A handful of vulnerabilities, some critical, in MiCODUS GPS tracker products could let criminals disrupt fleet operations and spy on routes, or even remotely control vehicles or cut off their fuel, according to CISA. And there are no fixes for these security flaws.
Two of the bugs received a 9.8 out of 10 CVSS severity rating. They can be exploited to send commands to a tracker device, which executes them with no meaningful authentication; the others involve some degree of remote exploitation.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US government agency warned in an advisory published Tuesday.
As of Monday, the device manufacturer, based in China, had not provided any updates or patches to fix the flaws, CISA added. The agency also recommended that fleet owners and operators take “defensive measures” to minimize risk.
This apparently includes ensuring, where possible, that these GPS trackers are not reachable from the internet or from networks that miscreants can reach. And when remote control is required, CISA recommends using VPNs or other secure methods to control access. That sounds like generic CISA advice, so perhaps the only real workaround is: stop using the GPS devices altogether.
BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott discovered the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.
“After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] published on Tuesday.
About 1.5 million people and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government organizations, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping companies, they added.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:
For its research, the BitSight team used the MV720 model, which it said is the company’s cheapest design with fuel cut-off functionality. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.
Here is a rundown of the vulnerabilities:
CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS score and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target’s GPS tracker.
These would appear to come from the GPS owner’s mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features offered by the device.
CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking device without authentication.
A default password flaw, which is detailed in BitSight’s report but was not assigned a CVE by CISA, still “represents a significant vulnerability,” according to the security vendor. There is no mandatory rule that users change the default password, which ships as “123456,” on the devices, and this makes it fairly easy for criminals to guess or assume a tracker’s password.
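The two authentication weaknesses above (a hard-coded master password that opens any account, and a factory default that is never forced to change) are easy to model side by side. The following is an added example written for this page; it is not MiCODUS or BitSight code, the account table is constructed, and the value of MASTER_PASSWORD is a placeholder rather than the real hard-coded credential. It shows a login routine with both weaknesses next to one that has no master credential and refuses to admit an account that is still on the default until the password is rotated.

```python
import hashlib
import hmac
import os

# Factory default named in the BitSight report.
DEFAULT_PASSWORD = "123456"
# Stand-in for a master password baked into a server; the value here is made up.
MASTER_PASSWORD = "hypothetical-master-secret"


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked account table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_account(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "hash": _derive(password, salt),
        # Set when the account is provisioned with the factory default.
        "must_change": password == DEFAULT_PASSWORD,
    }


# Constructed accounts: one customer changed the default, one never did.
ACCOUNTS = {
    "alice": make_account("alice", "correct-horse-battery-staple"),
    "bob": make_account("bob", DEFAULT_PASSWORD),
}


def _password_matches(acct: dict, password: str) -> bool:
    # Constant-time compare so the check does not leak how many bytes matched.
    return hmac.compare_digest(_derive(password, acct["salt"]), acct["hash"])


def login_vulnerable(username: str, password: str) -> str:
    """Both weaknesses from the rundown: a master password that is valid for
    every account, and no check that the factory default was ever replaced."""
    if hmac.compare_digest(password.encode(), MASTER_PASSWORD.encode()):
        return "ok"  # whoever learns the constant is every user
    acct = ACCOUNTS.get(username)
    if acct is not None and _password_matches(acct, password):
        return "ok"  # "123456" is accepted like any other password
    return "denied"


def login_hardened(username: str, password: str) -> str:
    """No master credential exists, and an account still on the default is
    sent to a reset flow instead of being logged in."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        # Run the KDF anyway so unknown usernames cost the same as wrong passwords.
        _derive(password, b"\x00" * 16)
        return "denied"
    if not _password_matches(acct, password):
        return "denied"
    if acct["must_change"]:
        return "password_change_required"
    return "ok"


def rotate_password(username: str, old: str, new: str) -> bool:
    """Reset flow: proves the old password, refuses the default or a short
    replacement, and clears the must_change flag by re-provisioning."""
    acct = ACCOUNTS.get(username)
    if acct is None or not _password_matches(acct, old):
        return False
    if new == DEFAULT_PASSWORD or len(new) < 12:
        return False
    ACCOUNTS[username] = make_account(username, new)
    return True


if __name__ == "__main__":
    print("vulnerable, master password as alice:", login_vulnerable("alice", MASTER_PASSWORD))
    print("hardened, master password as alice:  ", login_hardened("alice", MASTER_PASSWORD))
    print("hardened, bob on factory default:    ", login_hardened("bob", DEFAULT_PASSWORD))
```

The hardened path returns a distinct "password_change_required" result rather than silently logging the user in: the web tier can then route the session to a reset screen, and a tracker whose owner never touched the default stops being reachable with a guessed "123456".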
CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request, for example by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS rating.
The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on an endpoint and parameter taking Device IDs. This means they accept arbitrary device IDs without further verification.
“In this case, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. More information capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers,” BitSight explained. It received a 7.1 CVSS rating.
And finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on an endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity rating of 6.5.
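The two insecure direct object reference flaws above share one mechanism: the server resolves whatever Device ID it is handed and never asks whether that device belongs to the logged-in user. The following is an added example for this page, not code from MiCODUS or from the BitSight report; the endpoint name, the DeviceID parameter name and the device records are all constructed. It places a handler with that flaw beside a hardened one and includes a small enumeration loop that shows what a single valid account can pull from each.

```python
# Constructed records; the field types mirror the data BitSight says is reachable
# (plate, SIM and mobile numbers). None of these values are real.
DEVICES = {
    "1001": {"owner": "alice", "plate": "AB12 CDE", "sim": "8944100000000000001", "mobile": "+447700900001"},
    "1002": {"owner": "bob",   "plate": "FG34 HIJ", "sim": "8944100000000000002", "mobile": "+447700900002"},
    "1003": {"owner": "bob",   "plate": "KL56 MNO", "sim": "8944100000000000003", "mobile": "+447700900003"},
}


def device_info_vulnerable(session_user: str, params: dict) -> tuple:
    """Hypothetical GET/POST /device_info handler with the IDOR: the DeviceID
    parameter is looked up directly and session_user is never consulted."""
    device_id = params.get("DeviceID")
    if device_id is None:
        return 400, {"error": "DeviceID required"}
    record = DEVICES.get(device_id)
    if record is None:
        return 404, {"error": "unknown device"}
    return 200, record  # any authenticated user, any device


def device_info_hardened(session_user: str, params: dict) -> tuple:
    """Same endpoint with an ownership check tied to the session principal."""
    device_id = params.get("DeviceID")
    if not device_id or not device_id.isdigit():
        return 400, {"error": "DeviceID must be numeric"}
    record = DEVICES.get(device_id)
    # Authorization: the object must belong to the caller. A foreign device gets
    # the same 404 as a non-existent one, so the endpoint cannot be used as an
    # oracle to discover which IDs are live.
    if record is None or record["owner"] != session_user:
        return 404, {"error": "unknown device"}
    return 200, record


def enumerate_devices(handler, session_user: str, id_range) -> dict:
    """What one valid account learns by walking the ID space against a handler."""
    leaked = {}
    for n in id_range:
        status, body = handler(session_user, {"DeviceID": str(n)})
        if status == 200:
            leaked[str(n)] = body
    return leaked


def status_codes(handler, session_user: str, ids) -> list:
    """Status per ID, to show whether foreign and missing devices are distinguishable."""
    return [handler(session_user, {"DeviceID": i})[0] for i in ids]


if __name__ == "__main__":
    print("vulnerable, alice sees:", sorted(enumerate_devices(device_info_vulnerable, "alice", range(1000, 1010))))
    print("hardened, alice sees:  ", sorted(enumerate_devices(device_info_hardened, "alice", range(1000, 1010))))
```

The ownership check is the fix, but the choice of response matters too: if a foreign device returned 403 while a missing one returned 404, an attacker could still map every live Device ID on the server even without reading the records.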
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.” ®