Security vulnerabilities in a popular Chinese-built GPS car tracker can be easily exploited to track and remotely cut the engines of at least one million vehicles around the world, according to new research. Worse, the company that makes the GPS trackers has made no effort to fix them.
Cybersecurity startup BitSight said it found six vulnerabilities in the MV720, a hardwired GPS tracker built by Micodus, a Shenzhen-based electronics maker, which claims more than 1.5 million GPS trackers in use today across more than 420,000 customers worldwide, including companies with vehicle fleets, law enforcement agencies, militaries and national governments. BitSight said it also found the GPS trackers in use at Fortune 50 companies and a nuclear power plant operator.
But the security flaws can be easily and remotely exploited to track any vehicle in real time, access past routes, and cut the engines of vehicles in motion.
Pedro Umbelino, the principal security researcher at BitSight who authored the report, seen by DailyTech before its publication, said the vulnerabilities are “not difficult to exploit,” and that the nature of the flaws raises “significant questions about the vulnerability of other models,” suggesting the bugs may not be limited to the one Micodus GPS tracker model.
Given the severity of the bugs and the absence of any fixes, both BitSight and CISA, the U.S. government's cybersecurity advisory agency, warned vehicle owners to remove the devices as soon as possible to mitigate the risk.
The six vulnerabilities vary in severity and exploitability, but all but one rank as “high” severity or greater. Some of the bugs are in the GPS tracker itself, while others are in the web dashboard that customers use to track their vehicle fleets.
The most severe flaw is a hardcoded password that can be used to gain full control of any GPS tracker, access vehicles' real-time location and past routes, and remotely cut off fuel to vehicles. Because the password is embedded directly in the code of the Android app, anyone can dig through the code and find it.
The research also found that the GPS tracker ships with a default password of “123456,” allowing anyone to access GPS trackers whose device password has not been changed. BitSight found that 95% of a sample of 1,000 devices it examined were accessible with an unchanged default password, likely because device owners are not prompted to change the device's password during setup.
Two of the remaining vulnerabilities, known as insecure direct object references, or IDORs, allow a logged-in user to access data from a vulnerable GPS tracker that does not belong to them, and to generate spreadsheets containing device activity, such as past locations and routes.
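The two flaw classes described in the preceding paragraphs, an unchanged factory default password and an IDOR in a fleet dashboard, are easiest to understand next to their fixes. The following is an added illustration written for this page; it is not Micodus firmware, BitSight's tooling, or any code from the report. The in-memory fleet, the device ids, owner names, routes and every function name are constructed for the example; only the default value “123456” comes from the article. It models a minimal dashboard with a route-export endpoint in vulnerable and hardened form, a login that refuses to proceed while the factory default is still set, and an audit that lists devices still on the default.

```python
"""Toy model of a GPS-tracker dashboard showing two flaw classes beside their fixes.

Constructed for illustration; not code from Micodus, BitSight or the cited report.
Passwords are kept in plaintext here to keep the example short; a real service
would store a salted hash and compare against that.
"""
import hmac
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "123456"   # factory default reported in the article
MIN_PASSWORD_LEN = 12         # assumed policy for this example


class AuthorizationError(Exception):
    """Raised when the caller does not own the requested device."""


class PasswordChangeRequired(Exception):
    """Raised when a login succeeds but the factory default is still in place."""


@dataclass
class Tracker:
    device_id: str
    owner: str
    password: str = DEFAULT_PASSWORD
    routes: list = field(default_factory=list)   # list of (lat, lon) points


def build_sample_fleet():
    """Constructed sample data: two customers, three trackers, two still on the default."""
    return {
        "dev-001": Tracker("dev-001", "alice", routes=[(38.72, -9.14), (38.74, -9.15)]),
        "dev-002": Tracker("dev-002", "bob", routes=[(52.52, 13.40)]),
        "dev-003": Tracker("dev-003", "bob", password="correct-horse-battery", routes=[]),
    }


# --- IDOR: the vulnerable handler trusts the device id supplied by the client ---
def export_routes_vulnerable(fleet, logged_in_user, device_id):
    # logged_in_user is never consulted, so any authenticated user can export
    # any device's history just by changing device_id in the request.
    return list(fleet[device_id].routes)


def export_routes_hardened(fleet, logged_in_user, device_id):
    # Every object lookup is scoped to the caller's ownership. "Not found" and
    # "not yours" produce the same error so ids cannot be enumerated.
    tracker = fleet.get(device_id)
    if tracker is None or tracker.owner != logged_in_user:
        raise AuthorizationError("device not found")
    return list(tracker.routes)


# --- Default credentials: accepting the factory password without forcing a change ---
def login_vulnerable(tracker, password):
    return hmac.compare_digest(password, tracker.password)


def login_hardened(tracker, password):
    # A correct password is not enough while it is still the factory default:
    # the session is blocked until the owner sets a real one.
    if not hmac.compare_digest(password, tracker.password):
        return False
    if hmac.compare_digest(tracker.password, DEFAULT_PASSWORD):
        raise PasswordChangeRequired(tracker.device_id)
    return True


def set_password(tracker, new_password):
    """Reject the factory default and short passwords when the owner changes it."""
    if hmac.compare_digest(new_password, DEFAULT_PASSWORD) or len(new_password) < MIN_PASSWORD_LEN:
        raise ValueError("password must be non-default and at least %d characters" % MIN_PASSWORD_LEN)
    tracker.password = new_password


def audit_default_passwords(fleet):
    """Fleet-side check an operator can run: which devices never left the default?"""
    return sorted(d.device_id for d in fleet.values()
                  if hmac.compare_digest(d.password, DEFAULT_PASSWORD))


if __name__ == "__main__":
    fleet = build_sample_fleet()
    print("still on default:", audit_default_passwords(fleet))
    print("alice exporting bob's device (vulnerable):", export_routes_vulnerable(fleet, "alice", "dev-002"))
    try:
        export_routes_hardened(fleet, "alice", "dev-002")
    except AuthorizationError as e:
        print("alice exporting bob's device (hardened):", e)
```

The audit function is the piece a fleet operator would actually want: run over the real device inventory it reproduces the article's 95%-on-default finding for one's own estate, and the hardened login closes the gap the article attributes to owners never being prompted to change the password at setup.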
The researchers said they found vulnerable Micodus GPS trackers all over the world, with the highest concentration of devices in Ukraine, Russia, Uzbekistan and Brazil, as well as across Europe, including Spain, Poland, Germany and France. Kevin Long, a spokesperson for BitSight, told DailyTech that it observed a smaller proportion of devices in the United States but that the figure is likely in the “thousands” of devices.
BitSight CEO Stephen Harvey said the vulnerabilities have the potential to result in “disastrous consequences” for affected vehicle owners. The security company first contacted Micodus in September 2021, but no efforts were made to fix the vulnerabilities ahead of the report's publication. Security researchers typically give companies three months to fix vulnerabilities before they are made public, giving developers time to remediate before details of the vulnerabilities are published.
Micodus did not respond to DailyTech's request for comment sent prior to publication.