Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Critical Flaws In GPS Tracker Enable 'Disastrous' and 'Life-Threatening' Hacks (arstechnica.com) 38

An anonymous reader quotes a report from Ars Technica: A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they're moving, track location histories, disarm alarms, and cut off fuel. An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered (PDF) what it said were six "severe" vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

The vulnerabilities include one tracked as CVE-2022-2107, a hardcoded password that carries a severity rating of 9.8 out of a possible 10. Micodus trackers use it as a master password. Hackers who obtain this passcode can use it to log in to the web server, impersonate the legitimate user, and send commands to the tracker through SMS communications that appear to come from the GPS user's mobile number. With this control, hackers can: Gain complete control of any GPS tracker; Access location information, routes, geofences, and track locations in real time; Cut off fuel to vehicles; and Disarm alarms and other features. A separate vulnerability, CVE-2022-2141, leads to a broken authentication state in the protocol the Micodus server and the GPS tracker use to communicate. Other vulnerabilities include a hardcoded password used by the Micodus server, a reflected cross-site scripting error in the Web server, and an insecure direct object reference in the Web server. The other tracking designations include CVE-2022-2199, CVE-2022-34150, CVE-2022-33944.
The U.S. Cybersecurity and Infrastructure Security Administration is also warning about the risks posed by the critical security bugs. "Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms)," agency officials wrote.
This discussion has been archived. No new comments can be posted.

Critical Flaws In GPS Tracker Enable 'Disastrous' and 'Life-Threatening' Hacks

Comments Filter:
  • by gweihir ( 88907 ) on Wednesday July 20, 2022 @08:42AM (#62718522)

    Somebody seems to be in a completely irrational panic there. Sure, this ElCheapo GPS Tracker is insecure as hell. But how do you get form a GPS tracker to "remotely disable cars while they're moving" and "disarm alarms, and cut off fuel"? That seems quite a bit of s stretch and would likely require some severe design mistakes in the use of this GPS tracker.

    • My first thought is that perhaps some of these devices are built in to vehicles as OEM parts.

      • by gweihir ( 88907 )

        My first thought is that perhaps some of these devices are built in to vehicles as OEM parts.

        Yes, sure. That seems to be the purpose of these things. But a GPS tracker is not reliable enough to control functions that can severely impact vehicle safety like "disable a car while moving". If the safety of a car relies on a cheap GPS tracker, then the car designer is doing something seriously wrong.

        • by AmiMoJo ( 196126 ) on Wednesday July 20, 2022 @09:02AM (#62718582) Homepage Journal

          They are not OEM parts. They are for covert monitoring. Most of the people vulnerable to these hacks likely don't even know they have one in their car.

          They are designed to look like a relay so as not to arouse suspicion. They make them to fit in place of actual relays for things like the fuel pump or accessory power, where they can draw power from the vehicle's battery and also operate the function of the original relay remotely.

          • by ZiggyZiggyZig ( 5490070 ) on Wednesday July 20, 2022 @09:49AM (#62718722)

            Quick install guide available here [micodus.com]. Works with a NanoSIM. Looks like a relay indeed. Scary this just costs $20 retail on Aliexpress, think about how much it costs for producing...

            I wonder if car rental agencies use that.

          • by gweihir ( 88907 )

            These are OEM parts. A look at the picture shows this nicely: https://www.micodus.com/produc... [micodus.com]

            Sure, they camouflage somewhat as a relay, but they are intended for installation into the regular electric system of a car. You cannot simply pull out an existing relay and put one of these in. The car manufacturer has to provide a socket for this or an attacker would have to splice cables and put that socket in a place where it does not look too put of place.

            • It looks like they're using a wiring harness. The website says it's easy to hide but most cars don't have a relay at the end of a wiring harness.

              The website flips back and forth between cutting "oil" and "fuel". It does seem to be a fuel-pump switch but if they were to cut the oil pump somebody would be burning down their factory.

              They also say they can detect a wire being cut and alert the controlling entity. OK, dude, that will take me two minutes to entirely bypass on an analog 12V system.

              Point being a

            • by mridoni ( 228377 )

              You cannot simply pull out an existing relay and put one of these in. The car manufacturer has to provide a socket for this or an attacker would have to splice cables and put that socket in a place where it does not look too put of place.

