Critical Vulnerabilities in MiCODUS MV720 GPS Trackers Expose 1.5 Million Vehicles
Cybersecurity experts have discovered serious security issues in the MiCODUS MV720 GPS tracker, a device used in approximately 1.5 million vehicles across 169 countries. The device contains six vulnerabilities that could allow attackers to remotely compromise vehicles.
Who Uses the MiCODUS MV720?
According to researchers at BitSight, these GPS trackers are used by many Fortune 50 companies, as well as government agencies, military, law enforcement, aerospace, shipping, and manufacturing organizations.
If a hacker exploits the vulnerabilities in the MV720, they could track vehicles, immobilize them, collect route information, or manipulate data. Researchers warn that such attacks could have serious national security implications for multiple countries.
Why Is the MiCODUS MV720 a Target?
The MiCODUS MV720 is a popular and affordable device (about $20 USD) that offers cellular tracking features and can even be used for potentially dangerous actions, such as cutting off a vehicle’s fuel supply.
Details of the Vulnerabilities
- CVE-2022-2107 (CVSS 9.8): Hardcoded master password on the API server allows a remote, unauthenticated attacker to take control of any MV720 tracker, cut off fuel, track users, and disable alarms.
- CVE-2022-2141 (CVSS 9.8): Broken authentication scheme allows anyone to send SMS commands to the GPS tracker and execute them with admin privileges.
- No CVE assigned (CVSS 8.1): Weak default password (“123456”) on all MV720 trackers, with no requirement for users to change it after initial setup.
- CVE-2022-2199 (CVSS 7.5): XSS vulnerability on the main web server allows attackers to access user accounts, interact with applications, and view all information available to a specific user.
- CVE-2022-34150 (CVSS 7.1): Insecure direct object reference on the main web server allows logged-in users to access data for any ID in the server database.
- CVE-2022-33944 (CVSS 6.5): Insecure direct object reference on the main web server allows unauthorized users to generate Excel reports on GPS tracker activity.
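Three of the findings above are generic server-side authorization and credential-management defects (insecure direct object references, a weak factory default that users are never forced to change). The following is an added illustration written for this article, not MiCODUS code and not BitSight's proof of concept; it models a hypothetical tracker back-end with constructed sample data to contrast an IDOR-prone lookup with one that enforces object-level authorization, and to show a first-login policy that refuses to leave the "123456" default in place.

```python
"""Hypothetical tracker back-end (added example, not MiCODUS code).

Contrasts an IDOR-prone record lookup with one that checks ownership,
and shows a first-login policy that forces the factory default
password to be replaced before the account gets full access.
"""
from dataclasses import dataclass

# The weak factory default named in the BitSight findings.
FACTORY_DEFAULT_PASSWORD = "123456"


class AuthorizationError(Exception):
    """Raised when a caller asks for an object it does not own."""


class WeakPasswordError(ValueError):
    """Raised when a new password is the factory default or too short."""


@dataclass
class Tracker:
    tracker_id: int
    owner: str
    last_position: tuple  # (lat, lon); constructed sample data


@dataclass
class Account:
    username: str
    password: str
    must_change_password: bool


# Constructed sample database: two owners, one tracker each.
TRACKERS = {
    1001: Tracker(1001, "alice", (38.72, -9.14)),
    1002: Tracker(1002, "bob", (51.51, -0.13)),
}


def get_position_idor(tracker_id: int) -> tuple:
    """IDOR-prone lookup: no ownership check, so any logged-in user
    can read any ID that exists in the database."""
    return TRACKERS[tracker_id].last_position


def get_position(caller: str, tracker_id: int) -> tuple:
    """Hardened lookup: the record is returned only to its owner.
    Unknown and foreign IDs raise the same error so the endpoint
    does not reveal which IDs exist."""
    tracker = TRACKERS.get(tracker_id)
    if tracker is None or tracker.owner != caller:
        raise AuthorizationError(f"{caller} may not read tracker {tracker_id}")
    return tracker.last_position


def validate_new_password(password: str) -> None:
    """Reject the factory default and trivially short passwords."""
    if password == FACTORY_DEFAULT_PASSWORD or len(password) < 12:
        raise WeakPasswordError("password is the factory default or too short")


def login(account: Account, password: str) -> str:
    """Authenticate. An account still on the factory default, or flagged
    as never having changed it, gets a restricted 'must_change' session
    instead of full access ('ok')."""
    if password != account.password:
        return "denied"
    if account.must_change_password or account.password == FACTORY_DEFAULT_PASSWORD:
        return "must_change"
    return "ok"


def change_password(account: Account, new_password: str) -> None:
    """Apply the password policy, then clear the first-login flag."""
    validate_new_password(new_password)
    account.password = new_password
    account.must_change_password = False


if __name__ == "__main__":
    # IDOR: bob can read alice's tracker through the unchecked lookup...
    print(get_position_idor(1001))
    # ...but the hardened lookup refuses.
    try:
        get_position("bob", 1001)
    except AuthorizationError as exc:
        print("blocked:", exc)
    acct = Account("alice", FACTORY_DEFAULT_PASSWORD, must_change_password=True)
    print(login(acct, FACTORY_DEFAULT_PASSWORD))  # must_change
    change_password(acct, "correct-horse-battery")
    print(login(acct, "correct-horse-battery"))   # ok
```

The two points a reviewer would look for in a real tracker back-end are the same as here: every object-level read or write must compare the requested ID against the caller's own identity, and a device or account shipped with a known default must be unable to reach full functionality until that default is replaced.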
Proof of Concept and Disclosure Timeline
BitSight experts developed five proof-of-concept exploits for the vulnerabilities with assigned CVEs and demonstrated their use in real-world scenarios.
The vulnerabilities were first discovered on September 9, 2021. BitSight attempted to contact MiCODUS engineers immediately, but repeated efforts to reach the company and find someone to accept the vulnerability report were unsuccessful. On January 14, 2022, BitSight shared all technical details with the U.S. Department of Homeland Security and asked them to contact the vendor directly.
No Fixes Available Yet
Unfortunately, MiCODUS MV720 GPS trackers remain vulnerable, as the manufacturer has not yet released patches for these issues.
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS trackers disable these devices until fixes are available,” the researchers wrote. “Organizations using any MiCODUS GPS tracker, regardless of model, should be aware of the insecure system architecture, which could put any device at risk.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued its own security bulletin warning that MiCODUS devices may pose a threat.