Hackers can exploit vulnerabilities in a popular GPS tracking device used around the world for vehicle fleet management across many industry sectors. The tracker, made by a Chinese company called MiCODUS, is widely available to purchase from online retailers and has anti-theft, fuel cut-off, remote control, and geofencing capabilities.
"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," researchers from cyber security assessment firm BitSight said in a report.
"For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways.
"Attackers could choose to surreptitiously track individuals or demand ransom payments to return disabled vehicles to working condition. There are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security."
BitSight said it had repeatedly attempted to establish a technical security contact at MiCODUS since September to share its findings, but was only able to reach the company's sales department, which was not helpful.
The researchers then contacted the U.S. Department of Homeland Security, which runs the Cybersecurity and Infrastructure Security Agency (CISA), to help with the vulnerability disclosure coordination.
The MiCODUS GPS tracking infrastructure
The researchers investigated the MiCODUS MV720, a hardwired cellular-enabled GPS tracking device for vehicles that has fuel cut-off functionality and can take commands via SMS messages.
However, some of the identified vulnerabilities are not in the device itself but in the associated infrastructure such as MiCODUS's cloud API server and mobile application, which means the company's other GPS tracking devices could also be affected. MiCODUS also makes several GPS trackers intended for other types of assets and for personal use.
The MV720 trackers communicate with a MiCODUS server over a custom unencrypted TCP protocol on port 7700. The same server also hosts the web-based interface that users can log into to manage their GPS trackers as well as an API that the companion mobile app uses.
While the web interface uses HTTPS, the API communication is over plain HTTP, opening the door to man-in-the-middle attacks if an attacker can position themselves in the network path between a user's mobile app and the API server.
Authentication bypass and full device takeover
The lack of encryption on the API server allowed the researchers to easily analyse the traffic sent by the mobile app. This led to the discovery that following a successful authentication, the server sets the same session key and hardcoded access token for all users. In other words, an attacker could easily craft requests to the API to hijack a GPS tracker that doesn't belong to them.
This vulnerability is made worse by the fact that the GPS trackers seem to have incremental IDs in the system, so they're easy to enumerate. The API allows sending commands to GPS trackers as if they were sent via SMS from the owner's phone number.
This includes the ability to access location information, routes and geofences, cut off fuel to vehicles and disable alarms. This vulnerability, which is tracked as CVE-2022-2107 and is rated critical, leads to full control over the tracker's features.
It gets worse. The GPS trackers come with a default password of 123456, and users are neither required nor warned to change it.
In fact, the researchers tested 1,000 GPS trackers through the web interface just by incrementing the ID of the tracker they owned and 945 of them still had the default password. While this issue was not assigned a CVE, the researchers believe it's a serious vulnerability.
Even if the password is changed, the device is not secure because some commands work without a password. One of those commands is called adminip and can be used to change the API endpoint setting on the GPS tracker -- in other words, the IP of the control server.
An attacker can instruct a GPS tracker to contact their own server instead and then proxy the communication to the real server, essentially achieving a man-in-the-middle position. This issue is tracked as CVE-2022-2141 and is also rated critical.
Furthermore, the researchers discovered a reflected cross-site scripting (XSS) vulnerability in the web interface (CVE-2022-2199) that could allow attackers to hijack user sessions by tricking them into opening specially crafted links, as well as two insecure direct object reference issues (CVE-2022-34150 and CVE-2022-33944) that could allow an authenticated user to access information from other accounts by altering certain parameters in their requests.
MiCODUS claims it has 1.5 million GPS tracking devices deployed across 420,000 customers worldwide, but it's unclear how many of those are MV720 units or are used for fleet control. BitSight analysed DNS traffic data to the MiCODUS control server and observed an average of 7,488 connections per day to the service on TCP port 7700 from 525,856 unique IP addresses.
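The authentication and authorisation flaws described above (the hardcoded, shared session token behind CVE-2022-2107, the enumerable incremental tracker IDs, the unchanged default password and the insecure direct object references) boil down to one server-side pattern. The following Python illustration, added for this article and not MiCODUS code, models that pattern abstractly beside a hardened equivalent; the token value, usernames, tracker records and command names are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "123456"  # factory default that 945 of the 1,000 sampled trackers still used

@dataclass
class Tracker:
    owner: str
    password: str

@dataclass
class ApiServer:
    trackers: dict = field(default_factory=dict)  # incremental integer ID -> Tracker
    sessions: dict = field(default_factory=dict)  # session token -> username

class FlawedApiServer(ApiServer):
    # Pattern in the report: every login gets the same token; commands are authorised by ID alone.
    SHARED_TOKEN = "HARDCODED-TOKEN-PLACEHOLDER"  # constructed value, not the real one
    def login(self, username):
        self.sessions[self.SHARED_TOKEN] = username
        return self.SHARED_TOKEN
    def send_command(self, token, tracker_id, command):
        if token not in self.sessions:
            return "unauthenticated"
        return f"{command} sent to tracker {tracker_id}"  # no ownership check: any user, any ID

class HardenedApiServer(ApiServer):
    def login(self, username):
        token = secrets.token_urlsafe(32)  # unpredictable and unique per session
        self.sessions[token] = username
        return token
    def send_command(self, token, tracker_id, command):
        user = self.sessions.get(token)
        if user is None:
            return "unauthenticated"
        tracker = self.trackers.get(tracker_id)
        if tracker is None or tracker.owner != user:
            return "forbidden"  # object-level authorisation closes the IDOR and enumeration path
        if tracker.password == DEFAULT_PASSWORD:
            return "default password must be changed"  # refuse to act until the factory password is replaced
        return f"{command} sent to tracker {tracker_id}"

def scenario(server_cls):
    # Constructed fixture: bob owns tracker 2 (factory password) and tries alice's tracker 1.
    srv = server_cls()
    srv.trackers[1] = Tracker(owner="alice", password="changed-by-owner")
    srv.trackers[2] = Tracker(owner="bob", password=DEFAULT_PASSWORD)
    bob = srv.login("bob")
    return {"cross_account": srv.send_command(bob, 1, "cut_fuel"),
            "own_default": srv.send_command(bob, 2, "cut_fuel")}
```

Running scenario() against both classes shows the flawed server accepting a fuel cut-off for another account's tracker, while the hardened server rejects it and also refuses to act on a tracker still using the factory password.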
Since these are cellular-enabled devices with a SIM card, their IP address could change often, so the number of unique IP addresses does not necessarily correlate with the number of unique devices contacting the server.
However, based on an analysis of the data, the researchers believe the countries with the highest number of unique devices are Russia, Morocco, Chile, Brazil, Uzbekistan, South Africa, Ukraine, Poland, Italy and Mexico. In North America, Mexico is followed by the U.S. in the number of deployed devices.
By sector, the top ten breakdown for users is government, business services, manufacturing, finance, energy/resources, utilities, consumer goods, retail, education and transportation.
Among the users, the researchers managed to identify a Fortune 50 energy company, a nuclear power plant operator, a national law enforcement organisation in Western Europe, a major national military in South America, a Fortune 50 technology company, a Fortune 50 aerospace company, a national government in Western Europe, a Fortune 50 professional services company, a national government in the Middle East, a national military in Eastern Europe, a national government ministry in North America, and a Fortune 50 manufacturing conglomerate.
"Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone," the researchers said.
"Having a centralised dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organisations.
"Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. BitSight recommends that individuals and organisations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available."