
Popular vehicle GPS tracker gives hackers admin privileges over SMS
2022-07-19 15:00

Vulnerability researchers have found security issues in a GPS tracker that is advertised as being present in about 1.5 million vehicles in 169 countries.

MiCODUS GPS trackers are used by the state-owned Ukrainian transportation agency, so Russian hackers could target them to determine supply routes, troop movements, or patrol routes, researchers at cybersecurity company BitSight say in a report today.

CVE-2022-2141: Broken authentication scheme that lets anyone send certain commands to the GPS tracker via SMS and have them executed with admin privileges.

CVE-2022-33944: Insecure direct object reference on the main web server: a logged-in user can generate Excel activity reports for any GPS tracker, not just their own, by supplying an arbitrary "Device ID" in the request.
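The bug class behind CVE-2022-33944 (CWE-639, an authenticated IDOR on a "Device ID" POST parameter) is easy to see in a minimal report endpoint. The following is an added example written for this page, not MiCODUS code; the portal layout, user names, session tokens and device IDs are all hypothetical. The vulnerable handler authenticates the session and then trusts the client-supplied device ID; the hardened handler additionally checks that the session user owns that device, and deliberately returns the same response for "does not exist" and "not yours" so an attacker cannot enumerate valid IDs by the difference.

```python
"""Illustration of an IDOR on a "Device ID" POST parameter (CWE-639).

Added example for this page; not the vendor's code. All data below is
constructed: hypothetical users, sessions, device IDs and positions.
"""
import io
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample data: two portal users, each owning one tracker.
DEVICES = {
    "IMEI-0001": {"owner": "alice", "positions": [(50.45, 30.52), (50.46, 30.53)]},
    "IMEI-0002": {"owner": "bob", "positions": [(48.85, 2.35)]},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # hypothetical session tokens


def _session_user(environ):
    """Map the session cookie to a user name; None if not logged in."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "session":
            return SESSIONS.get(value)
    return None


def _post_param(environ, name):
    """Read one form-encoded POST parameter from the request body."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    return parse_qs(body).get(name, [None])[0]


def _render_report(device_id):
    return json.dumps({"device": device_id, "positions": DEVICES[device_id]["positions"]})


def report_vulnerable(environ, start_response):
    """Authenticates the session, then uses the client-supplied Device ID as-is."""
    if _session_user(environ) is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required"]
    device_id = _post_param(environ, "Device ID")
    if device_id not in DEVICES:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such device"]
    # No ownership check: any logged-in user can pull any device's report.
    start_response("200 OK", [("Content-Type", "application/json")])
    return [_render_report(device_id).encode()]


def report_hardened(environ, start_response):
    """Same endpoint with the missing authorization check."""
    user = _session_user(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required"]
    device_id = _post_param(environ, "Device ID")
    device = DEVICES.get(device_id)
    # Treat "unknown" and "not owned by this user" identically so that the
    # response does not reveal which device IDs exist.
    if device is None or device["owner"] != user:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such device"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [_render_report(device_id).encode()]


def call(app, session_token, device_id):
    """Drive a WSGI handler with a constructed POST; returns (status, body)."""
    body = urlencode({"Device ID": device_id}).encode()
    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
        "HTTP_COOKIE": f"session={session_token}",
    }
    status = {}

    def start_response(s, headers):
        status["value"] = s

    out = b"".join(app(environ, start_response))
    return status["value"], out.decode()


if __name__ == "__main__":
    # bob, logged in, asks for alice's tracker.
    print(call(report_vulnerable, "tok-bob", "IMEI-0001"))  # 200 with alice's positions
    print(call(report_hardened, "tok-bob", "IMEI-0001"))    # 404, nothing leaked
```

The same ownership check belongs on every endpoint that takes an object identifier (report export, live position, command dispatch), not only the one that happened to be reported; a single missed handler reopens the hole. On the detection side, a burst of 404s from one session across many distinct device IDs is the enumeration pattern the hardened handler leaves in the logs.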

The Chinese vendor of the GPS tracker was contacted again on October 1, 2021, but refused to provide a security or engineering contact.

At the time of writing, the MiCODUS MV720 GPS tracker remains vulnerable to the flaws above, and the vendor has not made a fix available.


News URL

https://www.bleepingcomputer.com/news/security/popular-vehicle-gps-tracker-gives-hackers-admin-privileges-over-sms/

Related Vulnerability

CVE-2022-33944 (published 2022-07-20)
Title: Authorization Bypass Through User-Controlled Key vulnerability in Micodus Mv720 Firmware
Description: The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability: an endpoint's POST parameter "Device ID" accepts arbitrary device IDs.
Attack vector: network, low complexity
Vendor: micodus
CWE: CWE-639
Risk: 6.5 (medium)

CVE-2022-2141 (published 2022-07-20)
Title: Missing Authentication for Critical Function vulnerability in Micodus Mv720 Firmware
Description: SMS-based GPS commands can be executed by the MiCODUS MV720 GPS tracker without authentication.
Attack vector: network, low complexity
Vendor: micodus
CWE: CWE-306
Risk: 9.8 (critical)