A GNSS vehicle tracker is a device fitted to automobiles and used around the world to monitor fleets of cars, trucks, school buses, military vehicles and so on, and to protect them against theft. Besides recording vehicle location, trackers typically also monitor other metrics, such as driver behaviour and fuel usage. Many are also wired into the vehicle so that, on a remote command, they can cut off the fuel supply, sound the alarm, lock or unlock the doors, and more.

When GNSS (GPS) hacking comes up, most people think of “GPS spoofing”, i.e., feeding the attacked receiver forged signals so that it computes a false position. But over the past twelve months a Boston-based cybersecurity company, BitSight, has found several severe security flaws in a well-known and popular GNSS vehicle tracker, the MV720 from MiCODUS, which is used in almost 170 countries.

MiCODUS is a Chinese electronics manufacturer and supplier based in Shenzhen, specializing in automotive electronics and automobile accessories. It has more than 1.5 million GNSS trackers in use today across more than 420 000 customers worldwide, including companies with vehicle fleets, law enforcement agencies, militaries and national governments.

In its report BitSight says users should immediately disable the MV720 GPS tracker until a fix becomes available, since the vulnerabilities pose a potential danger to highway safety, national security and supply chains; the MV720 was found in use at, e.g., a Fortune 50 energy company and an aerospace company. The flaws could let attackers remotely hijack vehicles equipped with the device, cut off their fuel, or otherwise seize control of them while they are moving.

BitSight contacted MiCODUS three times between September 9, 2021 and January 14, 2022, but MiCODUS declined BitSight’s request to speak with its security or engineering teams. BitSight says it shared its findings with MiCODUS in line with responsible-disclosure practice, but they were ignored. On January 14, 2022 BitSight therefore disclosed the vulnerabilities to CISA, which assessed them as remotely exploitable with low attack complexity. CISA also contacted MiCODUS earlier this year, to no avail.

BitSight found six vulnerabilities in the MV720, the most serious rated CVSS 9.8, indicating a severe risk of exploitation. For example, the device ships with a default password, “123456”, which it never prompts the user to change. In addition, a second, undocumented hard-coded password that works on every device was found. Further flaws were found in the web server used to remotely manage the trackers, among them cross-site scripting and insecure direct object references that let a logged-in user reach devices belonging to other customers.
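To make the two credential weaknesses concrete, here is an added example (written for this post, not MiCODUS’s code and not taken from the BitSight report) of a hypothetical tracker command-authentication routine with a factory default that is never forced to change and a single master password accepted by every device, beside a hardened version with per-device secrets, forced rotation and lock-out. The device names, the master-password string and the weak-password list are placeholders.

```python
"""Added example, not MiCODUS's code: a hypothetical tracker command
authentication routine with the two credential weaknesses described
above (a factory default password that is never forced to change and a
single hard-coded master password accepted by every device), beside a
hardened version. Device names, the master-password string and the
weak-password list are placeholders."""
import hashlib
import hmac
import os
import secrets

DEFAULT_PASSWORD = "123456"  # the factory default named in the BitSight report
# Placeholder standing in for a vendor-wide backdoor password; not the real value.
MASTER_PASSWORD = "hypothetical-vendor-master"
# Constructed deny-list of values the hardened device refuses as a new password.
WEAK_CHOICES = {DEFAULT_PASSWORD, "password", "000000", "111111"}


class WeakTracker:
    """Vulnerable pattern: shared default, never rotated, plus a backdoor."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.password = DEFAULT_PASSWORD  # owner is never asked to change it

    def authorize(self, supplied: str) -> bool:
        # Anyone who knows the factory default or the master password
        # can issue privileged commands (e.g. cut fuel) to this device.
        return supplied in (self.password, MASTER_PASSWORD)


class HardenedTracker:
    """Hardened pattern: per-device secret, forced rotation, no master key."""

    ITERATIONS = 100_000
    MAX_FAILURES = 5

    def __init__(self, device_id: str, initial_password: str) -> None:
        self.device_id = device_id
        self.must_change = True  # block commands until the owner sets a password
        self.failures = 0
        self.salt = os.urandom(16)
        self.digest = self._derive(initial_password)

    @classmethod
    def provision(cls, device_id: str):
        # Each unit leaves the factory with its own random secret (printed on
        # its label) instead of one default shared by every device.
        initial = secrets.token_urlsafe(12)
        return cls(device_id, initial), initial

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, self.ITERATIONS)

    def _matches(self, supplied: str) -> bool:
        return hmac.compare_digest(self._derive(supplied), self.digest)

    def set_password(self, current: str, new: str) -> bool:
        if not self._matches(current):
            return False
        if len(new) < 10 or new in WEAK_CHOICES:
            return False  # refuse to "rotate" onto a known-weak value
        self.salt = os.urandom(16)
        self.digest = self._derive(new)
        self.must_change = False
        self.failures = 0
        return True

    def authorize(self, supplied: str) -> bool:
        if self.must_change or self.failures >= self.MAX_FAILURES:
            return False  # unrotated or locked-out devices accept no commands
        ok = self._matches(supplied)
        self.failures = 0 if ok else self.failures + 1
        return ok


def run_demo() -> dict:
    """Exercise both designs with the same attacker guesses."""
    weak = WeakTracker("truck-01")
    hardened, label_secret = HardenedTracker.provision("truck-02")
    owner_password = "fleet-2022-c0rrect-h0rse"
    return {
        "weak_default_accepted": weak.authorize(DEFAULT_PASSWORD),
        "weak_master_accepted": weak.authorize(MASTER_PASSWORD),
        "hardened_before_rotation": hardened.authorize(label_secret),
        "hardened_rejects_default": hardened.set_password(label_secret, DEFAULT_PASSWORD),
        "hardened_rotated": hardened.set_password(label_secret, owner_password),
        "hardened_master_accepted": hardened.authorize(MASTER_PASSWORD),
        "hardened_owner_accepted": hardened.authorize(owner_password),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the hardened version is not the hashing itself but the policy around it: no command is honoured until the per-device secret has been replaced, the replacement cannot be the factory default, and there is no second password path that a vendor, or anyone who extracts the firmware, can use against the whole installed base.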

CISA said in a statement that, so far, it is not aware of “any active exploitation” of the vulnerabilities.

Time will tell whether MiCODUS releases a patch for these vulnerabilities. Keep in mind, though, that patching ordinary software is hard enough, and patching IoT devices already deployed in the field is harder still.

Link to BitSight’s full report: https://www.bitsight.com/sites/default/files/2022-07/MiCODUS-GPS-Report-Final.pdf

Short News

Written by Joakim Rosell