According to the researchers with security vendor BitSight, if exploited, the six vulnerabilities in the MiCODUS MV720 vehicle GPS tracker could enable threat actors to access and control the functions of the device, including tracking the vehicle or cutting off its fuel supply. While security experts have voiced concern about the lax security in smart, internet-enabled devices overall, the BitSight research is particularly worrisome for both our privacy and safety. “Unfortunately, these vulnerabilities are not difficult to exploit,” noted Pedro Umbelino, principal security researcher at BitSight, in a press release. “Basic flaws in this vendor’s overall system architecture raise significant questions about the vulnerability of other models." 

Remote Control

In the report, BitSight says it zeroed in on the MV720 since it was the company’s least expensive model that offers anti-theft, fuel cut-off, remote control, and geofencing capabilities. The cellular-enabled tracker uses a SIM card to transmit its status and location updates to supporting servers and is designed to receive commands from its legitimate owners via SMS. BitSight claims it discovered the vulnerabilities without much effort. It even developed proof of concept (PoCs) code for five of the flaws in order to demonstrate that the vulnerabilities can be exploited in the wild by bad actors. And it’s not just individuals who could be affected. The trackers are popular with companies as well as with government, military, and law enforcement agencies. This led the researchers to share their research with the CISA after it failed to elicit a positive response from the Shenzhen, China-based manufacturer and supplier of automotive electronics and accessories. After the CISA also failed to get a response from  MiCODUS, the agency took it upon itself to add the bugs to the Common Vulnerabilities and Exposures (CVE) list and assigned them a Common Vulnerability Scoring System (CVSS) score, with a couple of them earning a critical severity score of 9.8 out of 10. The exploitation of these vulnerabilities would allow for many possible attack scenarios, which could have “disastrous and even life-threatening implications,” note the researchers in the report.

Cheap Thrills

The easily exploitable GPS tracker highlights many of the risks with the current generation of Internet of Things (IoT) devices, note the researchers.  Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, opines that one of the big problems of any IoT device that tracks someone is privacy.  “Put a web camera in your home for security purposes, and you can’t be assured it won’t track you during times when you thought you had privacy,” Grimes told Lifewire over email. “Your cell phone can be compromised to record your conversations. Your laptop’s webcam can be turned on to record you and your meetings. And your car’s GPS tracking device can be used to find specific employees and disable vehicles.” The researchers note that currently, the MiCODUS MV720 GPS tracker remains vulnerable to the mentioned flaws since the vendor hasn’t made a fix available. Owing to this, BitSight recommends that anyone using this GPS tracker disable it until a fix is made available.  Building on this, Grimes explains patching presents another problem, as it’s particularly difficult to install software fixes on IoT devices. “If you think it’s hard to patch regular software, it’s ten times as hard to patch IoT devices,” said Grimes. In an ideal world, all IoT devices would have auto-patching in order to install any updates automatically. But unfortunately, Grimes points out most IoT devices require people to manually update them, jumping through all kinds of hoops such as using an inconvenient physical connection. “I’d speculate that 90% of vulnerable GPS tracking devices will remain vulnerable and exploitable if and when the vendor actually decides to fix them,” said Grimes. “IoT devices are full of vulnerabilities, and this will not change going into the future no matter how many of these stories come out.”