              My (admittedly old) car had several free sockets due to some relays and fuses not having been installed in the factory, because the optional features they were supposed to control (e.g. heated mirrors) hadn't been bought and installed. Maybe with modern cars it's different.

        • I mean, if it is on the same internal network as the rest of the car then it's a staging area for lateral movement.

          For example, cars' entertainment systems are often used as an entry point to move laterally into car's core functions.

          • by gweihir ( 88907 )

            Does not seem to have any data connections except the wireless ones. It basically has power and ground as input and one switch as output. Over-the-air, it has GPS (passive) and GSM and you can control the switch via GSM. So no "lateral movement" here.

    • I don't know about that particular model of GPS tracker, but some of them are used by finance companies to track cars with high risk, high interest (credit card high) loans. Those ones are absolutely able to disable the car. The staff at a local dealer gave them the very un-PC name "poor person modules".
      • by gweihir ( 88907 )

        Sounds like a personal injury lawsuit waiting to happen...
        Sure, you can do this, but the critical part is "while moving". Doing that is just an accident waiting to happen.

    • Somebody seems to be in a completely irrational panic there. Sure, this ElCheapo GPS Tracker is insecure as hell. But how do you get form a GPS tracker to "remotely disable cars while they're moving" and "disarm alarms, and cut off fuel"?

      Why do you think fuel cut-off is so implausible in an anti-theft device? A quick look at the advertising for this device [aliexpress.com] clearly lists this as a feature.

    • by tlhIngan ( 30335 )

      Somebody seems to be in a completely irrational panic there. Sure, this ElCheapo GPS Tracker is insecure as hell. But how do you get form a GPS tracker to "remotely disable cars while they're moving" and "disarm alarms, and cut off fuel"? That seems quite a bit of s stretch and would likely require some severe design mistakes in the use of this GPS tracker.

      There are GPS trackers that do that.

      If you have bad credit and go for one of those "Bad credit? We can rent you a car to own!" type places, they will alm

  • At $20, bin it and get a better one...

    • ..., with customers including governments, militaries, law enforcement agencies, ...

      In a lot of cases, you should be telling that to the victim instead of the buyer. But at least you now know where to find him to give your advice.

  • by Ronin Developer ( 67677 ) on Wednesday July 20, 2022 @09:54AM (#62718738)

    I thought it bad enough when people used our dog/pet tracker to track their spouse or significant other. But, do be able to disable their vehicleâ¦scary.

    With our product, they would drop the device in their targetâ(TM)s handbag or in their car and know when they were vulnerable. Our operations team was called in to testify in several murder investigations with printed location logs to show the perp queried their location just prior to their victims demise (remember, we sold it as a pet tracker).

    We also developed a vehicle delivery tracker with the same device (different firmware) that would only expose the driverâ(TM)s location on a map in real-time to the next delivery receipient and only in the last mile for the driverâ(TM)s safety.

    And, call us odd, but we kept a list of the names people assigned to their tracker (many were disturbing). Many of the names were humorous while others rather dark. Thatâ(TM)s how we came to realize that our device wasnâ(TM)t being used to predominantly track their pets..

  • Gee, I really think it is a super duper idea to use a $20 dongle to control the power line of the fuel pump of my car at a distance! It must has been carefully designed as a safety-critical component! It's definitely not going to fail while I'm overtaking a truck on a busy highway or in some other potentially dangerous situation!

  • That is the actual super secret master password.

    https://www.youtube.com/watch?... [youtube.com]

  • by DDumitru ( 692803 ) <`moc.ocysae' `ta' `guod'> on Wednesday July 20, 2022 @12:08PM (#62719282) Homepage
    This item does not seem to "sell" for $20. Instead it is a service for about $20/month. As such, the service providers outside of China are potentially looking at a lot of liability.
  • After all, this is China we are talking about.

  • by lsllll ( 830002 ) on Wednesday July 20, 2022 @12:59PM (#62719534)
    Master/Slave has gone to shit. Now "man" has to go? There used to be a time when "man" also stood for "human".
    • by kmoser ( 1469707 )
      The next stage will be to ban human-centric words because they discriminate against non-human animals and space aliens.

You know you've landed gear-up when it takes full power to taxi.

Working...