Vehicle Tracker Vulnerabilities

GPS Tracker in vehicles allow for User Impersonation and Remote Execution of Commands

GPS trackers found in popular brand of vehicle has been rendered essentially unusable after a hard-coded password has been discovered in the GPS tracker. Security firm Bitsight has cracked open the MiCODUS MV720 vehicle GPS tracker and found six separate vulnerabilities that have high security impact, out of which four has the potential of allowing remote control to the device.

The severe impact of this vulnerability is the hard-coded password that allows anyone aware of the credentials to log into the web server, impersonate as the user and send malicious commands over to the target GPS unit that legitimate users can normally send over through mobile.

MiCODUS MV720 GPS trackers are retailed at $20 which are used across various vehicles related to military, infrastructure, and technology. The use of these trackers allows an authorized user to track the location of the vehicle remotely in real time via phone. It also includes cutting off the fuel and disabling the vehicle in the event of it being stolen.

With the hard-coded password that has been discovered by Bitsight, it makes it possible for vehicles with remote ability to be accessible to anyone with an internet connection. After discovering the vulnerability, Bitsight has shared the information with the Cybersecurity and Infrastructure Security Agency (CISA) and had the group recommend the consumers to immediately cease the use of MiCODUS MV720. It is possible that these flaws can extent to other MiCODUS vehicle GPS tracker models. Hard-coded password makes the unit too exploitable to use, but removal may be tricky.