BitSight Discovers Critical Vulnerabilities in Widely Used Vehicle GPS Tracker

The_Heretic

Really should start finding other sources for some of this tech.

BOSTON – July 19, 2022 – BitSight announced today the discovery of six severe vulnerabilities in the MiCODUS MV720 GPS Tracker, a popular vehicle GPS tracker made in China and used worldwide by consumers for theft protection and location management, and by organizations for vehicle fleet management. If exploited in an attack, threat actors could not only access and control the tracker – they could potentially cut off fuel, physically stop vehicles, or surveil movement of vehicles in which the device is installed.

MiCODUS is a Shenzhen, China-based manufacturer and supplier of automotive electronics and accessories which has 1.5 million GPS tracking devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies. The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut off, remote control and geofencing capabilities.

BitSight’s research revealed MiCODUS devices deployed worldwide by individual consumers; government, military, and law enforcement agencies; and corporations spanning a variety of industries such as aerospace, energy, engineering, manufacturing, shipping, and more. Given the impact and severity of the vulnerabilities found, BitSight recommends users immediately cease using or disable any MiCODUS MV720 GPS trackers until a fix is made available by the company as there is no known workaround.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”

https://www.bitsight.com/press-rele...lnerabilities-widely-used-vehicle-gps-tracker
 
I am a firm believer that you can make something easy to use and integrate or you can make it secure, you can't do both.
The device is designed to do all those things, what they have is a back door, intentional or otherwise in a product that is doing what it is supposed to. They are just playing up that it is made in China like that is some sort of shock to them.
 
Why would a vehicle tracker even have access to a vehicle's other systems? That is an insane design choice.
It's exactly designed to do those things as it is primarily a theft prevention and monitoring device.

Main Functions:
1. Hidden Design and Easy Installation

Relay outlook design makes the device very convenient to hide and install.
2. Wide Operating Voltage 10-40V DC, compatible with vehicles on the market!
3. Remotely Cut Off & Resume Fuel

If your vehicle is stolen or you meet any emergency, you can remotely cut off the fuel via SMS command or APP to stop the vehicle; of course, you can also resume the fuel remotely.
4. GPS+LBS Double Positioning Ways
If the GPS signal is good, the device will locate via GPS satellite; if not, the device will locate via LBS! Under GPS locating mode, the accuracy is 5-10 meters; under LBS locating mode, the accuracy is 100-1000 meters!
5. Realtime Tracking
You can track the device in real time on Google Maps via mobile phone, tablet and computer, and the minimum data upload interval is 10 seconds!
6. History Route Playback
The APP and web server can record the upload data of the device for up to 6 months, and you can play back the history route at any time!
7. Power Saving Mode
The device will go into standby mode automatically when there isn't vibration for 3 minutes; it will go into working mode when it detects vibration again.
8. Overspeed Alarm
This alarm works only under continuous positioning mode. When the unit's speed exceeds the speed you preset, it will send the message “speed alarm!” to the admin number every 5 minutes.
9. Shake Alarm
After you set up the shake alarm, please keep the tracker stationary for 5 minutes, then this function will start working. It will send the SMS “sensor alarm!” to the admin number when the unit gets shocked.
10. Movement Alarm
When the unit stays immobile in a place for 10 minutes, the user can set up the movement alarm with this command "move+passord"; then, in case the device moves 500m, it will send the alarm SMS "Move Alarm+Latitude and longitude" to the authorized number.
11. Virtual Fence
Set up a virtual fence for the tracker to restrict its movements within a district. The unit will send alarm information to the APP and web server when it goes out of or gets in this district.
12. Sleep Mode
* Sleep by time mode

After this setting is made, the tracker will only work for 5 minutes after being woken up, then go back to sleep mode; GPS will shut off and GSM will work in low consumption mode. An SMS or call can wake up the tracker.
* Sleep by shock sensor mode
After this setting is made, if there is no shock for 5 minutes, the tracker will work under "sleep by shock" mode; GPS will shut off and GSM will work in low consumption mode. Vibration, an SMS or a call can wake up the tracker.
13. Illegal Cutting Line Alarm
Under arm mode, if someone cuts the wires of the device, you can get alarm information from the device.
14. LIFETIME FREE WEB TRACKING SOFTWARE AND MOBILE APP !
 
Remember- It’s federally mandated in the US here soon that every new vehicle sold will have this type of thing built in.

It amazes me that people think this won’t turn into a shit show. I’m holding onto my cheap Hyundai as long as possible.
 