Manufacturers of Widespread GPS Modules with Critical Vulnerabilities Ignore Security, Research Reveals

Security researchers have identified a series of vulnerabilities in a highly popular GPS module that’s used by governments, companies and regular consumers in millions of devices worldwide.

While we might pay extra attention to some of the devices we use daily, like phones, we rarely give a second thought to our cars. Modern vehicles are packed with electronics, including some constantly communicating with manufacturers and other services. The GPS module is among those overlooked electronics.

Security researchers from BitSight took a closer look at the MiCODUS MV720 tracker, embedded in 1.5 million devices across 169 countries, and found seven vulnerabilities, marking some as critical due to their nature.

It’s easy to think that a compromised GPS tracker could, at the most, leak the location of a particular device, but it’s much worse.

“It could allow hackers to track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more,” said the researchers.

“For example, an attacker could cut fuel to a civilian’s vehicle and deploy ransomware, demanding a ransom to return the vehicle to working condition, or could deploy ransomware to vehicles in an organization’s commercial vehicle fleet, potentially inducing supply shortages and disrupting business continuity for both the targeted organization and supply chain partners,” the researchers added.

Matters are complicated because the trackers are available for purchase for just $20 on the open market, which means that anyone has access to the hardware. Also, the manufacturers have refused to respond to the researcher and address the vulnerabilities. Therefore, the main advice for all affected parties is to stop using the devices until the vulnerabilities are fixed.

We can look at the first two to understand just how dangerous these vulnerabilities are.

• The use of hard-coded credentials may let an attacker log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number. (CVE-2022-2107)
• Improper authentication allows a user to send some SMS commands to the GPS tracker without a password. (CVE-2022-2141)

Hardcoded credentials and improper authentication vulnerabilities, with a score of 9.8 out of 10, should scare any company using these GPS modules.