A cybersecurity firm and government watchdogs are sounding the alarm about the use of a popular GPS tracking device manufactured in China.
The MiCODUS MV720 GPS tracker has “six severe vulnerabilities” that could potentially allow “hackers to track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more,” according to a July 19 report from cybersecurity firm BitSight.
The MiCODUS GPS trackers are used by customers to monitor real-time locations and speeds, historical routes, and to remotely cut off fuel in the event of theft.
The group says that vulnerabilities in the devices could allow hackers to “cut fuel to a civilian’s vehicle and deploy ransomware, demanding a ransom to return the vehicle to working condition.” Hackers could “also deploy ransomware to vehicles in an organization’s commercial vehicle fleet, potentially inducing supply shortages and disrupting business continuity for both the targeted organization and supply chain partners,” according to the report.
BitSight says that that attackers exploiting the vulnerabilities could result in loss of life, supply chain disruptions, unlawful tracking, or data breeches.
As an immediate solution, BitSight recommends that “users of the MV720 should take prompt action to protect themselves from the device’s vulnerabilities. BitSight recommends users immediately discontinue use or disable any MiCODUS MV720 GPS trackers until a fix is made available. The device typically requires professional installation, so users may need to consult with a mechanic to properly disable the device(s).”
The GPS tracker retails for around $20 and approximately 1.5 million devices are in use around the world, BitSight says. The device is use in government, military, and police agencies, and as well as a variety of industries including aerospace, engineering, manufacturing, and shipping.
“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a bulletin on July 19 detailing multiple hacking vulnerabilities associated with the device.