A handful of vulnerabilities, some critical, in MiCODUS GPS tracker units could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there are no fixes for these safety flaws.
Two of the bugs received a 9.8 out of 10 CVSS severity score. They can be exploited to send commands to a tracker device to execute with no meaningful authentication, while the others involve some degree of remote exploitation.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US government agency warned in an advisory posted Tuesday.
As of Monday, the device maker, based in China, had not offered any updates or patches to resolve the flaws, CISA added. The agency also proposed that fleet owners and operators take “defensive measures” to minimize risk.
This evidently includes making sure, where possible, that these GPS trackers are not reachable from the internet or from networks that miscreants can get to. And when remote control is needed, CISA recommends using VPNs or other secure methods to control access. That sounds like generic CISA advice, so perhaps an actual workaround would be: stop using the GPS units altogether.
BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott discovered the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.
“After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] released on Tuesday.
About 1.5 million consumers and businesses use the GPS trackers, the researchers said. This spans 169 countries and includes government agencies, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping organizations, they added.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:
For its research, the BitSight team used the MV720 model, which it said is the company’s cheapest model with fuel cut-off functionality. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.
Here is a rundown of the vulnerabilities:
CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS score and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target’s GPS tracker.
These would appear as if they are coming from the GPS owner’s mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features provided by the device.
CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking device without authentication.
A default password flaw, which is detailed in BitSight’s report but was not assigned a CVE by CISA, still “represents a significant vulnerability,” according to the security vendor. There is no mandatory rule that users change the default password, which ships as “123456,” on the devices, and this would make it rather easy for criminals to guess or assume a tracker’s password.
CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request — for example, by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS score.
The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter Device IDs. This means they accept arbitrary device IDs without further verification.
“In this scenario, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. More information capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers,” BitSight said. It received a 7.1 CVSS score.
And finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on the endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity score of 6.5.
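The insecure direct object reference pattern behind the last two CVEs, as an added illustration that is neither MiCODUS’s code nor taken from the BitSight report: a device lookup that trusts the request’s Device ID as-is, beside one that checks ownership against the logged-in session. The device table, user names and IDs below are constructed sample data.

```python
"""Vulnerable vs. hardened handling of a Device ID lookup (illustrative, not MiCODUS code)."""
from __future__ import annotations

# Constructed sample data standing in for the tracking server's device table.
DEVICES = {
    "IMEI-0001": {"owner": "alice", "plate": "AB-123", "sim": "8944-01", "location": (38.7, -9.1)},
    "IMEI-0002": {"owner": "bob", "plate": "CD-456", "sim": "8944-02", "location": (40.4, -3.7)},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_device_vulnerable(session_user: str, device_id: str) -> dict:
    """IDOR pattern: the Device ID from the request is used directly as the key.
    The session user is never consulted, so any logged-in user can read any
    device's plate, SIM and location simply by supplying another ID."""
    return DEVICES[device_id]


def get_device_hardened(session_user: str, device_id: str) -> dict:
    """Authorization is enforced server-side against the session, not the request.
    'Missing' and 'not yours' produce the same error so the response does not
    reveal whether an arbitrary ID exists in the database."""
    record = DEVICES.get(device_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("device not found or not owned by caller")
    return record


def devices_for(session_user: str) -> list[str]:
    """Preferred design: enumerate from the session outward. The caller only
    ever sees IDs they own, so there is no client-supplied ID to validate."""
    return sorted(d for d, rec in DEVICES.items() if rec["owner"] == session_user)


if __name__ == "__main__":
    print("vulnerable:", get_device_vulnerable("alice", "IMEI-0002")["plate"])  # bob's data leaks
    print("hardened:", get_device_hardened("alice", "IMEI-0001")["plate"])
    try:
        get_device_hardened("alice", "IMEI-0002")
    except Forbidden as exc:
        print("hardened:", exc)
```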
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity about its system architecture, which may place any device at risk.” ®