Security flaws in GPS trackers can be abused to cut off fuel to vehicles, CISA warns

A handful of vulnerabilities, some critical, in MiCODUS GPS tracker devices could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there's no fixes for these security flaws.

Two of the bugs received a 9.8 out of 10 CVSS severity rating. They can be exploited to send commands to a tracker device to execute with no meaningful authentication; the others involve some degree of remote exploitation.

"Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms)," the US government agency warned in an advisory posted Tuesday.

As of Monday, the gadget manufacturer, based in China, had not provided any updates or patches to fix the flaws, CISA added. The agency also recommended fleet owners and operators take "defensive measures" to minimize risk.

This apparently includes ensuring, where possible, that these GPS tracers are not accessible from the internet or networks that miscreants can get to. And when remote control is required, CISA recommends using VPNs or other secure methods to control access. That sounds like generic CISA advice so perhaps a real workaround would be: stop using the GPS devices altogether.

Bitsight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott discovered the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS. 

"After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure," according to a BitSight report [PDF] published on Tuesday.

About 1.5 million consumers and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government agencies, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping companies, they added.

"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," the report authors claimed, adding:

For its research, the BitSight team used the MV720 model, which it said is the company's least expensive design with fuel cut-off functionality. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and receive SMS commands.

Here's a rundown of the vulnerabilities:

CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS score and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target's GPS tracker. 

These would look like they are coming from the GPS owner's mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel and disarm alarms or other features provided by the gadget.

CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking device without authentication.

• Botnet malware disguises itself as password cracker for industrial controllers
• Homeland Security warns: Expect Log4j risks for 'a decade or longer'
• What to do about inherent security flaws in critical infrastructure?
• CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure

A default password flaw, which is detailed in BitSight's report but wasn't assigned a CVE by CISA, still "represents a severe vulnerability," according to the security vendor. There's no mandatory rule that users change the default password, which ships as "123456," on the devices, and this makes it pretty easy for criminals to guess or assume a tracker's password.

CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request — for example, by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS rating

The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter device IDs. This means they accept arbitrary device IDs without further verification.

"In this case, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. Additional information capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers," BitSight explained. It received a 7.1 CVSS rating.

And finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on the endpoint and POST parameter "Device ID," accepts arbitrary device IDs, and received a severity score of 6.5.

"BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available," the report concluded. "Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk." ®