A GPS vehicle tracker used by “militaries, law enforcement agencies, and corporations” as well as individuals has vulnerabilities serious enough to attract the attention of America’s Cybersecurity and Infrastructure Security Agency.
According to BitSight, which reported the bugs to CISA, the MiCODUS MV720 GPS vehicle tracker has users in 169 countries including Australia and New Zealand.
Its capabilities include real-time monitoring of location and speed, historic routes taken by the vehicle, and the ability to cut off fuel in the event of theft.
Users can send commands to deployed devices over SMS or using an app.
CISA’s advisory warns of five vulnerabilities in particular:
- CVE-2022-2107 – A hard-coded master password in the device’s server, which means an attacker can issue commands to the tracker as if they came from the owner
- CVE-2022-2141 – SMS commands can be issued with no authentication
- CVE-2022-2199 – A cross-site scripting bug in the system’s main web server
- CVE-2022-34150 and CVE-2022-33944 – Authentication bypasses in the web server.
“As of July 18th, 2022, MiCODUS has not delivered updates or patches to mitigate these vulnerabilities”, CISA noted.
The upshot of all this, BitSight wrote, is that attackers “could potentially cut off fuel, physically stop vehicles, or surveil movement of vehicles in which the product is installed.”
Because the vulnerabilities give an attacker access to communications to and from the tracker, possible attacks include “intentionally issuing incorrect vehicle location information to the GPS server”.