Bitsight Discovers Critical Vulnerabilities in Widely Used Vehicle GPS Tracker

Written by Noah Stone | Research by Pedro Umbelino

Executive Summary

  • Bitsight has discovered six severe vulnerabilities in a popular vehicle GPS tracker (MiCODUS MV720) potentially allowing hackers to track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more.
  • There are believed to be 1.5 million MiCODUS devices, across 169 countries, in use today by individual consumers, government agencies, militaries, law enforcement, and corporations. Organizations identified by Bitsight using MiCODUS GPS trackers include a Fortune 50 energy, oil and gas company; a national military in South America; a Fortune 50 technology company; a nuclear power plant operator; and a state on the East Coast of the United States.
  • Given the impact and severity of the vulnerabilities found, Bitsight recommends users immediately cease using or disable any MiCODUS MV720 GPS trackers until a fix is made available by the company, as there is no known workaround.
  • Repeated attempts by Bitsight and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to share information with Shenzhen, China-based manufacturer MiCODUS were disregarded. Bitsight and CISA determined that these vulnerabilities require disclosure.
  • CISA has assigned the following CVE references for five of the discovered vulnerabilities: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150, CVE-2022-33944. The ICS-CERT advisory can be found here.

View the full report with technical analysis, available here.

What device is affected, how is it used, and who is using it?

The affected GPS tracking device is the MiCODUS MV720, manufactured by Shenzhen, China-based company MiCODUS. Although our research focused on the MV720, we believe other MiCODUS models may be vulnerable due to flaws we discovered in the MiCODUS architecture.

Consumers, militaries, law enforcement agencies, and corporations install MiCODUS GPS trackers in vehicles to monitor real-time locations and speeds, historical routes, and to remotely cut off fuel in the event of theft. Users access a dashboard, or use SMS text messaging, to send commands directly to deployed devices.

MiCODUS claims there are 1.5 million of its GPS tracker devices in use today. Bitsight observes MiCODUS devices across 169 countries. Bitsight identified devices deployed by government, military, and police agencies, and corporations spanning a variety of industries including aerospace, engineering, manufacturing, shipping, and more.

Each MV720 is sold for approximately $20.00 on Amazon, Aliexpress, Ebay, Alibaba, and other major online retailers, making it available to anyone.

Vulnerabilities Discovered

CISA has assigned the following CVEs to five of the six vulnerabilities Bitsight discovered:

CVSS 9.8 (Critical)
CVE-2022-2107

The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.

CVSS 9.8 (Critical)
CVE-2022-2141

Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.

CVSS 7.5 (High)
CVE-2022-2199

A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.

CVSS 7.1 (High)
CVE-2022-34150

The main web server has an authenticated Insecure Direct Object Reference (IDOR) vulnerability on the parameter “Device ID,” which accepts arbitrary Device IDs without further verification.

CVSS 6.5 (Medium)
CVE-2022-33944

The main web server has an authenticated IDOR vulnerability on the POST parameter “Device ID,” which accepts arbitrary Device IDs.
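To make the IDOR class behind CVE-2022-34150 and CVE-2022-33944 concrete from the defender's side, here is an added, hypothetical model (not MiCODUS server code) of a device-lookup handler in its vulnerable and hardened forms; the user names, device IDs, and coordinates are constructed sample data.

```python
# Added illustration, not code from the MiCODUS platform: the "Device ID"
# parameter is trusted as-is in the vulnerable handler, and checked against
# server-side ownership in the hardened one. All data below is constructed.

# Constructed sample data: tracker records and which user owns which tracker.
DEVICES = {
    "dev-1001": {"owner": "alice", "last_fix": (38.90, -77.04)},
    "dev-1002": {"owner": "bob", "last_fix": (40.71, -74.01)},
}
OWNERSHIP = {"alice": {"dev-1001"}, "bob": {"dev-1002"}}


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to read the device."""


def lookup_vulnerable(session_user: str, device_id: str) -> dict:
    """IDOR pattern: the caller is authenticated, but the Device ID parameter
    is never checked against that caller, so any valid ID is returned."""
    return DEVICES[device_id]


def lookup_hardened(session_user: str, device_id: str) -> dict:
    """Object-level authorization: the server resolves ownership itself and
    never relies on the client-supplied ID alone."""
    if device_id not in OWNERSHIP.get(session_user, set()):
        # Same outcome whether the ID is unknown or belongs to someone else,
        # so the endpoint cannot be used to enumerate valid Device IDs.
        raise Forbidden("device not found or not owned by user")
    return DEVICES[device_id]


def audit_requests(requests):
    """For each (user, device_id) request, report the ones where the
    vulnerable handler would have disclosed another user's tracker data."""
    leaks = []
    for user, dev in requests:
        try:
            lookup_hardened(user, dev)
        except Forbidden:
            if dev in DEVICES:  # a real record the vulnerable path would return
                leaks.append((user, dev))
    return leaks
```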

Attacks could result in loss of life, supply chain disruption, unlawful tracking, data breach, and more

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. Bitsight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”

Bitsight discovered the MV720 to be vulnerable to a variety of attacks, including man-in-the-middle (MITM) attacks, authentication bypass, and persistent invisible monitoring. Successful exploitation of such vulnerabilities allows for the following potential scenarios:

Unlawful tracking, human safety, and data privacy

  • Civilians, politicians, business leaders, and others could be tracked without their knowledge or consent, threatening personal safety and confidentiality. Unlawful tracking is a growing privacy concern.
  • Bad actors could learn the travel routes of unsuspecting home or business owners, informing planned burglaries or other criminal activities.

Vehicle disablement and supply chain disruption

  • An attacker could cut fuel to a civilian’s vehicle and deploy ransomware, demanding a ransom to return the vehicle to working condition.
  • An attacker could deploy ransomware to vehicles in an organization’s commercial vehicle fleet, potentially inducing supply shortages and disrupting business continuity for both the targeted organization and supply chain partners.

National security implications

  • Bitsight confirms that national militaries are using MiCODUS GPS trackers, potentially presenting a myriad of national security issues. A nation-state adversary could potentially exploit the tracker’s vulnerabilities to gather intelligence on military-related movements including supply routes, regular troop movements, and recurring patrols.

Emergency vehicle disruption

  • An attacker could potentially cut fuel to a fleet of emergency vehicles, demanding a ransom to return the vehicles to working condition, significantly delaying emergency response. Criminals could disable emergency vehicles for the sole purpose of delaying police response to a planned crime.

MiCODUS GPS devices are used by major organizations around the globe

Bitsight observes several major governments and companies using MiCODUS GPS trackers, some of which include:

  • A Fortune 50 energy, oil and gas company
  • A Fortune 50 aerospace company
  • A national military in South America
  • A national government in Western Europe
  • A Fortune 50 professional services company
  • A national government in the Middle East
  • A national law enforcement organization in Western Europe
  • A nuclear power plant operator
  • A national military in Eastern Europe
  • A Fortune 50 technology company
  • A national government ministry in North America
  • A Fortune 50 manufacturing conglomerate
  • A state on the East Coast of the United States

Additionally, we identified Ukraine as having the most MiCODUS GPS trackers in all of Europe. A state-owned Ukrainian transportation system and a leading bank in Kiev are confirmed to be MiCODUS users.

The use of MiCODUS GPS trackers around the globe is illustrated by the below interactive map, where every red point represents a MiCODUS user. GPS coordinates are not representative of actual locations.

Short-term recommendations to protect yourself

Users of the MV720 should take prompt action to protect themselves from the device’s vulnerabilities. Bitsight recommends users immediately discontinue use or disable any MiCODUS MV720 GPS trackers until a fix is made available. The device typically requires professional installation, so users may need to consult with a mechanic to properly disable the device(s).

The MiCODUS MV720 will not be the final device discovered to have critical vulnerabilities capable of threatening business operations, human safety, national security, and more. The next critical vulnerability could be discovered in another GPS tracker, medical sensor, smart fire alarm, or other IoT device. Bitsight urges organizations to make every effort to preempt the next critical vulnerability by managing their adoption, and third party adoption, of IoT devices.


Watch the free GPS tracker vulnerabilities webinar

In this conversation featuring Bitsight Principal Security Researcher Pedro Umbelino and Co-Founder Stephen Boyer, you’ll gain insight into:

  • Sector and country exposure to GPS trackers
  • Supply chain risk
  • Advice for security professionals on managing IoT device risk