GPS tracker exploit puts the world's most high-value individuals in real-world danger

Security researchers have revealed a string of vulnerabilities in a massively popular GPS tracker that could be exploited to disable the vehicles of some of the most high-value organisations in the world.

The six “severe” vulnerabilities were discovered in the MiCODUS MV720 GPS tracker that researchers believe to be fitted in 1.5 million vehicles across 169 countries.

The affected vehicles are thought to be in use by the likes of Fortune 50 companies, militaries, governments, nuclear power operators, and law enforcement bodies.

The researchers at BitSight who discovered the security flaws said hackers could feasibly exploit them to stealthily track the vehicles and remotely disable entire fleets of vehicles.

Being able to track high-value vehicles could potentially lead to the tracking of government personnel and locating sensitive locations such as safehouses.

BitSight said potential exploits could also lead to the immobilisation of emergency services vehicles - subsequently leading to real-world harms - and stopping civilian vehicles on dangerous motorways, for example.

The GPS tracker is capable of monitoring real-time speed, locations, and historical routes, and can even remotely shut fuel supplies in the event of a theft, or disable features like alarms, the researchers said.

The MiCODUS MV720 is a Shenzhen, China-manufactured device and although the research was focused on this model, BitSight said other MiCODUS products may also be vulnerable to the same or similar exploits.

Typically sold for around $20 online, the MV720 tracker has been assigned CVE tracking numbers for five of the six vulnerabilities the researchers discovered.

The entire exploit chain has also been deemed so severe that CISA has published a dedicated security advisory and the CVSSv3 severity score is 9.8/10 due to it being remotely exploitable and requiring a low degree of complexity.

BitSight said that CISA has made repeated attempts to disclose the findings to MiCODUS but has been met with disregard from the company. The US cyber authority subsequently concluded that the flaws require public disclosure.

Vulnerability breakdown

Hard-coded password (API server) - CVE-2022-2107 - CVSSv3 score: 9.8 (critical)

This is one of the most serious of the vulnerabilities: after exploiting it, hackers can carry out the most severe actions, such as disabling alarms, cutting fuel supplies, and tracking vehicles.

“Although the API server has an authentication mechanism, devices use a hard-coded master password allowing an attacker to log into the web server, impersonate the user, and directly send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number,” BitSight said.

Broken authentication (API server/GPS tracker protocol) - CVE-2022-2141 - CVSS 3.1 score: 9.8 (critical)

The second critical-rated vulnerability allows hackers to send commands to the device over SMS as if they were the device administrator.

This is because the tracker’s default password is set to 123456, as are those of the web interface and mobile app. Researchers said this should be changed, but the manufacturer provides no prompt to do so, and many installations are left on the default settings.

The full SMS commands list includes sending a Google Maps link to the device’s coordinates, changing the password, and resetting to factory defaults.

Default Password (API Server) - no CVE tracker - CVSS 3.1 score: 8.1 (high)

The one vulnerability BitSight wasn’t able to get a CVE tracker for was the fact that devices ship with default passwords and don't force the user to change them.

The researchers said this represents a “severe vulnerability” in itself, although unsecured default passwords are all too common in IoT devices.
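One way a service can close the default-password gap described above is to treat the factory credential as valid only for setting a new password. This sketch is an added example, not code from the article, BitSight or MiCODUS; the `Account` class, the scope names, the `locate` command and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "123456"  # factory default named in the article
MIN_LENGTH = 12              # assumed policy value, not from the article


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, username, password, must_change=True):
        self.username = username
        self.must_change = must_change  # True for factory-provisioned accounts
        self._set(password)

    def _set(self, password):
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(self.digest, _hash(password, self.salt))


def login(account, password):
    """Return None on bad credentials, else the scope granted to the session."""
    if not account.verify(password):
        return None
    # A session opened with the factory credential may only change the password.
    return "change-password-only" if account.must_change else "full"


def change_password(account, old, new):
    if not account.verify(old):
        return False
    # Reject the shipped default, reuse of the old value, and short passwords.
    if new == DEFAULT_PASSWORD or new == old or len(new) < MIN_LENGTH:
        return False
    account._set(new)
    account.must_change = False
    return True


def send_command(account, scope, command):
    # Tracker commands are refused until the default has been replaced.
    if scope != "full" or account.must_change:
        return "refused"
    return f"queued:{command}"
```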

The remaining vulnerabilities ranged in score from 6.5 (medium) to 7.5 (high). These were:

  • CVE-2022-2199, CVSSv3 score: 7.5 (high): A cross-site scripting (XSS) vulnerability could allow an attacker to gain control by deceiving a user into making a request
  • CVE-2022-34150, CVSSv3 score: 7.1 (high): The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification
  • CVE-2022-33944, CVSSv3 score: 6.5 (medium): The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs
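The two IDOR entries above come down to a server that accepts whatever Device ID an authenticated user supplies. The following sketch is an added example, not code from the article or the vendor; it puts that flawed lookup beside one that checks ownership, and the `device_id` parameter name, the account names and the coordinates are constructed for illustration.

```python
# Constructed sample data: which account owns which tracker (all values hypothetical).
DEVICES = {
    "1001": {"owner": "alice", "last_fix": (51.5072, -0.1276)},
    "1002": {"owner": "bob", "last_fix": (53.3811, -1.4701)},
}


class NotFound(Exception):
    """Raised for unknown and not-owned IDs alike, so replies do not reveal which IDs exist."""


def get_device_vulnerable(session_user, device_id):
    # Flawed pattern: the caller is authenticated, but the Device ID from
    # the request is trusted as-is, so any account can read any tracker.
    return DEVICES[device_id]


def get_device_hardened(session_user, device_id):
    # Object-level authorization: the ID must resolve to a device that
    # belongs to the authenticated account before anything is returned.
    device = DEVICES.get(str(device_id))
    if device is None or device["owner"] != session_user:
        raise NotFound(device_id)
    return device


def handle_request(session_user, method, params, lookup=get_device_hardened):
    # The same check has to cover every route the ID can arrive by
    # (query string or POST body), so both methods share one lookup.
    device_id = params.get("device_id")
    if method not in ("GET", "POST") or device_id is None:
        return 400, None
    try:
        return 200, lookup(session_user, device_id)["last_fix"]
    except (NotFound, KeyError):
        return 404, None
```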

Risk of death

BitSight said the plausible risks to high-value individuals are myriad. Everyone from civilians to leading politicians could be tracked, threatening personal safety. Hackers could also use tracking data to inform burglaries of wealthy targets such as business leaders.

Hackers could also deploy ransomware to vehicles, demanding a ransom to restore them to working order. The same kind of attack could lead to supply chain issues for some businesses.


Emergency services vehicles could be disabled, perhaps as a result of a ransomware attack, affecting the services’ ability to meet the demand of patients and real-world crime, for example.

There was a case in Germany in 2020 where a woman died while being transported to hospital by an ambulance which was disrupted by a ransomware infection en route.

At the time, it was believed to be the first known case of a cyber attack leading to a loss of life, but a police investigation later debunked the idea, saying the woman’s health was so poor she likely would have died anyway.

The risk to life remains, however, and especially with geopolitical relations between the US and China being as tense as they are, experts told BitSight that the idea of China being able to control US vehicles is “a problem”.

Connor Jones
News and Analysis Editor
