Critical Flaws In GPS Tracker Enable 'Disastrous' and 'Life-Threatening' Hacks (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they're moving, track location histories, disarm alarms, and cut off fuel. An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.
BitSight discovered (PDF) what it said were six "severe" vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.
The vulnerabilities include one tracked as CVE-2022-2107, a hardcoded password that carries a severity rating of 9.8 out of a possible 10. Micodus trackers use it as a master password. Hackers who obtain this passcode can use it to log in to the web server, impersonate the legitimate user, and send commands to the tracker through SMS communications that appear to come from the GPS user's mobile number. With this control, hackers can: Gain complete control of any GPS tracker; Access location information, routes, geofences, and track locations in real time; Cut off fuel to vehicles; and Disarm alarms and other features. A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hardcoded password used by the Micodus server, a reflected cross-site scripting error in the Web server, and an insecure direct object reference in the Web server. The other tracking designations include CVE-2022-2199, CVE-2022-34150, CVE-2022-33944. The U.S. Cybersecurity and Infrastructure Security Administration is also warning about the risks posed by the critical security bugs. "Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms)," agency officials wrote.
Re: (Score:2)
And look at how well that's working out for the world on every level.
The world's corporations, and by extension their customers (us) did this to our collective selves, so a picture of everyone blaming everyone who is at fault looks like a Spider-Man meme. But pretending that moving all the manufacturing to China has been a positive thing is just that, and moreover, it's actively harmful enablement.
Re: (Score:1)
But still...is generally a reasonable assumption to start with.
Re: (Score:1)
pretending that everything made in china is crap is fucking annoying and insane
Most of what's made in China is crap, period, not the end of the story but still a fact.
Most of what's made everywhere is also crap, but China is also the nexus of a whole deliberate crap-producing system of industry designed to permit the wholesale of the future for increased dominance today. The low labor rates make it profitable to make your products shittier, because it makes labor a smaller percentage of the costs. Once you've cost-reduced the labor, it then makes sense to aggressively cost-reduce the
Re: "Made in China" (Score:2)
I don't get this nonsense of "cutoff fuel and disarm cars"... wtf are they trying to say? If it allows arbitrary OBD2 command injection, why not just say that? Because in some cars, OBD2 command injection also means you can drive a car off a cliff or into a brick wall. (Cars with LKAS.)
Re: (Score:2)
Who says these are arbitrary commands? They sell devices to governments and law enforcement. It's likely a core supported feature.
Re: (Score:2)
These devices are usually for fleet tracking operations like semi trucks, UPS delivery vans, buses, train locomotives, or other fleet vehicles. This isn't a device in your Subaru Outback.
https://www.linxup.com/uses/gp... [linxup.com]
Re: (Score:3)
You only get what other people will pay for. Otherwise the market is too small. That's why there is no "good" version of most things anymore.
Re: (Score:2)
Or we could talk about the sad state of the (embedded) software industry.
No? You'd rather go around lamenting the evils of "hackers" instead?
That won't help, but you do you, eh.
Please mod parent Insightful. These trackers and the cars they are connected to are members of the IOT, which is a crying shame of a shit-show that simply begs for stringent regulation, tough qualification testing, and merciless enforcement.
A GPS Tracker can do all that? (Score:4, Insightful)
Somebody seems to be in a completely irrational panic there. Sure, this ElCheapo GPS Tracker is insecure as hell. But how do you get from a GPS tracker to "remotely disable cars while they're moving" and "disarm alarms, and cut off fuel"? That seems quite a bit of a stretch and would likely require some severe design mistakes in the use of this GPS tracker.
Re: (Score:2)
My first thought is that perhaps some of these devices are built in to vehicles as OEM parts.
Re: (Score:3)
My first thought is that perhaps some of these devices are built in to vehicles as OEM parts.
Yes, sure. That seems to be the purpose of these things. But a GPS tracker is not reliable enough to control functions that can severely impact vehicle safety like "disable a car while moving". If the safety of a car relies on a cheap GPS tracker, then the car designer is doing something seriously wrong.
Re:A GPS Tracker can do all that? (Score:5, Informative)
They are not OEM parts. They are for covert monitoring. Most of the people vulnerable to these hacks likely don't even know they have one in their car.
They are designed to look like a relay so as not to arouse suspicion. They make them to fit in place of actual relays for things like the fuel pump or accessory power, where they can draw power from the vehicle's battery and also operate the function of the original relay remotely.
Re:A GPS Tracker can do all that? (Score:5, Informative)
Quick install guide available here [micodus.com]. Works with a NanoSIM. Looks like a relay indeed. Scary that this costs just $20 retail on Aliexpress; think about how much it costs to produce...
