A handful of vulnerabilities, some critical, in MiCODUS GPS tracker products could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there are no fixes for these security flaws.
Two of the bugs have been given a 9.8 out of 10 CVSS severity score. They can be exploited to send commands to a tracker device to execute with no meaningful authentication; the others involve some degree of remote exploitation.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US federal government agency warned in an advisory published Tuesday.
As of Monday, the device manufacturer, based in China, had not released any updates or patches to address the flaws, CISA added. The agency also suggested fleet owners and operators consider “defensive measures” to minimize risk.
This apparently includes ensuring, wherever possible, that these GPS trackers are not accessible from the internet or from networks that miscreants can reach. And when remote control is required, CISA recommends using VPNs or other secure methods to control access. That sounds like generic CISA advice, so perhaps a real workaround would be: stop using the GPS devices entirely.
BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott discovered the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.
“After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] published on Tuesday.
About 1.5 million individuals and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government organizations, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping companies, they added.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:
For its research, the BitSight team used the MV720 model, which it said is the company’s least expensive design with fuel cut-off capability. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.
Here’s a rundown of the vulnerabilities:
CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS score and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target’s GPS tracker.
These would appear as if they are coming from the GPS owner’s mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features provided by the device.
CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking device without authentication.
A default password flaw, which is detailed in BitSight’s report but wasn’t assigned a CVE by CISA, nonetheless “represents a critical vulnerability,” according to the security vendor. There is no mandatory rule that customers change the default password, which ships as “123456,” on the devices, and this makes it very easy for criminals to guess or assume a tracker’s password.
CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request — for example, by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS score.
The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter device IDs. This means they accept arbitrary device IDs without additional verification.
“In this scenario, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. Additional data capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers,” BitSight explained. It received a 7.1 CVSS score.
And finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on the endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity rating of 6.5.
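The two insecure direct object reference findings above, and the unchanged-default-password finding, both come down to a server-side check that is missing. The following is an added illustration, not MiCODUS code and not modelled on their actual API: a toy device-lookup handler written the way the report describes the flaw (any device ID is honoured regardless of who is logged in) next to the same handler with an ownership check, plus an enrolment-time refusal of the shipped default password. The data model, the `Device` fields, the function names and the sample records are all assumptions constructed for the example.

```python
"""Added example (not MiCODUS code): the IDOR pattern from the advisory and
the ownership check that closes it, plus a default-password gate.
All names, fields and sample data below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str   # username of the account that enrolled the tracker
    plate: str   # licence plate: the kind of data the report says could leak
    sim: str     # SIM card number: likewise


# Constructed sample data: two accounts, each owning one tracker.
DEVICES = {
    "DEV-1001": Device("DEV-1001", "alice", "AB12CDE", "8944110000000000001"),
    "DEV-2002": Device("DEV-2002", "bob", "XY98ZZZ", "8944110000000000002"),
}


class Forbidden(Exception):
    """Raised when the logged-in user may not see the requested device."""


def get_device_vulnerable(session_user: str, device_id: str) -> dict:
    """The flawed pattern: the handler trusts the device ID taken from the
    request and never asks whether session_user actually owns it, so any
    authenticated user can read any record (the report's 'regardless of
    the logged-in user')."""
    dev = DEVICES[device_id]
    return {"plate": dev.plate, "sim": dev.sim}


def get_device_hardened(session_user: str, device_id: str) -> dict:
    """Ownership check: resolve the ID, then compare its owner to the session.
    Missing and foreign IDs share one failure path, so the response does not
    confirm whether an arbitrary ID exists in the database."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != session_user:
        raise Forbidden(f"device not available to {session_user}")
    return {"plate": dev.plate, "sim": dev.sim}


def can_read(session_user: str, device_id: str) -> bool:
    """Convenience probe over the hardened handler: True if the lookup
    succeeds, False if it is refused."""
    try:
        get_device_hardened(session_user, device_id)
        return True
    except Forbidden:
        return False


DEFAULT_PASSWORD = "123456"  # the shipped default named in the report


def provisioning_allowed(password: str) -> bool:
    """Enrolment gate: refuse to activate a tracker whose password is still
    the vendor default (or too short to have been deliberately chosen).
    The 8-character floor is an assumed policy, not a MiCODUS requirement."""
    return password != DEFAULT_PASSWORD and len(password) >= 8


if __name__ == "__main__":
    # Same request from alice for bob's tracker, through both handlers.
    print("vulnerable:", get_device_vulnerable("alice", "DEV-2002"))
    print("hardened  :", can_read("alice", "DEV-2002"))
    print("default pw:", provisioning_allowed(DEFAULT_PASSWORD))
```

The point of the hardened handler is that authorization is decided from the session plus the record's own owner field, never from anything the client supplies; the device ID in the request is only a lookup key. Refusing the default password at enrolment, rather than merely recommending a change, is the counterpart to the report's observation that nothing forces customers to change it.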
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.” ®