It was discovered that there is a 'risk of a car being tracked or the engine being turned off remotely' in a GPS tracker for vehicles made in China.



In recent years, GPS-based trackers such as Apple's '

AirTag ' have become widespread, but stalking damage that abuses GPS trackers has also become a problem. According to a new survey by security company BigSight and the United States Cybersecurity and Infrastructure Security Agency (CISA) , a Chinese-made GPS tracker for vehicles used around the world 'is tracked by someone or remotely controlled. It became clear that there was a 'risk of turning off the engine'.

MiCODUS MV720 GPS tracker | CISA
https://www.cisa.gov/uscert/ics/advisories/icsa-22-200-01



BitSight Discovers Critical Vulnerabilities in GPS Tracker
https://www.bitsight.com/blog/bitsight-discovers-critical-vulnerabilities-widely-used-vehicle-gps-tracker

Attackers can surveil, disrupt vehicles outfitted with popular GPS tracker, CISA warns
https://www.cyberscoop.com/vulnerabilities-gps-tracker-cisa-warns/

Security flaws in a popular GPS tracker are exposing a million vehicle locations | TechCrunch
https://techcrunch.com/2022/07/19/micodus-gps-tracker-exposing-vehicle-locations/

GPS trackers for vehicles are used to check the current location, traveling speed, travel route, etc. of vehicles owned by companies and organizations, and to detect signs of vehicle theft. Some of them are equipped with a 'remotely cut-off function for fuel' in case they are stolen. It is possible to check the appearance of actually using the GPS tracker to shut off the fuel by remote control and forcibly stopping the engine in videos posted on YouTube and SNS.

(1) Fuel cut off gps tracker --YouTube


BigSight and CISA have newly reported that there are a total of six vulnerabilities in GPS trackers for vehicles used by businesses, government agencies, individuals, etc. around the world. This time, the vulnerability was found in a GPS tracker called ' MiCODUS MV720 ' manufactured by MiCODUS, a manufacturer based in Shenzhen, China. MiCODUS MV720 can be purchased from online shopping sites such as AliExpress and Ebay, and anyone can easily get it for less than 3000 yen per piece.



The vulnerabilities found are present in the GPS Tracker itself and in the web dashboard for vehicle tracking, with the most serious flaw 'CVE-2022-2107' being a hard-coded master password vulnerability. The MiCODUS MV720 has a master password embedded directly in the Android app code that allows full control of the GPS tracker, access to the vehicle's current location and past travel history, and remote fuel cutoff to the vehicle. Anyone can find the master password by digging into the code.

It also reveals that the default password is set to '123456' and that anyone can access with this password if the user has not changed the password for the device. When BigSight investigated 1000 samples, 95% of them said that the password was not changed and it was accessible with the default password. Other vulnerabilities have been discovered that allow a user logged in to the dashboard to access data from another GPS tracker, and a vulnerability that allows a user to send SMS commands without a password.

Exploitation of these vulnerabilities could allow location information of business people, politicians, etc. to be tracked without consent and used for criminal activity in addition to invasion of privacy. In addition, attackers can remotely perform fuel cutoffs to demand a fare to move a vehicle, immobilize commercial or emergency vehicles to delay supply chains or police response, or on highways. BigSight warns that there is a risk of stopping in dangerous places such as. BitSight's chief security researcher, Pedro Umbelino, suggests that similar vulnerabilities may exist in MiCODUS GPS trackers other than the MiCODUS MV720.

According to BigSight, MiCODUS GPS trackers are one of the world's leading energy companies, aerospace companies, technology companies, manufacturers, shipping companies, US state authorities, central government and law enforcement agencies in some European countries, South America and East Europe. It has been deployed to the operators of the military and nuclear power plants of Japan, and at the time of writing the article, it is installed in more than 1.5 million vehicles in 169 countries around the world. Among them, Ukraine has the most MiCODUS GPS trackers in all of Europe, and it is said that it is also used in the national transportation system and major banks in Kieu.

This is a map released by BigSight that shows the location of MiCODUS GPS trackers that exist all over the world. In addition to being particularly abundant in Europe, it can be seen that it is distributed in countries around the world such as Africa, South America, Oceania, the Middle East, and Asia.



Big Sight contacted MiCODUS in September 2021 about a series of vulnerabilities, but no attempt was made to fix the vulnerabilities before the report was published. Due to the severity of the vulnerability and the lack of patches, BitSight and CISA warn users to remove the device as soon as possible to mitigate the risk.

'It's a problem if China can remotely control American vehicles,' said Richard Clark, a national security expert and former presidential adviser on cybersecurity. Mobile devices are becoming more widespread and society is more connected. It's easy to overlook the fact that such GPS trackers significantly increase cyberrisk if they aren't built with security in mind. '

Related Posts:

in Hardware,   Ride,   Video,   Security, Posted by log1h_ik