Six vulnerabilities have been discovered in a GPS tracking device used by companies to monitor vehicle fleets, and by consumers as an anti-theft device. If exploited, they could allow attackers to broadly disrupt fleet operations and track individual vehicles.
That is according to cybersecurity firm BitSight, which said in a Tuesday advisory that the device, the MiCODUS MV720, has vulnerabilities in both the device and the back-end service. These pave the way for man-in-the-middle (MitM) attacks, authentication bypasses, and location tracking. The vulnerabilities include a hard-coded device password that allows access via SMS requests, and a default password on the API server, BitSight found.
"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," BitSight states in the report. "For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways."
The vulnerabilities include a hard-coded password that could allow commands to be sent to devices, the ability to use administrator privileges for commands, and a default password of 123456. Flaws of lesser severity include a reflected cross-site scripting (XSS) issue and the ability to directly access parts of the application. Five of the vulnerabilities have been assigned identifiers under the Common Vulnerabilities and Exposures (CVE) program: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944. The default password security weakness was not considered a vulnerability, and so did not get a CVE identifier.
GPS Bugs Remain Unpatched
While the company has not observed any signs that the vulnerabilities have been exploited, the Chinese firm that manufactures the device, MiCODUS, has not responded to attempts at discussing the issues, says Stephen Boyer, co-founder and CTO for BitSight.
BitSight initially contacted MiCODUS about the issues in September 2021, and after an initial request for more information, the company refused subsequent attempts to communicate, according to the firm. MiCODUS did not immediately respond to a request for comment from Dark Reading.
"Unfortunately, the hard-coded password means that the only real remediation strategy is to remove the MV720 device or remove the SIM card from the device," he says. "We shared this information with DHS [the Department of Homeland Security] so that they could develop an appropriate remediation strategy."
IoT: Still No Security by Design, Widespread Risk
The vulnerabilities underscore the risks posed by Internet of Things (IoT) devices that have not benefited from adequate attention to security design and audits. Connected devices typically have less security, but are distributed throughout many companies' infrastructure and handle physical processes, such as access control and power management, unlike traditional information technology.
Concerned with the lack of security, the US government has established requirements for IoT device security.
IoT devices often are also far more widespread than most enterprise users recognize. As shown by the BitSight research, for example, GPS devices in general are used in vehicles belonging to at least five Fortune 50 companies, as well as energy utilities and governments in the Middle East, Europe, and North America.
BitSight could not determine the prevalence of the MiCODUS MV720 specifically, but noted that MiCODUS claims that 1.5 million devices are used globally. In addition, BitSight observed nearly 2.4 million connections to the MiCODUS API server from 169 countries worldwide. The MiCODUS MV720 is a basic model sold for $20 online, but other models could account for some, or even most, of the IoT manufacturer's installed base.
The BitSight report notes that two broad use cases exist for the devices. In some countries, data suggests that the devices are used to manage fleets of vehicles. However, in other countries, the large number of individual connections per capita suggests that individuals are using the devices for anti-theft purposes.
"Indonesia has many unique IP addresses communicating with the MiCODUS server, but mostly on the GPS tracker port," BitSight states in the advisory. "This may suggest there are a small number of users with a high number of devices, which is typical in a fleet-management scenario. By comparison, Mexico has a very high number of connections to the web and mobile ports, which could indicate individuals are using the GPS tracker as an anti-theft device."
Mexico, Russia, and Uzbekistan are the countries with the most individual users, the company estimates. Russia, Morocco, and Chile appear to have the highest number of actual devices.