GPS tracker exploit puts the world’s most high-value individuals in real-world danger

July 20, 2022

Security researchers have exposed a string of vulnerabilities in a hugely popular GPS tracker that could be exploited to disable the vehicles of some of the most high-value organisations in the world.

The six “severe” vulnerabilities were discovered in the MiCODUS MV720 GPS tracker, which researchers believe is fitted in 1.5 million vehicles across 169 countries.

The affected vehicles are thought to be in use by the likes of Fortune 50 companies, militaries, governments, nuclear power operators, and law enforcement bodies.

The researchers at BitSight who discovered the security flaws said hackers could feasibly exploit them to stealthily track the vehicles and remotely disable entire fleets of vehicles.

Being able to track high-value vehicles could potentially lead to the tracking of government personnel and the discovery of sensitive locations such as safehouses.

BitSight said potential exploits could also lead to the immobilisation of emergency services vehicles, subsequently leading to real-world harms, and to civilian vehicles being halted on dangerous motorways, for example.

The GPS tracker is capable of monitoring real-time speed, locations, and historic routes, and can even remotely cut off fuel supplies in the event of a theft, or disable features like alarms, the researchers said.

The MiCODUS MV720 is made in Shenzhen, China, and while the research was focused on this model, BitSight said other MiCODUS models may also be vulnerable to similar or identical exploits.

Commonly sold for around $20 online, the MV720 tracker has been assigned CVE tracking numbers for five of the six vulnerabilities the researchers discovered.

The full exploit chain has also been deemed so severe that CISA has published a dedicated security advisory, and the CVSSv3 severity rating is 9.8/10 because it is remotely exploitable and requires a very low degree of complexity.

BitSight said that CISA has made repeated attempts to share the findings with MiCODUS but has been met with disregard from the company. The US cyber authority has subsequently concluded that the flaws warrant public disclosure.

Vulnerability breakdown

Hard-coded password (API server) – CVE-2022-2107 – CVSSv3 score: 9.8 (critical)

This is one of the most severe vulnerabilities, enabling hackers to carry out the most serious actions after exploiting the device, such as disabling alarms and fuel supplies and tracking vehicles.

“Although the API server has an authentication mechanism, products use a hard-coded master password allowing an attacker to log into the web server, impersonate the user, and directly send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number,” BitSight said.

Broken authentication (API server/GPS tracker protocol) – CVE-2022-2141 – CVSS 3.1 score: 9.8 (critical)

The second critical-rated vulnerability allows hackers to send commands to the device over SMS as if they were the device administrator.

This is because the tracker’s default password is set to 123456, as is that of the web interface and mobile application. Researchers said this should be changed, but there is no prompt to do so from the company, and many installations are left unchanged from the default settings.

The full SMS command list includes sending a Google Maps link to the device’s coordinates, changing the password, and resetting to factory defaults.

Default password (API server) – no CVE tracker – CVSS 3.1 score: 8.1 (high)

The one vulnerability BitSight was not able to get a CVE tracker for was the fact that devices shipped with default passwords that did not enforce a change by the user.

The researchers said this represents a “severe vulnerability” in itself, although unsecured default passwords are all too common in IoT products.

The remaining vulnerabilities ranged in score from 6.5 (medium) to 7.5 (high). These were:

  • CVE-2022-2199, CVSSv3 score: 7.5 (high): A cross-site scripting (XSS) vulnerability could allow an attacker to gain control by deceiving a user into making a request
  • CVE-2022-34150, CVSSv3 score: 7.1 (high): The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification
  • CVE-2022-33944, CVSSv3 score: 6.5 (medium): The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs

Risk of death

BitSight said the potential risks to high-value individuals are “myriad”. Everyone from civilians to top politicians could be tracked, threatening personal safety. Hackers could also use tracking data to inform burglaries of wealthy targets such as business leaders.

Hackers could also deploy ransomware to vehicles, demanding a ransom to restore them to working order. The same kind of attack could lead to supply chain issues for some businesses.

Emergency services vehicles could be disabled, potentially as a result of a ransomware attack, affecting the services’ ability to meet the needs of people and real-world crime, for example.

There was a case in Germany in 2020 in which a woman was being transported to hospital by an ambulance which was infected with ransomware en route.

At the time, it was believed to be the first known case of a cyber attack leading to a loss of life, but a police investigation later debunked the theory, saying the woman’s health was so poor she likely would have died anyway.

The threat to life remains, however, and especially with geopolitical relations between the US and China remaining as tense as they are, experts told BitSight that the idea of China being able to control US vehicles is “a problem”.


Some parts of this article are sourced from:
www.itpro.co.uk
