Skip to content

CISAnalysis 22 July 2022

On 19 July 2020, CISA released an Industrial Control Systems (ICS) Advisory (ICSA-22-200-01) regarding the MiCODUS MV720 GPS tracker, a hidden design tracker that is wired directly to a vehicles power and oil pump. This device allows the interested party to remotely track a vehicle’s location and cut off the oil pump, disabling the vehicle. It can be installed and hidden in approximately two and a half minutes according to a video available on MiCODUS’ website.

BitSight, a cybersecurity ratings company, uncovered the critical vulnerabilities that led to CISA’s advisory. They also determined that these trackers are in use across 169 countries “by individual consumers, government agencies, militaries, law enforcement, and corporations.”

Out of the six vulnerabilities discovered, two have been deemed critical:

  • Hardcoded Password – CVE-2022-2107: Although the API server has an authentication mechanism, devices use a hardcoded master password allowing an attacker to log into the web server, impersonate the user, and directly send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
  • Broken Authentication – CVE-2022-2141: The API server provides a way to directly send SMS commands to the GPS tracking device as if those messages were coming from the administrator’s mobile device.

There are a number of troubling effects that could occur due to a successful exploitation of the found vulnerabilities. According to BitSight, individuals could be tracked unlawfully, vehicles could be disabled remotely, national militaries using the GPS tracker could themselves be monitored, and supply chains disrupted.

Because there is no fix available and MiCODUS has disregarded repeated attempts by BitSight and CISA to share information, all users are advised to immediately discontinue or disable any MiCODUS MV720 GPS trackers.

According to MiCODUS, approximately 1.5 million of its GPS trackers are in current use.

Given the exponential expansion of IoT, we can expect more vulnerabilities to be uncovered.

Sources:

Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720)

BitSight Discovers Critical Vulnerabilities in Widely Used Vehicle GPS Tracker

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

×

Hello!

Click one of our contacts below to chat on WhatsApp

×