Security flaws in GPS trackers put global fleets at risk • The Register

A handful of vulnerabilities, some vital, in MiCODUS GPS tracker gadgets could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or minimize off fuel to cars, in accordance to CISA. And there is certainly no fixes for these protection flaws.

Two of the bugs gained a 9.8 out of 10 CVSS severity rating. They can be exploited to ship commands to a tracker device to execute with no meaningful authentication the other people involve some degree of distant exploitation.

“Profitable exploitation of these vulnerabilities could permit an attacker management about any MV720 GPS tracker, granting entry to site, routes, gasoline cutoff commands, and the disarming of numerous attributes (e.g., alarms),” the US government agency warned in an advisory posted Tuesday.

As of Monday, the gadget company, dependent in China, experienced not supplied any updates or patches to repair the flaws, CISA extra. The agency also proposed fleet house owners and operators consider “defensive actions” to lower danger.

This evidently contains making sure, where by achievable, that these GPS tracers are not accessible from the web or networks that miscreants can get to. And when remote command is necessary, CISA suggests working with VPNs or other protected techniques to handle accessibility. That appears like generic CISA guidance so most likely a genuine workaround would be: quit making use of the GPS units altogether.

Bitsight security researchers Pedro Umbelino, Dan Dahlberg and Jacob Olcott uncovered the 6 vulnerabilities and described them to CISA following striving due to the fact September 2021 to share the conclusions with MiCODUS. 

“Soon after moderately exhausting all choices to access MiCODUS, BitSight and CISA determined that these vulnerabilities warrant community disclosure,” in accordance to a BitSight report [PDF] published on Tuesday.

About 1.5 million consumers and businesses use the GPS trackers, the researchers explained. This spans 169 countries and features government companies, armed service, law enforcement, aerospace, strength, engineering, manufacturing and delivery firms, they added.

“The exploitation of these vulnerabilities could have disastrous and even lifetime-threatening implications,” the report authors claimed, adding:

For its investigate, the BitSight group used the MV720 model, which it claimed is the firm’s minimum expensive structure with gasoline reduce-off operation. The gadget is a cellular-enabled tracker that works by using a SIM card to transmit position and site updates to supporting servers and get SMS commands.

Here is a rundown of the vulnerabilities:

CVE-2022-2107 is a challenging-coded password vuln in the MiCODUS API server. It been given a 9.8 CVSS rating and permits a remote attacker to use a hardcoded master password to log into the net server and deliver SMS instructions to a target’s GPS tracker. 

These would glance like they are coming from the GPS owner’s cellular selection, and could allow for a miscreant to achieve regulate of any tracker, entry and monitor vehicle spot in authentic time, cut off fuel and disarm alarms or other attributes delivered by the gadget.

CVE-2022-2141, because of to broken authentication, also acquired a 9.8 CVSS rating. This flaw could enable an attacker to deliver SMS instructions to the tracking system without the need of authentication.

A default password flaw, which is in-depth in BitSight’s report but wasn’t assigned a CVE by CISA, nevertheless “represents a significant vulnerability,” in accordance to the protection vendor. There’s no required rule that users alter the default password, which ships as “123456,” on the units, and this can make it really easy for criminals to guess or assume a tracker’s password.

CVE-2022-2199, a cross-web site scripting vulnerability, exists in the most important internet server and could let an attacker to fully compromise a device by tricking its consumer into earning a request — for instance, by sending a malicious url in an email, tweet, or other message. It been given a 7.5 CVSS ranking

The most important internet server has an insecure direct item reference vulnerability, tracked as CVE-2022-34150, on endpoint and parameter product IDs. This usually means they acknowledge arbitrary system IDs without further verification.

“In this circumstance, it is doable to access knowledge from any System ID in the server databases, regardless of the logged-in person. Extra data capable of escalating an attack could be obtainable, these as license plate quantities, SIM card figures, cell quantities,” BitSight spelled out. It acquired a 7.1 CVSS ranking.

And last but not least, CVE-2022-33944 is one more insecure immediate item reference vuln on the principal net server. This flaw, on the endpoint and Publish parameter “Unit ID,” accepts arbitrary machine IDs, and obtained a severity rating of 6.5.

“BitSight suggests that individuals and organizations currently making use of MiCODUS MV720 GPS tracking gadgets disable these equipment right up until a fix is produced offered,” the report concluded. “Businesses employing any MiCODUS GPS tracker, no matter of the design, must be alerted to insecurity pertaining to its system architecture, which may place any product at possibility.” ®