BitSight Unearths Severe Vehicle GPS Tracker Vulnerabilities


Many drivers rely on vehicle GPS trackers daily to locate and reach their next destination. But imagine someone attacking that tracker to cut off fuel, physically stop the vehicle or surveil its movements.

To most, it would not seem possible. However, BitSight discovered six severe vulnerabilities in the MiCODUS MV720 GPS Tracker that, if exploited in an attack, could result in any or all of those acts.

MiCODUS is a manufacturer and supplier of automotive electronics and accessories based in Shenzhen, China, that has 1.5 million GPS tracking devices in use across 420,000 customers, including government, military, law enforcement agencies and Fortune 1000 companies. The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut-off, remote control and geofencing capabilities.

The more severe attack scenarios made possible by exploitation of these vulnerabilities, which earned CVSS scores as high as 9.8, include:

  • Remotely cutting off the fuel line of a vehicle in motion.
  • Gaining access to vehicle location information, user routes, geofences and real-time location tracking for surveillance purposes.
  • Monitoring and controlling all communications to and from the GPS tracker, including intentionally issuing incorrect vehicle location information to the GPS server.

BitSight recommends that users immediately stop using or disable any MiCODUS MV720 GPS trackers until the company makes a fix available, as there is no known workaround.

"The vulnerabilities we discovered affecting the MiCODUS MV720 would allow for many possible attack scenarios where a bad actor could easily gain complete control over any GPS tracker of this type," said Pedro Umbelino, principal security researcher at BitSight. "Unfortunately, these vulnerabilities are not difficult to exploit."

BitSight shared its research with the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) when its vulnerability disclosure efforts to MiCODUS were disregarded. BitSight and CISA determined that these vulnerabilities require disclosure, which gives organizations and device users the information they need to protect themselves.

"The vulnerabilities discovered by BitSight can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organizations if not addressed," said BitSight CEO Stephen Harvey. "Our research highlights why it is critical for organizations to consider internet of things devices in cyber resilience efforts. Implementing internet-connected devices like the MiCODUS GPS trackers can expand an organization's attack surface and expose individual consumers to new risks."

CISA, in collaboration with BitSight, issued a public advisory detailing the notable common vulnerabilities and exposures that were discovered.

Edited by Erik Linask

IoTevolutionworld Editor
