The MV720 GPS tracker is manufactured by a China-based firm MiCODUS which was knowledgeable in regards to the flaws again in September 2021 but it has not fastened the difficulty.
Cybersecurity startup BitSight has recognized six flaws within the GPS tracker MV720 manufactured by China-based MiCODUS. In accordance with the IT safety researchers at BitSight the crucial safety vulnerabilities have been current in MV720 GPS trackers, used primarily for monitoring car fleets. The vulnerabilities can enable hackers to trace, cease, and management automobiles remotely.
To your data, MV720 is a hardwired GPS tracker value round $20. The Shenzhen-based MiCODUS electronics maker claims that 1.5 million of its GPS trackers are at the moment in use by over 420,000 clients throughout 169 international locations.
Moreover, its purchasers embrace a number of Fortune 50 firms, transport, aerospace, authorities, army, crucial infrastructure, regulation enforcement companies, and a nuclear energy plant operator.
Vulnerabilities Particulars
BitSight has detected six extreme vulnerabilities within the abovementioned tracker, which could be simply exploited remotely to trace a car in real-time, get details about earlier routes, and even lower the automobiles’ engines when in movement.
BitSight’s principal safety researcher and report creator, Pedro Umbelino, defined that the vulnerabilities’ straightforward exploitation raises “vital questions” in regards to the firm’s merchandise because the bugs will not be restricted to at least one GPS tracker mannequin. He believes the identical flaws are current in different tracker fashions.
Risks Posed by the Flaws
In accordance with BitSight’s weblog submit, one flaw in MV720 is in unencrypted HTTP communications, permitting hackers to remotely conduct adversary-in-the-middle assaults (AiTM) to intercept/change the requests exchanged between the servers and the cellular utility.
One other flaw is discovered within the tracker’s authentication mechanism within the cellular app, which lets attackers entry the hardcoded key to lock down the trackers and use a customized IP tackle. This permits hackers to watch and management communications to and from the gadget.
The vulnerability tracked as CVE-2022-2107 is assigned a severity score of 9.8 out of 10. It’s a hardcoded password that MiCODUS trackers use as a grasp password. If obtained by hackers, they’ll use this passcode to log into the net server and pose as an genuine consumer to ship instructions to the tracker through SMS communications.
Therefore, they’ll absolutely management any GPS tracker, entry location particulars, disarm the alarm, change routes and geofences, and lower off automobiles’ gas.
One other vulnerability tracked as CVE-2022-2141 allows a damaged authentication state within the protocol utilized by the tracker to speak with the MiCODUS server. Then there’s a mirrored cross-site scripting error recognized within the Internet server. Monitoring designations of different vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.
In its technical write-up , BitSight warned MiCODUS in September 2021 in regards to the flaws. Nonetheless, after the corporate’s lukewarm response, CISA and BitSight determined to make the findings public. The vulnerabilities are nonetheless unpatched. BitSight recommends that each one organizations and people utilizing MV720 GPS trackers instantly disable the gadgets till they’re patched.
Organizations and people utilizing MV720 gadgets of their automobiles are in danger. Leveraging our proprietary information units, BitSight found MiCODUS gadgets utilized in 169 international locations by organizations together with authorities companies, army, and regulation enforcement, in addition to companies spanning quite a lot of sectors and industries together with aerospace, vitality, engineering, manufacturing, transport, and extra. Given the affect and severity of the vulnerabilities discovered, it’s extremely really helpful that customers instantly cease utilizing or disable any MiCODUS MV720 GPS trackers till a repair is made accessible.
BitSight
Extra Associated Subjects
- Lady Follows GPS, Goes Straight into Lake
- 600,000 GPS little one trackers discovered weak to location monitoring
- Safety Flaws in GPS Trackers Places Thousands and thousands of Gadgets’ Knowledge at Threat
- Shoddy safety of smartwatch lets hackers entry your little one’s location
- Strava’s World Warmth Map Exposes Person Areas Together with Army Bases
