A raft of zero-day flaws found in a popular automotive GPS tracking device “could have disastrous and even life-threatening implications”, security researchers warn.
Six as-yet-unpatched vulnerabilities unearthed by BitSight researcher Pedro Umbelino affect the API server, GPS tracker protocol, and web server of the MV720 GPS tracker, which was developed by China-based company MiCODUS.
Successful abuse of the bugs could see attackers “cut fuel to an entire fleet of commercial or emergency vehicles”, use GPS data “to monitor and abruptly stop vehicles on dangerous highways”, or “track individuals or demand ransom payments to return disabled vehicles to working condition”, according to research (PDF) from BitSight.
Huge attack surface
According to the cybersecurity firm, the MiCODUS MV720 provides theft protection and fleet management functionality to customers in at least in 169 countries, including a Fortune 50 energy company, a national military in South America, a federal government in Western Europe, a national law enforcement agency in Western Europe, and a nuclear power plant operator.
Alarmingly, BitSight said Umbelino also uncovered security issues associated with the firm’s cloud-based device management interface for the web, iOS, and Android, a finding which means other MiCODUS GPS tracking models could also be insecure. If MiCODUS’ own figures are accurate, that equates to 1.5 million potentially vulnerable devices worldwide.
With security patches yet to materialize, BitSight has urged users to “immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available”.
A security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) said that “no known public exploits specifically target these vulnerabilities” in the MV720 GPS tracker.
Authentication issues
Two critical authentication issues in the API server, both notching a CVSS score of 9.8, enable “an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number”.
One bug relates to a hard-coded master password (CVE-2022-2107) and the other, resulting from improper authentication (CVE-2022-2141), potentially enables manipulator-in-the-middle (MitM) attacks.
The devices and the mobile interface are preconfigured with the default password ‘123456’, which BitSight classed as a high severity (CVSS 8.1) issue, although CISA declined to assign a CVE. “There is no mandatory rule to change the password nor is there any claiming process”, according to BitSight, which found that 94.5% of 1,000 responding device IDs still had the default password.
With the device ID easily predictable and the server seemingly lacking password brute force mitigations such as rate-limiting, attackers can easily access random GPS trackers.
A high severity (CVSS 7.5) reflected cross-site scripting (XSS) vulnerability affecting the main web server, meanwhile, could enable attackers to “fully compromise the device”.
The main web server also contains a pair of authenticated insecure direct object reference vulnerabilities, tracked as CVE-2022-34150 (CVSS 7.1) and CVE-2022-33944 (CVSS 6.5).
“Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features” is as potentially dangerous as it is useful, suggested BitSight.
“Unfortunately, the MiCODUS MV720 lacks basic security protections”, and with only “limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem”.
BitSight said it first disclosed the flaws to the vendor on September 9, 2021, and after responding initially, MiCODUS failed to reply to multiple subsequent requests for updates, both from BitSight and CISA. BitSight published its findings yesterday (July 19).