Popular vehicle GPS tracker gives hackers admin privileges over SMS (Security News, July 2022)
Vulnerability researchers have found security issues in a GPS tracker that is advertised as being present in about 1.5 million vehicles in 169 countries.
MiCODUS GPS trackers are used by the state-owned Ukrainian transportation agency, so Russian hackers could target them to determine supply routes, troop movements, or patrol routes, researchers at cybersecurity company BitSight say in a report today.
CVE-2022-2141: Broken authentication scheme that lets anyone send commands to the GPS tracker over SMS and have them executed with admin privileges.
CVE-2022-33944: Insecure direct object reference on the main web server, allowing authenticated users to generate Excel reports about the activity of GPS trackers they do not own.
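The first flaw is the classic "missing authentication for critical function" pattern: the device acts on any well-formed SMS, so the only secret is the command syntax. The following is an added example written for this page, not MiCODUS firmware or BitSight's code; the `CMD,arg` syntax, the phone numbers and the password are hypothetical. It shows the unauthenticated dispatcher beside one that requires both an enrolled sender and a per-device password before executing anything.

```python
"""Added example: CWE-306 in a tracker-style SMS command handler.

This is constructed for illustration, not MiCODUS firmware. The command
syntax ('CMD,arg'), phone numbers and password are hypothetical.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class TrackerConfig:
    admin_numbers: set = field(default_factory=set)  # phone numbers enrolled by the owner
    admin_password: str = ""                          # per-device password set at enrollment
    relay_on: bool = True                             # hypothetical output relay the tracker switches
    upload_interval_s: int = 60                       # position upload interval


SUPPORTED = {"RELAY", "INTERVAL", "RESET"}


def parse_command(text: str):
    """Split a hypothetical 'CMD,arg' body into (CMD, [args])."""
    parts = [p.strip() for p in text.split(",")]
    return parts[0].upper(), parts[1:]


def apply_command(cfg: TrackerConfig, cmd: str, args: list) -> str:
    """Execute an already-authorized command against device state."""
    if cmd == "RELAY" and args:
        cfg.relay_on = args[0].lower() == "on"
    elif cmd == "INTERVAL" and args and args[0].isdigit():
        cfg.upload_interval_s = int(args[0])
    elif cmd == "RESET":
        cfg.relay_on, cfg.upload_interval_s = True, 60
    else:
        return "ERR"
    return "OK"


def handle_sms_vulnerable(cfg: TrackerConfig, sender: str, text: str):
    """Missing authentication: any sender who knows the syntax controls the device."""
    cmd, args = parse_command(text)
    if cmd not in SUPPORTED:
        return None
    return apply_command(cfg, cmd, args)


def handle_sms_hardened(cfg: TrackerConfig, sender: str, text: str):
    """Require an enrolled sender and a per-device password: 'password,CMD,arg'.

    Sender ID alone is not enough because SMS originator numbers can be
    spoofed, and a password alone is not enough if it is a default that
    ships with every unit; the handler needs both, and sends no reply on
    failure so the SMS channel cannot be used as an oracle.
    """
    if sender not in cfg.admin_numbers or not cfg.admin_password:
        return None
    supplied, _, rest = text.partition(",")
    if not hmac.compare_digest(supplied.strip().encode(), cfg.admin_password.encode()):
        return None
    cmd, args = parse_command(rest)
    if cmd not in SUPPORTED:
        return None
    return apply_command(cfg, cmd, args)
```

Note that the hardened handler refuses to work at all while `admin_password` is empty: a device that has never had its credential set should not accept remote commands, which is the failure a shipped default password reproduces.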
The Chinese vendor of the GPS tracker was contacted again on October 1, 2021, but refused to provide a security or engineering contact.
At the time of writing, the MiCODUS MV720 GPS tracker remains vulnerable to these flaws and the vendor has not released a fix.
Related vulnerabilities

| Date | CVE | Vulnerability title | Risk (CVSS base score) |
|---|---|---|---|
| 2022-07-20 | CVE-2022-33944 | Authorization Bypass Through User-Controlled Key vulnerability in MiCODUS MV720 firmware. The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and POST parameter "Device ID", which accepts arbitrary device IDs. | 6.5 |
| 2022-07-20 | CVE-2022-2141 | Missing Authentication for Critical Function vulnerability in MiCODUS MV720 firmware. SMS-based GPS commands can be executed by the MiCODUS MV720 GPS tracker without authentication. | 9.8 |
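CVE-2022-33944 is an authorization bypass through a user-controlled key: the caller is logged in, but the server never checks that the submitted `Device ID` belongs to that account, so any authenticated user can pull reports for any tracker. The following is an added example for this page, not the MiCODUS server code; the data model, account names and device IDs are hypothetical. It shows a report handler that only checks that the device exists, the same handler with the key bound to the session, and the enumeration loop a tester uses to confirm the difference.

```python
"""Added example: CWE-639 on a 'report for Device ID' endpoint.

Constructed to illustrate the pattern behind CVE-2022-33944, not the
MiCODUS server code. The data model, user names and device IDs are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Result of a successful login; the IDOR is reachable only with one of these."""
    user_id: str


# Constructed inventory: which account each tracker is registered to.
DEVICE_OWNER = {"8600001": "alice", "8600002": "alice", "8600003": "bob"}

# Constructed position history that the report endpoint exports.
POSITIONS = {
    "8600001": [("2022-07-19T08:00:00Z", 50.4501, 30.5234)],
    "8600002": [("2022-07-19T08:05:00Z", 50.4470, 30.5170)],
    "8600003": [("2022-07-19T09:15:00Z", 49.8397, 24.0297)],
}


def build_report(device_id: str) -> dict:
    """Stand-in for the Excel export: the rows the caller gets to see."""
    return {"device_id": device_id, "rows": POSITIONS.get(device_id, [])}


def report_vulnerable(session: Session, form: dict):
    """Authenticated but not authorized: the caller picks any existing Device ID."""
    device_id = form.get("Device ID", "")
    if device_id not in DEVICE_OWNER:
        return 404, None
    return 200, build_report(device_id)


def report_hardened(session: Session, form: dict):
    """Bind the user-controlled key to the session before using it.

    Unknown and not-owned IDs get the same 404 so the endpoint does not
    become an oracle for which device IDs exist.
    """
    device_id = form.get("Device ID", "")
    if DEVICE_OWNER.get(device_id) != session.user_id:
        return 404, None
    return 200, build_report(device_id)


def enumerate_devices(handler, session: Session, candidates) -> list:
    """What a tester does to confirm an IDOR: iterate IDs, record which succeed."""
    return sorted(d for d in candidates if handler(session, {"Device ID": d})[0] == 200)
```

The fix is a lookup keyed on the session rather than on the request: the server resolves the device through the caller's account and refuses anything that does not resolve. Returning the same status for "does not exist" and "not yours" matters when IDs are short and sequential, as tracker IMEIs and device numbers typically are, because otherwise the endpoint still leaks the population of valid IDs even after the data itself is protected.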