Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Zero-day flaws in GPS tracker pose surveillance, fuel cut-off risks to vehicles

A raft of zero-day flaws found in a popular automotive GPS tracking device “could have disastrous and even life-threatening implications”, security researchers warn.

Six as-yet-unpatched vulnerabilities unearthed by BitSight researcher Pedro Umbelino affect the API server, GPS tracker protocol, and web server of the MV720 GPS tracker, which was developed by China-based company MiCODUS.

Successful abuse of the bugs could see attackers “cut fuel to an entire fleet of commercial or emergency vehicles”, use GPS data “to monitor and abruptly stop vehicles on dangerous highways”, or “track individuals or demand ransom payments to return disabled vehicles to working condition”, according to research (PDF) from BitSight.

Huge attack surface

According to the cybersecurity firm, the MiCODUS MV720 provides theft protection and fleet management functionality to customers in at least in 169 countries, including a Fortune 50 energy company, a national military in South America, a federal government in Western Europe, a national law enforcement agency in Western Europe, and a nuclear power plant operator.

Alarmingly, BitSight said Umbelino also uncovered security issues associated with the firm’s cloud-based device management interface for the web, iOS, and Android, a finding which means other MiCODUS GPS tracking models could also be insecure. If MiCODUS’ own figures are accurate, that equates to 1.5 million potentially vulnerable devices worldwide.

With security patches yet to materialize, BitSight has urged users to “immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available”.

security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) said that “no known public exploits specifically target these vulnerabilities” in the MV720 GPS tracker.

Authentication issues

Two critical authentication issues in the API server, both notching a CVSS score of 9.8, enable “an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number”.

One bug relates to a hard-coded master password (CVE-2022-2107) and the other, resulting from improper authentication (CVE-2022-2141), potentially enables manipulator-in-the-middle (MitM) attacks.

The devices and the mobile interface are preconfigured with the default password ‘123456’, which BitSight classed as a high severity (CVSS 8.1) issue, although CISA declined to assign a CVE. “There is no mandatory rule to change the password nor is there any claiming process”, according to BitSight, which found that 94.5% of 1,000 responding device IDs still had the default password.

With the device ID easily predictable and the server seemingly lacking password brute force mitigations such as rate-limiting, attackers can easily access random GPS trackers.

A high severity (CVSS 7.5) reflected cross-site scripting (XSS) vulnerability affecting the main web server, meanwhile, could enable attackers to “fully compromise the device”.

The main web server also contains a pair of authenticated insecure direct object reference vulnerabilities, tracked as CVE-2022-34150 (CVSS 7.1) and CVE-2022-33944 (CVSS 6.5).

“Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features” is as potentially dangerous as it is useful, suggested BitSight.

“Unfortunately, the MiCODUS MV720 lacks basic security protections”, and with only “limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem”.

Advertisement. Scroll to continue reading.

BitSight said it first disclosed the flaws to the vendor on September 9, 2021, and after responding initially, MiCODUS failed to reply to multiple subsequent requests for updates, both from BitSight and CISA. BitSight published its findings yesterday (July 19).

Source: https://portswigger.net/daily-swig/zero-day-flaws-in-gps-tracker-pose-surveillance-fuel-cut-off-risks-to-vehicles

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Researchers from the Technical University of Berlin have developed a method to jailbreak the AMD-based infotainment systems used in all recent Tesla car models...

Cyber Security

Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that...

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO