GPS Trackers in Vehicles Allow User Impersonation and Remote Execution of Commands
A GPS tracker fitted to many vehicles has been rendered essentially unusable after a hard-coded password was discovered in it. Security firm Bitsight cracked open the MiCODUS MV720 vehicle GPS tracker and found six separate vulnerabilities with high security impact, four of which could allow remote control of the device.
The most severe of these is the hard-coded password, which allows anyone who knows the credentials to log into the web server, impersonate the user and send commands to the target GPS unit, including malicious ones, just as a legitimate user would normally do from the mobile app.
MiCODUS MV720 GPS trackers retail at $20 and are used in vehicles across the military, infrastructure and technology sectors. The trackers let an authorized user track the vehicle's location remotely in real time by phone. They can also cut off the fuel supply and disable the vehicle if it is stolen.
With the hard-coded password discovered by Bitsight, any vehicle fitted with a tracker that has this remote capability becomes accessible to anyone with an internet connection. After discovering the vulnerability, Bitsight shared its findings with the Cybersecurity and Infrastructure Security Agency (CISA), which recommended that consumers immediately stop using the MiCODUS MV720. The flaws may also extend to other MiCODUS vehicle GPS tracker models. The hard-coded password makes the unit too exploitable to use, but removing it may be tricky.
CISA analyzed the vulnerabilities and rated the hard-coded password issue "critical" with a CVSS score of 9.8, as the research found that proper authentication is not enforced, allowing users to log in to the platform without providing credentials. Two other vulnerabilities received "high" CVSS (Common Vulnerability Scoring System) scores of 7 or above. One is a cross-site scripting flaw: users can be tricked into issuing a request that lets remote attackers gain control of the device. The other is that the main web server does not verify the ID of the connected device. A further vulnerability, rated "medium", affects a different web server with the same inability to verify the device ID.
The hard-coded password is reportedly embedded in the code of the Android app, so anyone with even a passing knowledge of programming for that platform can dig it out. In addition to this hard-coded password, the devices appear to ship with a standard default password of "123456" until the user changes it.
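To make the two authorization failures described above concrete (accepting a login without valid credentials, and relaying a command to a device ID that was never checked against the account), here is an added illustration in Python. It is constructed for this article and is not MiCODUS code; the device registry, accounts, salt and command names are assumptions.

```python
# Added illustration (not MiCODUS code): a minimal command endpoint for a fleet
# GPS platform, showing the "before" that trusts any device ID and the "after"
# that binds every command to an authenticated owner. All data is constructed.
import hashlib
import hmac
import secrets

# Constructed fleet registry: device ID -> owning account.
DEVICES = {"MV720-0001": "alice", "MV720-0002": "bob"}

# Constructed accounts with salted password hashes. "123456" for bob mirrors the
# factory default the article describes; the platform refuses to act on it.
SALT = b"constructed-salt"
DEFAULT_PASSWORDS = {"123456"}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

ACCOUNTS = {"alice": _hash("correct horse", SALT), "bob": _hash("123456", SALT)}

def vulnerable_command(session_user, device_id, cmd):
    """'Before': any logged-in user can drive any device ID (no ownership check)."""
    if device_id not in DEVICES:
        return "unknown device"
    return f"sent {cmd} to {device_id}"

def login(user, password):
    """Returns a session only for a real, non-default credential."""
    stored = ACCOUNTS.get(user)
    if stored is None or not hmac.compare_digest(stored, _hash(password, SALT)):
        return None
    if password in DEFAULT_PASSWORDS:
        return None  # force a password change before any remote command is allowed
    return {"user": user, "token": secrets.token_hex(16)}

def hardened_command(session, device_id, cmd):
    """'After': commands are accepted only from an authenticated owner of the device."""
    if not session:
        return "unauthenticated"
    if DEVICES.get(device_id) != session["user"]:
        return "forbidden: device not owned by account"
    return f"sent {cmd} to {device_id}"
```

The vulnerable handler lets alice disable bob's vehicle; the hardened one rejects that request, rejects logins on the factory default, and rejects commands with no session at all.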
About the Author
Ruben George