[German]Security reasearchers have discovered six serious serioud vulnerabilities in the MV720 GPS trackers from MiCODUS, which are frequently used in vehicles. Security researchers have managed to hack the trackers so that the vehicles' location data could be monitored by third parties. And the attackers would even be able to stop the vehicles remotely. The manufacturer was notified, but would not fix the problem. The US CISA warns against the devices – users are advised to remove them because of the security risks.
Advertising
MiCODUS and the MV720 GPS tracker
MiCODUS is a company based in Shenzhen, Guangdong, China. The manufacturer specializes in the production of automotive electronics and accessories including GPS trackers. To date, 1.5 million GPS tracking devices are said to be in use by 420,000 customers (including governments, military, law enforcement agencies and enterprises). The MV720 GPS tracker is an older model that is installed in vehicles, boats or other equipment (construction equipment), etc. for monitoring purposes. The MiCODUS MV720 offers anti-theft, fuel shut-off, remote control and geofencing.
Above photo shows the tracker that can be installed in the vehicle. It monitors the vehicle's position via GPS signal and the unit can be controlled via smartphone. If the vehicle is stolen, or if it leaves an area defined by geofencing, the gasoline supply can be cut off, thus stopping the vehicle. The MV720 GPS tracker is offered on Alibaba, eBay, Amazon, etc. for small money – I have seen follow-up models for 20 to 25 US Dollars.
According to the above tweet, this tracker is very commonly used in Europe, with vehicles from Eastern Europe in particular being equipped with it. It seems to be less common in North America and Canada. .
Advertising
6 vulnerabilities that US-CISA warns about
However, security researchers at bitsight.com have encountered six bold vulnerabilities (CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944) in their analysis of the MiCODUS GPS tracker MV720, ranging from hard-coded credentials to faulty authentication to ways to bypass authentication when accessing it via an app. BitSight security researchers contacted MiCODUS in September 2021 to report the vulnerabilities. However, MiCODUS has done nothing to address these vulnerabilities via update.
After BitSight's attempts to contact MiCODUS proved fruitless, the security researchers contacted the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and published the document Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720). There, the vulnerabilities are described in detail.
At the same time, CISA issued a security alert icsa-22-200-01 as of July 19, 2022, and this notice with a link to this press release from BitSight. Owners of vehicles that have this tracker installed should remove the MV720 as soon as possible and replace it with other GPS trackers that are secure, if necessary. (via Techchrunch)
Advertising