According to new research, security vulnerabilities in a popular China-built GPS vehicle tracker could easily be exploited to track and remotely disable the engines of at least a million vehicles around the world. Even worse, the company that makes the GPS trackers has made no effort to fix them.
Cybersecurity startup BitSight said it had found six vulnerabilities in the MV720, a wired GPS tracker built by Micodus, a Shenzhen-based electronics manufacturer that claims more than 1.5 million of its GPS trackers are in use today across more than 420,000 customers worldwide, including companies with vehicle fleets, law enforcement agencies, militaries and national governments. BitSight said it also found the GPS trackers in use at Fortune 50 companies and a nuclear power plant operator.
But the security flaws can be easily and remotely exploited to track any vehicle in real time, access previous routes and shut down the engines of moving vehicles.
Pedro Umbelino, principal security researcher at BitSight and author of the report seen by australiabusinessblog.com before publication, said the vulnerabilities “are not difficult to exploit” and that the nature of the flaws “raises significant questions about the vulnerability of other models”, meaning the bugs may not be limited to the one Micodus GPS tracker model.
Given the severity of the bugs and the lack of fixes, both BitSight and CISA, the US government’s cybersecurity agency, warned vehicle owners to remove the devices as soon as possible to reduce the risk.
The six vulnerabilities vary in severity and exploitability, but all but one are rated “high” or higher. Some bugs are in the GPS tracker itself, others in the web dashboard that customers use to track their fleet.
The most serious flaw is a hard-coded password that can be used to take full control of any GPS tracker, access the real-time location of vehicles and past routes, and shut off fuel to vehicles remotely. Since the password is embedded directly into the code of the Android app, anyone can dig into the code and find it.
The investigation also found that the GPS tracker ships with a default password of “123456”, which lets anyone access the trackers of owners who have not changed their device’s password. BitSight found that 95% of a sample of 1,000 tested devices were accessible with the unchanged default password, likely because device owners aren’t prompted to change the password during setup.
Two of the remaining vulnerabilities, known as insecure direct object references, or IDORs, allow a logged-in user to access data from a vulnerable GPS tracker that doesn’t belong to them and to generate spreadsheets showing device activity, such as past locations and routes.
The researchers said they found vulnerable Micodus GPS trackers around the world, with the highest concentration of devices in Ukraine, Russia, Uzbekistan and Brazil, as well as across Europe, including Spain, Poland, Germany and France. Kevin Long, a spokesperson for BitSight, told australiabusinessblog.com that it saw a smaller percentage of devices in the United States, but it’s likely “thousands” of devices.
BitSight CEO Stephen Harvey said the vulnerabilities could lead to “disastrous consequences” for affected vehicle owners. The security firm first contacted Micodus in September 2021, but no attempts were made to fix the vulnerabilities prior to the report’s publication. Security researchers typically give companies three months to fix vulnerabilities before they are made public, giving developers time to remediate before the details of the vulnerabilities are published.
Micodus did not respond to australiabusinessblog.com’s request for comment sent before publication.