Security News > 2022 > July > Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely
2022-07-20 09:44

The U.S. Cybersecurity and Infrastructure Security Agency is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations.

CVE-2022-2107 - Use of a hard-coded master password that could enable an unauthenticated attacker to carry out adversary-in-the-middle attacks and seize control of the tracker.

CVE-2022-2141 - Broken authentication scheme in the API server that enables an attacker to control all traffic between the GPS tracker and the original server and gain control.

No assigned CVE - Use of a preconfigured default password "123456" that allows attackers to access any GPS tracker at random.

With no workaround in sight, users of the GPS tracker in question are advised to take steps to minimize exposure or alternatively cease using the devices and disable them altogether until a fix is made available by the company.

"Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations," the researchers said.


News URL

https://thehackernews.com/2022/07/unpatched-gps-tracker-bugs-could-let.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-07-20 CVE-2022-2141 Missing Authentication for Critical Function vulnerability in Micodus Mv720 Firmware
SMS-based GPS commands can be executed by MiCODUS MV720 GPS tracker without authentication.
network
low complexity
micodus CWE-306
critical
9.8
2022-07-20 CVE-2022-2107 Use of Hard-coded Credentials vulnerability in Micodus Mv720 Firmware
The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password.
0.0