At a price point of only about $20, the MiCODUS MV720 vehicle GPS tracker is one of the most widely used in the world for remotely monitoring the location of vehicles and issuing commands to them by phone. It will now likely be taken out of service after a security study found that it was riddled with vulnerabilities, the most serious of which is a hard-coded password that anyone could use via an internet connection to impersonate the device owner.
It is possible that the China-based manufacturer could issue a patch for these issues, but the company has not made a public comment as of yet. Any patch would also likely have to be applied locally, which makes it unlikely to be worth the cost for owners who have already removed the vehicle GPS tracker over security concerns.
Numerous agencies are recommending exactly that course of action, as a remote takeover of the device allows an attacker to shut off the fuel supply.
Mechanics may see a surge of business due to hard-coded password flaw
The hard-coded password vulnerability is the most serious of the bunch, but there are others that would likely cause the MiCODUS MV720 vehicle GPS tracker to be pulled out of circulation even if it were not present.
Even without access to the hard-coded password, an attacker could exploit SMS text messages to issue commands to the device without authentication. It is also possible for them to attack the vehicle GPS tracker via the web server, both with cross-site scripting and through failures to properly validate device IDs. The “least” concerning vulnerability identified by security researchers is the fact that the device ships with a default password of “123456.”
This collection of vulnerabilities has security experts recommending the immediate removal of MiCODUS MV720 vehicle GPS trackers across all applications. There are obvious concerns about spying on the movements of vehicles, but the biggest issue is safety. Owners can shut off the fuel supply remotely as an anti-theft measure, a capability that is equally available to attackers who make use of the hard-coded password or one of the other exploits.
Time to find another vehicle GPS tracker?
Hoping for a timely patch from the device manufacturer, a company based in Shenzhen, is not a good strategy in this case. It is very unlikely that all of these issues could be patched remotely, and given the low cost of the device, a trip to the mechanic is likely better spent replacing it with another vehicle GPS tracker.
Researchers did not share specifics about the hard-coded password but did reveal that it was found in the code in the Android app, meaning that it should be easy for attackers to dig up. There are about 1.5 million of these devices in use across the world, and the researchers note that other MiCODUS products that share some of the same elements of architecture might be similarly impacted by some of these vulnerabilities.