A GPS tracker that has been sold to customers across 169 countries and has been installed in more than 1.5 million devices has been revealed to have numerous critical cyber security vulnerabilities that could allow bad actors to remotely hack a vehicle’s system.
These critical cyber security issues in the MiCODUS MV720 GPS tracking device were first discovered by cyber security startup BitSight. Following the discovery of the vulnerabilities, BitSight informed the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The CISA confirmed that “successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands and the disarming of various features (e.g., alarms)”.
In a report on the vulnerabilities, BitSight said it had found MiCODUS devices were being used by a range of organizations including “a Fortune 50 energy company, a national military in South America, a national government and a national law enforcement organization in Western Europe, and a nuclear power plant operator”. It was also revealed that MiCODUS has a global customer base of 420,000, with 1.5 million devices sold. However, BitSight did note that it was unable to determine the number of MiCODUS MV720 units currently in use globally, as well as the number of MiCODUS devices used for personal or businesses uses.
The CISA reported MiCODUS had not yet attempted to mitigate the vulnerabilities by providing updates or patches to the tracker despite being warned of the severity of these issues.
The US Cybersecurity and Infrastructure Security Agency recommended the following defensive measures to minimize the risk of exploitation to the vulnerabilities:
- Ensure all control system devices and systems are not accessible from the Internet, and minimize their network exposure.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- Use enhanced security measures, for example virtual private networks (VPNs), if remote access is required. It should be recognized, however, that VPNs may also have vulnerabilities and are only as secure as their connected devices.