Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely
The U.S. Cybersecurity and Infrastructure Security Agency is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations.
CVE-2022-2107 - Use of a hard-coded master password that could enable an unauthenticated attacker to carry out adversary-in-the-middle attacks and seize control of the tracker.
CVE-2022-2141 - Broken authentication scheme in the API server that enables an attacker to control all traffic between the GPS tracker and the original server and gain control.
No assigned CVE - Use of a preconfigured default password "123456" that allows attackers to access any GPS tracker at random.
With no workaround in sight, users of the GPS tracker in question are advised to take steps to minimize exposure or alternatively cease using the devices and disable them altogether until a fix is made available by the company.
"Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations," the researchers said.
News URL
https://thehackernews.com/2022/07/unpatched-gps-tracker-bugs-could-let.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-07-20 | CVE-2022-2141 | Missing Authentication for Critical Function vulnerability in Micodus Mv720 Firmware. SMS-based GPS commands can be executed by MiCODUS MV720 GPS tracker without authentication. | 9.8 |
2022-07-20 | CVE-2022-2107 | Use of Hard-coded Credentials vulnerability in Micodus Mv720 Firmware. The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. | 9.8 |