Baltimore Sun

Researchers: Chinese GPS tracker vulnerable

- By Frank Bajak

BOSTON — A popular Chinese-made automotive GPS tracker used in 169 countries has severe software vulnerabilities, posing a potential danger to highway safety, national security and supply chains, cybersecurity researchers have found.

A report by the Boston cybersecurity firm BitSight said the flaws could let attackers remotely hijack device-equipped vehicles, cutting off fuel to them and otherwise seizing control while they travel.

The researchers said users should immediately disable the MV720 GPS tracker until a fix becomes available. The report was released Tuesday to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing five vulnerabilities.

BitSight said it tried unsuccessfully for months — beginning in September, with CISA joining it in late April — to engage the manufacturer, Shenzhen-based MiCODUS, in discussion to address the vulnerabilities.

CISA said in a statement that it was not aware of “any active exploitation” of the vulnerabilities.

GPS trackers are used globally to monitor vehicle fleets — from trucks to school buses to military vehicles — and protect them against theft. In addition to collecting data on vehicle location, they typically also monitor other metrics, such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors and more.

Using the MV720, which BitSight says costs less than $25 per unit, a malicious user could remotely cut off the fuel line of a vehicle in motion, know a vehicle’s real-time location for espionage purposes or intercept and taint location or other data to sabotage operations, said the principal BitSight researcher on the project, Pedro Umbelino.

The main vulnerabilities: The device comes with a default password that more than 90% of users don’t change, and there is a second, obscure but hard-coded password that works for all devices, BitSight found.

The manufacturer, MiCODUS, claims an installed base of 1.5 million devices across 420,000 customers, BitSight said.
