CISA Warns About MiCODUS GPS Trackers - Threatwire
Added 2022-07-27 15:59:25 +0000 UTC, by Shannon Morse, ThreatWire
In early July, hackers shared that they can unlock and start Hondas with flawed key fobs. Car hacks are pretty common, and we now have a second one for July! CISA, the US Cybersecurity and Infrastructure Agency, published an advisory last week saying that GPS trackers found in many automobiles could be hacked to gain control of the system, disable vehicle alarms, impact fuel supply with fuel cutoff commands, or allow surveillance of vehicle locations and routes used.
The six vulnerabilities affect about 1.5 million vehicles worldwide with the MiCODUS MV720 GPS tracker installed. The advisory was posted as an Industrial Control Systems Advisory, and CISA says the flaws could allow a remote attacker to gain control in a variety of ways. The tracking devices only cost about $20 and are used in many industries including aerospace, energy, nuclear plants and shipping. Vehicles affected were found in several countries including but not limited to Chile, Australia, Mexico, Ukraine, and more, including the US. Many industries track their vehicles, including military and law enforcement, and if a malicious actor got access to that information, it could have major national security implications.
The six vulnerabilities include a hard-coded master password, a broken authentication scheme, and a cross-site scripting flaw. Severity ranges from 6.5 up to 9.8. One of the flaws is a preconfigured default password of 123456. I’m serious, I can’t make that stuff up.
CISA recommends technicians and manufacturers check the security audit report from Bitsight for mitigations. No fix is available, so Bitsight recommends taking actions such as just disabling the device altogether or replacing it with a non-vulnerable product.
LINKS:
https://thehackernews.com/2022/07/unpatched-gps-tracker-bugs-could-let.html