Cybersecurity firm BitSight reported several major vulnerabilities in a popular GPS device that, if exploited, could grant hackers access to critical information about vehicles and, in some cases, to their operating controls.
The MiCODUS MV720 is a widely available GPS device used in over 1.5 million vehicles in 169 countries for fleet control. Its customer base includes large companies, law enforcement and government agencies, and national militaries. When installed, the MV720 can cut off fuel, track position, geofence (block travel outside a defined area), and disable or remotely control vehicles.
“Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security,” stated the report published by BitSight.
The list of vulnerabilities in the report describes several fundamental security gaps, including:
- A hard-coded master password that allows unauthenticated users to take full control over a device.
- A default device password of “123456” with no mandatory rule to change it.
- Cross-site scripting vulnerabilities that allow hackers to inject external code.
- Unencrypted communication on the device’s mobile app.
BitSight believes that other GPS devices produced by MiCODUS, an electronics manufacturer based in China, may have similar vulnerabilities.
“After multiple failed attempts to reach the manufacturer, BitSight shared its research with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), hoping CISA would be more successful in communicating with the vendor,” states the report. “CISA efforts to engage with the vendor have also been unsuccessful.”
CISA has issued an advisory regarding the vulnerabilities and urges MV720 owners to remove the devices from their vehicles.