Security flaws in GPS trackers put global fleets at risk • The Register


A handful of vulnerabilities, some critical, in MiCODUS GPS tracker products could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there are no fixes for these security flaws.

Two of the bugs received a 9.8 out of 10 CVSS severity rating. They can be exploited to send commands to a tracker device for execution without any meaningful authentication; the others involve some degree of remote exploitation.

“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US government agency warned in an advisory published Tuesday.

As of Monday, the device manufacturer, based in China, had not provided any updates or patches to fix the flaws, CISA added. The agency also recommended fleet owners and operators take “defensive measures” to reduce risk.

This apparently includes ensuring, where possible, that these GPS trackers are not reachable from the internet or from networks that miscreants can get to. And when remote control is required, CISA recommends using VPNs or other secure methods to manage access. That sounds like generic CISA advice, so perhaps a real workaround would be: stop using the GPS devices entirely.

BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott found the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.

“After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] published on Tuesday.

About 1.5 million users and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government agencies, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping companies, they added.

“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:

For its research, the BitSight team used the MV720 model, which it said is the company’s least expensive design with fuel cut-off capability. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.

Here is a rundown of the vulnerabilities:

CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS rating and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target’s GPS tracker.

These would appear as if they were coming from the GPS owner’s mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features provided by the device.

CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS rating. This flaw could allow an attacker to send SMS commands to the tracking device without authentication.

A default password flaw, which is detailed in BitSight’s report but wasn’t assigned a CVE by CISA, still “represents a severe vulnerability,” according to the security vendor. There is no mandatory rule that users change the default password, which ships as “123456,” on the devices, and this makes it very easy for criminals to guess or assume a tracker’s password.

CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request — for example, by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS score.

The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter Device IDs. This means they accept arbitrary device IDs without further verification.

“In this case, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. Further information capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, cellular numbers,” BitSight explained. It received a 7.1 CVSS score.

And finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on the endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity rating of 6.5.
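To make the two insecure direct object reference findings and the default-password issue concrete, here is an added example (not code from BitSight, CISA or MiCODUS) showing a device lookup that trusts a client-supplied Device ID beside one that enforces ownership, plus a check for the shipped default. The device records, field names and usernames are constructed for illustration and are not the vendor’s schema.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Device:
    # Constructed sample record; field names are illustrative only.
    device_id: str
    owner: str      # account the tracker is registered to
    plate: str      # license plate, the kind of data BitSight says leaks via IDOR
    sim: str        # SIM card number, likewise


# Constructed in-memory stand-in for the server database.
DEVICES: Dict[str, Device] = {
    "D-1001": Device("D-1001", "alice", "PLATE-A", "SIM-A"),
    "D-1002": Device("D-1002", "bob", "PLATE-B", "SIM-B"),
}

DEFAULT_PASSWORD = "123456"  # factory default described in the BitSight report


def lookup_device_vulnerable(session_user: str, device_id: str) -> Optional[Device]:
    """Pattern to avoid: resolves whatever Device ID the client sent and never
    consults the logged-in user, so any account can read any record."""
    return DEVICES.get(device_id)


def lookup_device_fixed(session_user: str, device_id: str) -> Optional[Device]:
    """Hardened: resolve the object, then require that it belongs to the caller.
    'Missing' and 'not yours' return the same result so IDs cannot be enumerated."""
    device = DEVICES.get(device_id)
    if device is None or device.owner != session_user:
        return None
    return device


def must_rotate_password(password: str) -> bool:
    """Flag a tracker still on the factory default so the server can force a change
    at login instead of leaving rotation optional."""
    return password == DEFAULT_PASSWORD


if __name__ == "__main__":
    # alice is logged in but asks for bob's tracker.
    print("vulnerable:", lookup_device_vulnerable("alice", "D-1002"))
    print("fixed:", lookup_device_fixed("alice", "D-1002"))
    print("needs rotation:", must_rotate_password("123456"))
```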

“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.” ®

