A handful of vulnerabilities, some critical, in MiCODUS GPS tracker devices could allow criminals to disrupt fleet operations and spy on routes, or even remotely command or cut off fuel to vehicles, according to CISA. And there are no fixes for these security flaws.
Two of the bugs have been given a 9.8 out of 10 CVSS severity score. They can be exploited to send commands to a tracker device to execute with no meaningful authentication; the others require some degree of remote exploitation.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US government agency warned in an advisory posted Tuesday.
As of Monday, the device maker, based in China, had not provided any updates or patches to address the flaws, CISA added. The agency also recommended that fleet owners and operators take “defensive measures” to reduce risk.
This essentially consists of ensuring, wherever possible, that these GPS trackers are not accessible from the internet or from networks that miscreants can reach. And when remote control is required, CISA suggests using VPNs or other secure methods to manage access. That sounds like generic CISA advice, so perhaps a real workaround would be: stop using the GPS devices entirely.
BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott found the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.
“After reasonably exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] published on Tuesday.
About 1.5 million consumers and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government agencies, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping companies, they added.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:
For its research, the BitSight team used the MV720 model, which it noted is the company’s least expensive design with fuel cut-off functionality. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.
Here is a rundown of the vulnerabilities:
CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS score and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target’s GPS tracker.
These would appear as though they are coming from the GPS owner’s mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features provided by the device.
CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking device without any authentication.
A default password flaw, which is detailed in BitSight’s report but was not assigned a CVE by CISA, nonetheless “represents a severe vulnerability,” according to the security vendor. There is no mandatory rule that users change the default password, which ships as “123456,” on the devices, and this makes it rather easy for criminals to guess or assume a tracker’s password.
CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request, for instance by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS score.
The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter device IDs. This means they accept arbitrary device IDs without further verification.
“In this case, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. Additional data capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers,” BitSight explained. It received a 7.1 CVSS score.
And finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on the endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity score of 6.5.
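The two insecure direct object reference flaws above share one root cause: a device-ID lookup that never checks whether the logged-in account owns that device. The following is an added, constructed illustration of that bug class beside its fix; it is not MiCODUS code, and the in-memory device table, account names and device IDs are invented for the example.

```python
# Constructed illustration of a device-ID IDOR and its fix.
# Not MiCODUS code; users, device IDs, plates and SIM numbers are invented.
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str   # account that registered the tracker
    plate: str   # licence plate (the kind of data BitSight says the IDOR exposes)
    sim: str     # SIM card number


# Constructed server-side table: two accounts, one tracker each.
DEVICES = {
    "IMEI-0001": Device("IMEI-0001", "alice", "AB-123-CD", "8944-0001"),
    "IMEI-0002": Device("IMEI-0002", "bob", "EF-456-GH", "8944-0002"),
}


class AuthzError(Exception):
    """Raised when the caller may not see the requested device."""


def get_device_vulnerable(logged_in_user: str, device_id: str) -> dict:
    """IDOR: resolves the record by device ID alone. The session user is
    never consulted, so any authenticated account can read any device's
    plate, SIM and owner simply by supplying a different ID."""
    dev = DEVICES.get(device_id)
    if dev is None:
        raise KeyError(device_id)
    return vars(dev)


def get_device_hardened(logged_in_user: str, device_id: str) -> dict:
    """Fix: bind the lookup to the session. Unknown IDs and IDs owned by
    someone else raise the same error, so the endpoint also cannot be used
    to enumerate which device IDs exist in the database."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != logged_in_user:
        raise AuthzError("device not found or not owned by caller")
    return vars(dev)


def is_lookup_blocked(user: str, device_id: str) -> bool:
    """True when the hardened endpoint refuses the request."""
    try:
        get_device_hardened(user, device_id)
    except AuthzError:
        return True
    return False
```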
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.” ®