A handful of vulnerabilities, some critical, in MiCODUS GPS tracker products could enable criminals to disrupt fleet operations and spy on routes, or even remotely control vehicles or cut off their fuel, according to CISA. And there are no fixes for these security flaws.
Two of the bugs received a 9.8 out of 10 CVSS severity score. They can be exploited to send commands to a tracker unit, which executes them without any meaningful authentication; the others involve some degree of remote exploitation.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms),” the US government agency warned in an advisory published Tuesday.
As of Monday, the device maker, based in China, had not provided any updates or patches to address the flaws, CISA added. The agency also recommended fleet owners and operators take “defensive measures” to minimize risk.
This apparently includes ensuring, where possible, that these GPS trackers are not reachable from the internet or from networks that miscreants can get onto. And where remote access is required, CISA recommends using VPNs or other secure methods to control access. That sounds like generic CISA advice, so perhaps a real workaround would be: stop using the GPS units altogether.
BitSight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott discovered the six vulnerabilities and reported them to CISA after trying since September 2021 to share the findings with MiCODUS.
“After fairly exhausting all options to reach MiCODUS, BitSight and CISA determined that these vulnerabilities warrant public disclosure,” according to a BitSight report [PDF] published on Tuesday.
About 1.5 million consumers and organizations use the GPS trackers, the researchers said. This spans 169 countries and includes government organizations, military, law enforcement, aerospace, energy, engineering, manufacturing and shipping companies, they added.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” the report authors said, adding:
For its research, the BitSight team used the MV720 model, which it said is the company’s least expensive design with fuel cut-off functionality. The device is a cellular-enabled tracker that uses a SIM card to transmit status and location updates to supporting servers and to receive SMS commands.
Here is a rundown of the vulnerabilities:
CVE-2022-2107 is a hard-coded password vuln in the MiCODUS API server. It received a 9.8 CVSS rating and allows a remote attacker to use a hardcoded master password to log into the web server and send SMS commands to a target’s GPS tracker.
These would appear to be coming from the GPS owner’s mobile number, and could allow a miscreant to gain control of any tracker, access and track vehicle location in real time, cut off fuel, and disarm alarms or other features provided by the device.
CVE-2022-2141, due to broken authentication, also received a 9.8 CVSS score. This flaw could allow an attacker to send SMS commands to the tracking unit without any authentication.
A default password flaw, which is detailed in BitSight’s report but was not assigned a CVE by CISA, nonetheless “represents a significant vulnerability,” according to the security vendor. There is no mandatory requirement that users change the default password, which ships as “123456,” on the devices, and this makes it very easy for criminals to guess or assume a tracker’s password.
CVE-2022-2199, a cross-site scripting vulnerability, exists in the main web server and could allow an attacker to fully compromise a device by tricking its user into making a request — for instance, by sending a malicious link in an email, tweet, or other message. It received a 7.5 CVSS rating.
The main web server has an insecure direct object reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter Device IDs. This means they accept arbitrary device IDs without further verification.
“In this case, it is possible to access data from any Device ID in the server database, regardless of the logged-in user. More information capable of escalating an attack could be available, such as license plate numbers, SIM card numbers, mobile numbers,” BitSight said. It received a 7.1 CVSS score.
Finally, CVE-2022-33944 is another insecure direct object reference vuln on the main web server. This flaw, on the endpoint and POST parameter “Device ID,” accepts arbitrary device IDs, and received a severity rating of 6.5.
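The two IDOR findings above come down to a server trusting the Device ID parameter on its own. The following is an added illustration, not MiCODUS or BitSight code: an in-memory model of a "get device" lookup in its vulnerable form beside a hardened form that checks ownership against the logged-in session and records denied cross-account lookups for detection. The account names, device IDs and record fields are constructed, with the fields chosen to mirror the data BitSight says was exposed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str          # account that registered the tracker (constructed)
    location: str       # last reported position
    plate: str          # licence plate, one of the fields BitSight lists
    sim: str            # SIM card number
    phone: str          # mobile number bound to the tracker


# Constructed sample database keyed by Device ID; not real trackers.
DEVICES: Dict[str, Device] = {
    "D1001": Device("D1001", "alice", "51.50,-0.12", "AB12 CDE", "8944-0001", "+44-7000-000001"),
    "D1002": Device("D1002", "bob",   "48.85,2.35",  "XY99 ZZZ", "8944-0002", "+33-6000-000002"),
}

# Audit trail of lookups that named a Device ID the session does not own.
DENIED: List[Tuple[str, str]] = []


def get_device_insecure(session_user: str, device_id: str) -> Optional[Device]:
    """IDOR pattern: the Device ID parameter alone selects the record and the
    logged-in user is never consulted, so any valid ID returns its data."""
    return DEVICES.get(device_id)


def get_device_secure(session_user: str, device_id: str) -> Optional[Device]:
    """Hardened form: load the record, then require that the authenticated
    session owns it. Unknown and foreign IDs both answer 'not found' so the
    endpoint does not confirm which IDs exist; foreign lookups are logged."""
    record = DEVICES.get(device_id)
    if record is None:
        return None
    if record.owner != session_user:
        DENIED.append((session_user, device_id))   # signal for detection
        return None
    return record


def audit_idor(session_user: str, ids: Iterable[str]) -> Dict[str, int]:
    """Count how many of the requested IDs each handler returns to the user."""
    ids = list(ids)
    leaked = sum(1 for i in ids if get_device_insecure(session_user, i) is not None)
    allowed = sum(1 for i in ids if get_device_secure(session_user, i) is not None)
    return {"insecure_returned": leaked, "secure_returned": allowed}
```

A walk over a handful of Device IDs with `audit_idor("alice", ["D1001", "D1002", "D9999"])` shows the insecure handler returning two records and the hardened one returning only alice's.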
“BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available,” the report concluded. “Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which could put any device at risk.” ®