Critical Vulnerabilities in GPS Trackers

This is a dangerous vulnerability:

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after trying for months to privately engage with the manufacturer. As of the time of writing, all of the vulnerabilities remain unpatched and unmitigated.

These are computers and computer vulnerabilities, but because the computers are attached to cars, the vulnerabilities become potentially life-threatening. CISA writes:

These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

I wouldn’t have buried “vehicle control” in the middle of that sentence.
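Two of the weaknesses in the Ars excerpt leave a trace a fleet operator can look for: trackers reporting over plaintext HTTP, and a tracker that has been pointed at a server other than the vendor's. The script below is an added example, not code from the post, Ars Technica or BitSight; it assumes the operator can see the trackers' data path (for instance a private APN with flow export), and every address, port and log line in it is a constructed placeholder.

```python
"""Added example (not from the post, Ars or BitSight): audit flow records
for plaintext HTTP reporting and for trackers redirected away from the
vendor server. Assumes flow visibility of the trackers' data path; the
addresses and records below are constructed, not real Micodus values."""
from collections import defaultdict

# Constructed flow records: "timestamp src dst dport proto bytes", in time order.
SAMPLE_FLOWS = """\
2022-07-19T08:00:01 10.42.0.11 203.0.113.10 80 tcp 412
2022-07-19T08:00:09 10.42.0.12 203.0.113.10 80 tcp 398
2022-07-19T08:05:44 10.42.0.12 198.51.100.77 80 tcp 401
2022-07-19T08:06:02 10.42.0.12 198.51.100.77 80 tcp 397
2022-07-19T08:10:30 10.42.0.13 203.0.113.10 443 tcp 560
2022-07-19T08:12:15 10.42.1.50 198.51.100.77 80 tcp 900
"""

TRACKER_IPS = {"10.42.0.11", "10.42.0.12", "10.42.0.13"}  # assumed fleet
VENDOR_SERVERS = {"203.0.113.10"}   # placeholder for the expected endpoint
PLAINTEXT_PORTS = {80}              # HTTP with no TLS


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, _ = parts
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def audit_trackers(text, tracker_ips=TRACKER_IPS, vendor=VENDOR_SERVERS):
    """Return {tracker_ip: finding} for trackers showing either weakness.

    plaintext_to: destinations reached over plaintext HTTP
    unexpected:   destinations that are not the vendor server
    rerouted_at:  first timestamp an unexpected server was contacted
    """
    blank = lambda: {"plaintext_to": set(), "unexpected": set(), "rerouted_at": None}
    report = defaultdict(blank)
    for f in parse_flows(text):
        if f["src"] not in tracker_ips:
            continue  # phones, laptops etc. are out of scope for this check
        if f["proto"] == "tcp" and f["dport"] in PLAINTEXT_PORTS:
            report[f["src"]]["plaintext_to"].add(f["dst"])
        if f["dst"] not in vendor:
            entry = report[f["src"]]
            entry["unexpected"].add(f["dst"])
            entry["rerouted_at"] = entry["rerouted_at"] or f["ts"]
    return {ip: r for ip, r in report.items() if r["plaintext_to"] or r["unexpected"]}
```

A tracker that appears under `unexpected` after a period of normal reporting is the case worth investigating first, since the vendor endpoint itself does not change.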

Posted on July 21, 2022 at 8:36 AM • 14 Comments

Comments

DaveX July 21, 2022 9:23 AM

From a sales website:

“MICODUS is a brand store. Its original intention was: Move world & stay control.

With the highest quality and most professional service, we want everyone to remember MICODUS;

ATN July 21, 2022 9:28 AM

Probably the best way to make money from the vulnerability is to sell to people stealing cars/motorcycles, so that the vehicle cannot be localised after being stolen, or is localised elsewhere than where it is.

Clive Robinson July 21, 2022 10:20 AM

As far as I can tell from,

https://theslateboard.net/product/mini-gps-tracker-car-tracker-micodus-mv720-relay-hidden-design-cut-off-fuel-car-gps-locator-10-40v-80mah-vibrate-alert-free-app/

the device looks like an “auto relay” and has a four wire connection to the vehicle.

Two wires for “power” and a loop through contact pair, that put a switch in line with the “oil pump” (I’m assuming they mean fuel pump).

The “cut-off” to the oil pump is not a simple on/off switch; apparently it only does that if the vehicle is moving less than 20mph, otherwise it uses an interruption cycle to bring the vehicle speed down in a controlled manner.

Thus the control over the vehicle is quite limited.

As far as I can tell the “alarms” etc are back via the GSM radio unit to the Chinese Web site not the traditional alarms onboard the vehicle.

The use of GSM and GPS in the actual unit, means that adding it to a vehicle will need to be done in a thoughtful manner otherwise it will either not work or be unreliable.

This in effect makes the device much easier to find if someone knows the vehicle type sufficiently well to know where the fuel pump wiring is in the vehicle harness and where a signal will be reasonable within the vehicle body.

Ted July 21, 2022 1:05 PM

BitSight has an awesome report showing the geographic distribution of this product. From page 19:

In our data set, we detected connections from 169 countries. Of them, 127 displayed connections to the MiCODUS server on all ports (web/mobile/tracker). Below is a global heatmap, illustrating total connections from unique IP addresses to the MiCODUS server:

It appears that most users/devices are in Mexico, Russia, Uzbekistan, Brazil, Poland, Ukraine, Chile, Morocco… but it’s still used worldwide.

The report also shares a non-exhaustive list of risks, including: injury or loss of life, individual or fleet-wide ransomware, surveillance and tracking (personal, business, political), etc. This is a very notable intersection of consumer products.

https://www.bitsight.com/sites/default/files/2022-07/MiCODUS-GPS-Report-Final.pdf

Ted July 21, 2022 1:10 PM

@Clive

Nice find on product details. What do you make of this?

About Network
GSM band: 850/900/1800/1900 MHz;
The device can be used normally in your country; Except for these countries:
USA, Australia, New Zealand, Korea, Japan, Canada, Singapore, China Taiwan

scot alexander July 21, 2022 1:11 PM

What’s the difference between a self-driving car and a really, really low level cruise missile?

lurker July 21, 2022 1:11 PM

This appears to be an after-market device. Vehicle makers would have no concerns about it, other than voiding your warranty.

Sure, blogs like Ars and Schneier can say “Oi, this is junk, possibly dangerous junk.” But that can’t stop junk being made, sold, bought, and used by people who don’t know or care if it is junk or dangerous.

lurker July 21, 2022 1:21 PM

@Ted
Those exception countries appear to be ones where regulatory approval is necessary (and expensive) before a device may connect to the cellular network.

RapidGeek July 21, 2022 2:09 PM

@Ted

The accepted countries are almost all ones which Russia claims to be theirs. The exception countries are either American allies or countries China claims to be theirs.

Seems interesting that this Chinese company cannot use their product in China. Perhaps this is a shell company for China to monitor global trade….

Frank B. July 21, 2022 2:20 PM

You mean to say that trading away our own citizens’ security in order to buy up mass swathes of cheap Chinese garbage isn’t working out as planned for the western world?

What a pity.

Seems to be working out well for China though… who could have seen it coming?

SpaceLifeForm July 21, 2022 2:37 PM

@ scot alexander

What’s the difference between a self-driving car and a really, really low level cruise missile?

Wheels.

‘https://www.cnn.com/2022/07/03/us/michigan-air-show-stunt-truck-crash/index.html

lurker July 21, 2022 6:10 PM

@FrankB, SLF
That cnn link rilly rilly wanted me to sign up to find out “What’s Happening in China.”

lurker July 21, 2022 6:18 PM

@Clive Robinson
Those “Upgrade” explanatory notes in the ad read like the tech’s recommendations from the prototype… Use your clients as testers seems to be the done thing nowadays.
