MiCODUS Car Trackers are SUPER Vulnerable and Dangerous

An add-on vehicle tracker is incredibly insecure—to the point it’s dangerous to use. The MV720 and other products sold by MiCODUS are full of easily exploited bugs.

Nation-states, thieves and ransomware scrotes must be rubbing their hands with glee. The company responsible is maintaining radio silence, so the researchers and CISA had no choice but to go public and warn us all.

The advice: Remove it from your car—now. In today’s SB Blogwatch, we wonder how many people have one and don’t even know.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Stranger remix.

$20 GPS IoT Garbage

What’s the craic? Frank Bajak reports—“GPS tracker highly vulnerable”:

Could be used maliciously by the Chinese government
A popular … automotive GPS tracker used in 169 countries has severe software vulnerabilities, posing a potential danger to highway safety, national security and supply chains, cybersecurity researchers have found. … The flaws could let attackers remotely hijack device-equipped vehicles, cutting off fuel to them and otherwise seizing control while they travel.

GPS trackers are used globally to monitor vehicle fleets – from trucks to school buses to military vehicles — and protect them against theft. In addition to collecting data on vehicle location, they typically also monitor other metrics, such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors and more.

Richard Clarke, the former U.S. cybersecurity czar, called the insecure GPS device yet another example of a smart Chinese-made product “that is phoning home and could be used maliciously by the Chinese government.” While Clarke said he doubted the tracker was designed for that purpose, the danger is real because Chinese companies are obliged by law to follow their government’s orders.

Trackers gonna track, Zack. Mister Whittaker facepalms—“Security flaws in a popular GPS tracker are exposing a million vehicle locations”:

Remove the devices as soon as possible
Six vulnerabilities in the MV720, a hardwired GPS tracker built by MiCODUS … can be easily and remotely exploited to track any vehicle in real time, access past routes and cut the engines of vehicles in motion. [The] Shenzhen-based electronics maker … claims more than 1.5 million GPS trackers in use today across more than 420,000 customers worldwide, including … Fortune 50 companies … a nuclear power plant operator … companies with fleets of vehicles, law enforcement agencies, militaries and national governments.

Some of the bugs are in the GPS tracker itself, while others are in the web dashboard that customers use to track their vehicle fleets. … All but one rank as “high” severity or greater. … Given the severity of the bugs and that there are no fixes, both BitSight and CISA, the U.S. government’s cybersecurity advisory agency, warned vehicle owners to remove the devices as soon as possible.

Who found it? Pedro Umbelino, with Noah Stone—“Critical Vulnerabilities”:

Nation-state adversary
Repeated attempts … to share information with Shenzhen, China-based manufacturer MiCODUS were disregarded. … Each MV720 is sold for approximately $20.00 on Amazon, Aliexpress, Ebay, Alibaba, and other major online retailers. … Although our research focused on the MV720, we believe other MiCODUS models may be vulnerable due to flaws we discovered in the MiCODUS architecture.

We identified Ukraine as having the most MiCODUS GPS trackers in all of Europe. A state-owned Ukrainian transportation system and a leading bank in Kiev are confirmed to be MiCODUS users.

[We] discovered the MV720 to be vulnerable to a variety of attacks. … Successful exploitation of such vulnerabilities allows for:

    • Civilians, politicians, business leaders, and others could be tracked … threatening personal safety and confidentiality. …
    • Bad actors could learn the travel routes of … owners, informing planned burglaries. …
    • An attacker could cut fuel to a … vehicle and deploy ransomware …
    • An attacker could deploy ransomware to vehicles in [a] commercial vehicle fleet, potentially inducing supply shortages. …
    • A nation-state adversary could … gather intelligence on military-related movements. …
    • Criminals could disable emergency vehicles … delaying police response to a planned crime.

Ukraine? cyberlurker decloaks briefly:

This won’t be good.

Which cars are they in? AmiMoJo clarifies:

They are not OEM parts. They are for covert monitoring. Most of the people vulnerable to these hacks likely don’t even know they have one.

They are designed to look like a relay so as not to arouse suspicion. They make them to fit in place of actual relays for things like the fuel pump or accessory power, where they can draw power from the vehicle’s battery and also operate the function of the original relay remotely.

But who would use these things? afidel answers a question with a question:

You’ve never been exposed to buy-here pay-here operations? Basically they buy the cheapest, *****iest vehicles that still run semi-reliably, then loan them out on rent-to-own contracts.

When the folks that are desperate enough to go to such places inevitably miss a payment they “repossess” the vehicle … with a device like this virtually by disabling the vehicle. Then they either get their next payment from the lessee, or they send someone to the last GPS coordinates to pick it up.

SRSLY? Yes, says robgridley:

The staff at a local dealer gave them the very un-PC name “poor person modules”.

Wait. Pause. At least some of these vulns were previously discovered 17 months ago, by u/xPeacefulDreams:

I bought a GPS tracker on AliExpress from a brand called Micodus. … I was interested in the API of their platform so I could integrate it with my smart home. … I found out that there is no security applied at all: … I can pull anyone’s user info and devices, including the address the car is at and other identifying info.

The security flaw is not on the device itself but on the cloud platform that the tracker reports to, so it has nothing to do with flashing or password protection on the device unfortunately. Basically, the website is so poorly secured that with a simple script you can get the data from every tracker on the platform, regardless of whether users changed passwords or anything.

I’m going to share my findings with the company. But I don’t know if they will change it.

I think we can guess how that went. ERIFNOMI sounds slightly sarcastic:

$20 no-name Chinese IoT GPS tracker has a hardcoded master password? This is my shocked face.

And Finally:

Great remix, but try to ignore the idiotic knob twiddling—“It’s like somebody miming along to a guitar track whilst holding a bassoon,” quips Swagatha_Christie.


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Patti Black (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
