July 21, 2022
Two Days ago, CISA released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System (GPS) Tracker. According to the Advisory, Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker. The systems are a Vehicle Aftermarket Product and are usually installed with a GPS Management System.
The MV720 is a hardwired GPS Tracker built by MiCODUS, a Shenzhen-based OEM Electronics Maker, which claims more than 1.5 million GPS Trackers in use today across more than 420,000 customers worldwide, including companies with fleets of vehicles, law enforcement agencies, militaries, and national governments. They connect to the Internet via Cellular Modem Usually.
According to the Website Trackyourtruck.com, a hardwired GPS tracker refers to tracking systems that are hard-wired into the vehicle. They are difficult to tamper with, and they are wired to the vehicle’s systems.
There are two types of GPS Trackers on the Market: Plug-in and Hard-Wired or Wired. Plug-in GPS’ connect via a Console Port on the Vehicle… Think something like All-State Insurance “Drivewise,” where All-State Insurance Tracks your Movements, You Lose Your Privacy and All-State Makes More Money.
Now the worst thing about this is that these GPS Trackers are cheap – less than $100 Bucks a Piece – which makes them ripe for being made by a Chinese OEM (Original Equipment Manufacturer), MiCODUS being one of them. They sell either as part of a bigger tracking system or as a single use with an applet that tracks. They could be sold on Amazon. It is also hard to identify, whether you are using a vulnerable device, because they are an OEM.
The Trackers can operate via a battery and antenna to send alerts should tampering occur. Wired devices, unlike plug-ins GPS Trackers, have the option to remotely disable the vehicle’s ignition if there is a safety or service violation, impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.
The MV720 has a total of six software vulnerabilities that could cause massive trouble for a driver if exploited. Probably the worst vulnerability of the bunch (tracked as CVE-2022-2107) is a hardcoded password that is used by all MiCODUS GPS trackers.
According to the CISA, they encourage users and technicians to review ICS Advisory ICSA-22-200-01 for technical details and mitigations and the Bitsight Report: Critical Vulnerabilities in Widely Used Vehicle GPS Tracker for additional information.
1