involving this tracker directly compromises the target vehicle's security.
Regarding the vulnerabilities, the researchers found the following six bugs.
- CVE-2022-2107 (CVSS 9.8): a critical-severity vulnerability that exists due to a hard-coded master password. An attacker could exploit the flaw to communicate directly with the tracker via SMS on behalf of the tracker owner.
- CVE-2022-2141 (CVSS 9.8): an adversary could execute SMS-based commands on the GPS tracker due to improper authentication.
- CVE-2022-2199 (CVSS 7.5): a high-severity reflected XSS vulnerability exists in the tracker's web server that an adversary could exploit by tricking the target user into making a request. Exploiting this bug could give the attacker full control of the tracker.
- CVE-2022-34150 (CVSS 7.1): a high-severity IDOR on the web server endpoint and its device ID parameter, which accepts arbitrary device IDs without authentication.
- CVE-2022-33944 (CVSS 6.5): a medium-severity IDOR on the web server affecting the endpoint and its POST device ID parameter, which accepts arbitrary device IDs.
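The two IDOR entries describe the same defect: an endpoint that trusts whatever device ID the caller supplies. The following Python is an added illustration, not MiCODUS or BitSight code, and the device, owner and session data are constructed; it places the vulnerable shape of such a handler beside a hardened one that authenticates the caller and then checks that the requested device belongs to that account, logging denied lookups so that ID-guessing shows up in the audit trail.

```python
# Added illustration of the IDOR pattern behind CVE-2022-34150 / CVE-2022-33944.
# Not the tracker's real server code; all data below is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which account owns which tracker, and each
# tracker's last reported position. Session tokens are hypothetical.
DEVICE_OWNER = {"dev-1001": "alice", "dev-1002": "bob"}
DEVICE_LOCATION = {"dev-1001": (52.52, 13.405), "dev-1002": (48.85, 2.35)}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Denied lookups are recorded here; a burst of entries for one session
# against many device IDs is the signal a defender would alert on.
AUDIT_LOG: list = []


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_location(device_id: str) -> Response:
    """Unauthenticated endpoint: any known device ID returns that tracker's data."""
    if device_id not in DEVICE_LOCATION:
        return Response(404)
    return Response(200, {"device": device_id, "location": DEVICE_LOCATION[device_id]})


def hardened_location(session_token: Optional[str], device_id: str) -> Response:
    """Authenticate the caller, then authorize the object.

    The device must be owned by the authenticated account. Unknown and
    foreign IDs both return 404 so the endpoint cannot be used to learn
    which device IDs exist.
    """
    user = SESSIONS.get(session_token or "")
    if user is None:
        AUDIT_LOG.append(("unauthenticated", device_id))
        return Response(401)
    if DEVICE_OWNER.get(device_id) != user:
        AUDIT_LOG.append((user, device_id))  # ownership check failed
        return Response(404)
    return Response(200, {"device": device_id, "location": DEVICE_LOCATION[device_id]})
```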
What Next?
For now, no official patches exist for the bugs. BitSight researchers confirmed that they notified the vendors. But upon receiving no response, they contacted CISA to expedite the matter. Nonetheless, the vendors reportedly did not respond to CISA either, compelling public disclosure.
Thus, in the absence of official patches, CISA urges users to stay cautious, minimize network exposure, protect control system networks and devices behind firewalls, and use VPNs when establishing remote connections. Moreover, they also warn users to stay wary of social engineering attacks.