I wonder if car rental agencies use that.
Re:A GPS Tracker can do all that? (Score:4, Informative)
Quick install guide available here [micodus.com].
Thanks for the link. I was simultaneously chuckling and shuddering when I read Step 2: "Inset (sic) the Nano Spionlink SIM...". "Spion" indeed.
It's also interesting to note that the only way to track cars thus "enabled" is via the company's own website. So every vehicle in which one of these is installed will be tracked by at least two entities - at least three if you count the Chinese government.
Re: (Score:2)
These are OEM parts. A look at the picture shows this nicely: https://www.micodus.com/produc... [micodus.com]
Sure, they camouflage somewhat as a relay, but they are intended for installation into the regular electric system of a car. You cannot simply pull out an existing relay and put one of these in. The car manufacturer has to provide a socket for this or an attacker would have to splice cables and put that socket in a place where it does not look too out of place.
Re: (Score:2)
It looks like they're using a wiring harness. The website says it's easy to hide but most cars don't have a relay at the end of a wiring harness.
The website flips back and forth between cutting "oil" and "fuel". It does seem to be a fuel-pump switch but if they were to cut the oil pump somebody would be burning down their factory.
They also say they can detect a wire being cut and alert the controlling entity. OK, dude, that will take me two minutes to entirely bypass on an analog 12V system.
Point being a
Re: (Score:2)
It's almost like companies have more than one product or something.
Re: (Score:2)
You cannot simply pull out an existing relay and put one of these in. The car manufacturer has to provide a socket for this or an attacker would have to splice cables and put that socket in a place where it does not look too out of place.
My (admittedly old) car had several free sockets due to some relays and fuses not having been installed in the factory, because the optional features they were supposed to control (e.g. heated mirrors) hadn't been bought and installed. Maybe with modern cars it's different.
Re: (Score:2)
I mean, if it is on the same internal network as the rest of the car then it's a staging area for lateral movement.
For example, cars' entertainment systems are often used as an entry point to move laterally into car's core functions.
Re: (Score:3)
Does not seem to have any data connections except the wireless ones. It basically has power and ground as input and one switch as output. Over-the-air, it has GPS (passive) and GSM and you can control the switch via GSM. So no "lateral movement" here.
Re: (Score:2)
Re: (Score:2)
Sounds like a personal injury lawsuit waiting to happen...
Sure, you can do this, but the critical part is "while moving". Doing that is just an accident waiting to happen.
Re: (Score:2)
Somebody seems to be in a completely irrational panic there. Sure, this ElCheapo GPS Tracker is insecure as hell. But how do you get from a GPS tracker to "remotely disable cars while they're moving" and "disarm alarms, and cut off fuel"?
Why do you think fuel cut-off is so implausible in an anti-theft device? A quick look at the advertising for this device [aliexpress.com] clearly lists this as a feature.
Re: (Score:2)
There are GPS trackers that do that.
If you have bad credit and go for one of those "Bad credit? We can rent you a car to own!" type places, they will alm
Be sensible (Score:1)
At $20, bin it and get a better one...
Re: (Score:2)
..., with customers including governments, militaries, law enforcement agencies, ...
In a lot of cases, you should be telling that to the victim instead of the buyer. But at least you now know where to find him to give your advice.
The dangers of tracking devices (Score:3)
I thought it bad enough when people used our dog/pet tracker to track their spouse or significant other. But, to be able to disable their vehicle… scary.
With our product, they would drop the device in their target's handbag or in their car and know when they were vulnerable. Our operations team was called in to testify in several murder investigations with printed location logs to show the perp queried their location just prior to their victim's demise (remember, we sold it as a pet tracker).
We also developed a vehicle delivery tracker with the same device (different firmware) that would only expose the driver's location on a map in real-time to the next delivery recipient and only in the last mile for the driver's safety.
And, call us odd, but we kept a list of the names people assigned to their tracker (many were disturbing). Many of the names were humorous while others rather dark. That's how we came to realize that our device wasn't being used to predominantly track their pets.
What could possibly go wrong? (Score:2)
Gee, I really think it is a super duper idea to use a $20 dongle to control the power line of the fuel pump of my car at a distance! It must have been carefully designed as a safety-critical component! It's definitely not going to fail while I'm overtaking a truck on a busy highway or in some other potentially dangerous situation!
123456 (Score:2)
That is the actual super secret master password.
https://www.youtube.com/watch?... [youtube.com]
$20/month as a service (Score:3)
Flaws or backdoors? (Score:2)
After all, this is China we are talking about.
adversary-in-the-middle is the new word? (Score:3)
Re: (Score:2)