Researchers: Chinese GPS tracker vulnerable
BOSTON — A popular Chinese-made automotive GPS tracker used in 169 countries has severe software vulnerabilities, posing a potential danger to highway safety, national security and supply chains, cybersecurity researchers have found.
A report by the Boston cybersecurity firm BitSight said the flaws could let attackers remotely hijack device-equipped vehicles, cutting off fuel to them and otherwise seizing control while they travel.
The researchers said users should immediately disable the MV720 GPS tracker until a fix becomes available. The report was released Tuesday to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing five vulnerabilities.
BitSight said it tried unsuccessfully for months — beginning in September, with CISA joining it in late April — to engage the manufacturer, Shenzhen-based MiCODUS, in discussion to address the vulnerabilities.
CISA said in a statement that it was not aware of “any active exploitation” of the vulnerabilities.
GPS trackers are used globally to monitor vehicle fleets — from trucks to school buses to military vehicles — and protect them against theft. In addition to collecting data on vehicle location, they typically also monitor other metrics, such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors and more.
Using the MV720, which BitSight says costs less than $25 per unit, a malicious user could remotely cut off the fuel line of a vehicle in motion, know a vehicle’s real-time location for espionage purposes or intercept and taint location or other data to sabotage operations, said the principal BitSight researcher on the project, Pedro Umbelino.
The main vulnerabilities, BitSight found, are that the device ships with a default password that more than 90% of users never change, and that a second, obscure but hard-coded password works on every device.
The manufacturer, MiCODUS, claims an installed base of 1.5 million devices across 420,000 customers, BitSight said.