A handful of vulnerabilities, some critical, in MiCODUS GPS tracker devices could allow criminals to disrupt fleet operations and spy on routes, or even remotely control vehicles or cut off their fuel, according to CISA. And there are no fixes for these security flaws.
Two of the bugs received a 9.8 out of 10 CVSS severity score. They can be exploited to send commands to a tracker device for execution without any meaningful authentication; the others involve some degree of remote exploitation.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US government agency warned in an advisory published Tuesday.
As of Monday, the device manufacturer, based in China, had not provided any updates or patches to fix the flaws, CISA added. The agency also advised fleet owners and operators to take “defensive measures” to minimize risk.
This apparently consists of ensuring, where possible, that these GPS trackers are not reachable from the internet or from networks that miscreants can get to. And when remote control is required, CISA recommends using VPNs or other secure methods to control access. Note that several of the flaws described below sit in MiCODUS's own API and web servers rather than in the tracker hardware, so network isolation on the operator's side does nothing about those. That reads like generic CISA advice, so perhaps a real workaround would be: stop using the GPS devices altogether.
BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott found the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.
“After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] published on Tuesday.
About 1.5 million users and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government agencies, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping organizations, they added.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:
For its analysis, the BitSight team used the MV720 model, which it said is the company's least expensive design with fuel cut-off capability. The unit is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.
Here is a rundown of the vulnerabilities:
CVE-2022-2107 is a hard-coded password vulnerability in the MiCODUS API server. It received a 9.8 CVSS score and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target's GPS tracker.
These would look like they are coming from the GPS owner's mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features provided by the device.
CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking device without any authentication.
A default password flaw, which is detailed in BitSight's report but wasn't assigned a CVE by CISA, nevertheless “represents a significant vulnerability,” according to the security vendor. There is no mandatory rule that users change the default password, which ships as “123456,” on the devices, and this makes it very easy for criminals to guess or assume a tracker's password.
CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request, for example by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS score.
The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter device IDs. This means they accept arbitrary device IDs without further verification.
“In this case, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. Additional data capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers,” BitSight explained. It received a 7.1 CVSS score.
And finally, CVE-2022-33944 is another insecure direct object reference vulnerability on the main web server. This flaw, on the endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity score of 6.5.
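The two IDOR findings above share one root cause: the server checks that a caller is logged in but never checks that the requested device ID belongs to that caller. The following is an added illustration of that pattern, written for this article and not taken from MiCODUS or BitSight. The device records, account names, handler functions and the in-memory "database" are all constructed for the example; it shows a lookup handler with the flaw beside one that scopes every lookup to the authenticated account, and an ID sweep of the kind that turns the flaw into a bulk leak of plate, SIM and phone numbers.

```python
"""IDOR illustration (constructed example, not MiCODUS code): the same
device-lookup endpoint with and without an ownership check."""

from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    owner: str
    license_plate: str
    sim_number: str
    mobile_number: str


# Constructed stand-in for the server database: two accounts, three trackers.
DEVICES = {
    "1001": DeviceRecord("1001", "alice", "ABC-123", "8901-0000-0001", "+10000000001"),
    "1002": DeviceRecord("1002", "alice", "ABC-124", "8901-0000-0002", "+10000000002"),
    "2001": DeviceRecord("2001", "bob", "XYZ-999", "8901-0000-0003", "+10000000003"),
}


def lookup_device_vulnerable(session_user: str, device_id: str) -> DeviceRecord:
    """The flawed pattern: authentication is enforced (a session must exist)
    but authorization is not, so any logged-in user can read any device ID."""
    if not session_user:
        raise PermissionError("login required")
    record = DEVICES.get(device_id)
    if record is None:
        raise LookupError("no such device")
    return record


def lookup_device_fixed(session_user: str, device_id: str) -> DeviceRecord:
    """The hardened pattern: the lookup is scoped to the caller's own account.
    "Not yours" and "does not exist" return the same error so the endpoint
    cannot be used to enumerate which device IDs are valid either."""
    if not session_user:
        raise PermissionError("login required")
    record = DEVICES.get(device_id)
    if record is None or record.owner != session_user:
        raise LookupError("no such device")
    return record


def can_read(lookup: Callable[[str, str], DeviceRecord], user: str, device_id: str) -> bool:
    """True if the given handler hands `user` the record for `device_id`."""
    try:
        lookup(user, device_id)
        return True
    except (LookupError, PermissionError):
        return False


def enumerate_devices(lookup: Callable[[str, str], DeviceRecord],
                      session_user: str, candidate_ids: Iterable[str]) -> List[DeviceRecord]:
    """What an attacker does with one valid session against the flawed
    handler: sweep a range of device IDs and keep every record returned."""
    leaked = []
    for device_id in candidate_ids:
        try:
            leaked.append(lookup(session_user, device_id))
        except (LookupError, PermissionError):
            continue
    return leaked


if __name__ == "__main__":
    sweep = [str(n) for n in range(1000, 2100)]
    for name, handler in (("vulnerable", lookup_device_vulnerable), ("fixed", lookup_device_fixed)):
        hits = enumerate_devices(handler, "bob", sweep)
        print(f"{name:10s} bob sees: {[(r.device_id, r.license_plate, r.sim_number) for r in hits]}")
```

Against the vulnerable handler, bob's single session recovers all three records, including alice's plate, SIM and mobile numbers; against the fixed handler the same sweep returns only his own device, and a miss on someone else's ID is indistinguishable from a miss on an unused ID.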
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.” ®