Security company BitSight and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert for the MiCODUS MV720, a popular GPS tracker used across a host of industries. The Chinese-made GPS tracker has six vulnerabilities with CVSS scores as high as 9.8, indicating a severe risk of exploitation.
BitSight, a Boston-based company, found six severe vulnerabilities in MiCODUS, a well-known GPS tracker made in China. The company contacted MiCODUS three times between September 9, 2021, and January 14, 2022, but the latter refused BitSight’s request to speak with its security or engineering teams.
Further, BitSight said it shared its findings with MiCODUS, as is the norm under responsible vulnerability disclosure practices, but was disregarded by the Shenzhen-based company.
The cybersecurity company then disclosed the six vulnerabilities to CISA on January 14, 2022, which assessed that they are remotely exploitable and have a low attack complexity. CISA also contacted MiCODUS earlier this year but to no avail.
MiCODUS claims to have 420,000 customers who have deployed 1.5 million of its devices. The model in question, the MiCODUS MV720, costs between $20 and $55 on eBay. It is unclear how many of these vulnerable MV720s have been deployed.
Through the MV720, MiCODUS provides remote management, fleet and asset tracking, and vertical-specific application services. The device is cellular-enabled and offers fuel cut-off functionality. It is used across several sectors, including aerospace, energy, engineering, manufacturing, and shipping.
Speaking with Spiceworks, Ellen Boehm, SVP of IoT Strategy & Operations at Keyfactor, and Roger Grimes, defense evangelist at KnowBe4, highlighted that security risks are inherent to IoT devices.
“This example highlights many of the risks with current and future IoT devices. IoT devices are full of vulnerabilities and this will not change going into the future no matter how many of these stories come out. One of the big problems of any IoT device that tracks someone is privacy. Any approved privacy intrusion can be abused by unauthorized persons,” Grimes told Spiceworks.
“It’s an inherent risk to all IoT devices. Put a web camera in your home for security purposes, and you can’t be assured it won’t track you during times when you thought you had privacy. Your cell phone can be compromised to record your conversations. Your laptop’s webcam can be turned on to record you and your meetings. And your car’s GPS tracking device can be used to find specific employees and disable vehicles.”
BitSight detailed only five of the six vulnerabilities in its report, all with varying levels of threats. They are:

| CVE | CVSS | Vulnerability type | Impact |
|---|---|---|---|
|  |  |  | Gain complete control of any GPS tracker; access location information, routes, and geofences, and track locations in real time; cut off fuel to vehicles; and/or disarm alarms and other features |
| CVE-2022-2141 | 9.8 | Broken Authentication | Gain full control of traffic: perform any action within the application the user can perform; view any information the user can view; modify any information the user can modify; and/or initiate interactions with other application users |
| CVE-2022-34150 | 7.1 | Insecure Direct Object Reference | Unauthenticated data access for any Device ID in the server database, regardless of the logged-in user |
|  | 6.5 | Insecure Direct Object Reference | Gain access to device activity such as GPS-referenced locations |
The MiCODUS MV720 ships with a hardcoded password, ‘123456’. What’s more, the GPS device doesn’t even prompt the user to change it. Boehm shared his thoughts on this particular design flaw. “It is always recommended to use unique credentials per each device that is connecting to an IoT system,” he told Spiceworks.
“Hard coding is never a good thing, and causes weak points that can (and will be) eventually broken. Certificate-based authentication is always a best practice, where proper verification occurs before any data is transmitted through a secure channel. The backend server that receives requests from the IoT devices should not accept arbitrary identities without verification,” Boehm added.
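The two server-side weaknesses the table and the quotes above describe, an insecure direct object reference (any logged-in user can read any Device ID) and a backend that accepts a well-known default credential, are easy to see side by side in code. The following is an added illustration written for this page, not BitSight's or MiCODUS's code: a toy device-data API with the vulnerable lookup beside an object-level-authorized one, and a device registry that refuses the default password and verifies a per-device secret before serving anything. It uses per-device shared secrets rather than the certificate-based authentication Boehm recommends, as the simplest form of "unique credentials per device"; all device IDs, users, coordinates and secrets are constructed sample data.

```python
"""Toy device-tracking backend: IDOR and default-credential handling.

Added example for illustration only; every identifier below is constructed.
"""
import hashlib
import hmac
import secrets

DEFAULT_PASSWORD = "123456"  # factory default the article quotes for the MV720
MIN_SECRET_LEN = 12          # assumed policy for this example

# Constructed sample records: device id -> owner and last known position.
DEVICES = {
    "dev-1001": {"owner": "alice", "location": (19.43, -99.13)},
    "dev-1002": {"owner": "bob", "location": (55.75, 37.62)},
}


def lookup_device_vulnerable(device_id, current_user):
    """IDOR: the requesting user is never checked against the record's owner,
    so any logged-in user can pull location data for any Device ID."""
    del current_user  # ignored, which is exactly the flaw
    return DEVICES.get(device_id)


def lookup_device_fixed(device_id, current_user):
    """Object-level authorization: return the record only if it belongs to
    the requesting user. A foreign device is reported as non-existent so the
    response does not reveal whether the ID is valid."""
    record = DEVICES.get(device_id)
    if record is None or record["owner"] != current_user:
        return None
    return record


def is_acceptable_secret(secret: str) -> bool:
    """Reject the hard-coded default and anything too short to be unique."""
    return secret != DEFAULT_PASSWORD and len(secret) >= MIN_SECRET_LEN


def _derive(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked table does not hand out device secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class DeviceRegistry:
    """Backend that refuses to accept arbitrary device identities."""

    def __init__(self):
        self._creds = {}  # device id -> (salt, derived key)

    def enroll(self, device_id: str, secret: str) -> None:
        """Store a unique per-device secret; the default password is refused
        at enrollment so a device can never stay on '123456'."""
        if not is_acceptable_secret(secret):
            raise ValueError("weak or default credential rejected for " + device_id)
        salt = secrets.token_bytes(16)
        self._creds[device_id] = (salt, _derive(secret, salt))

    def authenticate(self, device_id: str, secret: str) -> bool:
        """Unknown device or wrong secret -> False. Constant-time compare so the
        check itself does not leak how many bytes matched."""
        entry = self._creds.get(device_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_derive(secret, salt), expected)

    def report_location(self, device_id: str, secret: str, position):
        """Accept a position update only from an authenticated device."""
        if not self.authenticate(device_id, secret):
            return False
        DEVICES.setdefault(device_id, {"owner": None})["location"] = position
        return True


if __name__ == "__main__":
    print("IDOR read by bob of alice's device:", lookup_device_vulnerable("dev-1001", "bob"))
    print("Same read with ownership check:", lookup_device_fixed("dev-1001", "bob"))
    reg = DeviceRegistry()
    reg.enroll("dev-1001", "example-unique-secret-1001")
    print("Default password accepted?", reg.authenticate("dev-1001", DEFAULT_PASSWORD))
```

The `lookup_device_fixed` path answers the IDOR rows of the table: the authorization decision is made per object, against the caller's identity, rather than trusting that a valid session implies access to every Device ID. The registry answers Boehm's point about arbitrary identities: a position report from a device ID the backend has never enrolled, or from one presenting the default password, is dropped before any data is stored.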
In its report, BitSight noted 2,354,603 (2.3 million+) connections to the MiCODUS server originating from 169 countries, but added that its assessment of the number of connected devices is inconclusive. Organizations it did identify include a Fortune 50 energy company, a national military in South America, a national government in Western Europe, a national law enforcement organization in Western Europe, and a nuclear power plant operator.
Who is Impacted by MiCODUS MV720 Vulnerabilities?
The top 10 countries with the highest number of MiCODUS users are Mexico, Russia, Uzbekistan, Spain, Brazil, Poland, Chile, Morocco, South Africa, and Ukraine. The top 10 countries, going by the most number of devices, are Russia, Morocco, Chile, South Africa, Ukraine, Poland, Brazil, Uzbekistan, Italy, and Mexico.
The global heatmap of in-use devices is given below:
[Figure: Total Number of Connections from Unique IP Addresses to the MiCODUS Server | Source: BitSight]
BitSight further provided a continent-wise breakdown of the industries using vulnerable devices. Most North American organizations using MiCODUS are engaged in manufacturing, and those in South America are mostly government institutions, whereas in Europe no single sector accounted for the largest share of MiCODUS users.
How to Fix MiCODUS MV720 Vulnerabilities?
Users cannot fix the vulnerabilities themselves until the vendor rolls out patches. Moreover, Boehm and Grimes pointed out the difficulty of patching IoT devices. Boehm said, “If you think it’s hard to patch regular software, it’s ten times as hard to patch IoT devices. I’m purely guessing here, but I’d speculate that 90% of vulnerable GPS tracking devices will remain vulnerable and exploitable if and when the vendor actually decides to fix them. Hackers love those odds.”
This is why BitSight has recommended that all affected parties disable all MiCODUS MV720 GPS tracking devices. “IoT devices are particularly hard to patch. They should all be auto-patching, but most aren’t. Most require end-user interaction, and many times a physical connection.”