Popular GPS tracker vulnerable to hackers, risks include supply chain disruption and loss of life, group says

A cybersecurity firm and government watchdogs are sounding the alarm over the use of a popular Chinese-made GPS tracking device.

The MiCODUS MV720 GPS Tracker has “six severe vulnerabilities” that could potentially allow “hackers to unknowingly track individuals, remotely disable corporate supply and emergency vehicle fleets, abruptly shut down civilian vehicles on dangerous highways, and more,” according to a July 19 report by cybersecurity company BitSight.

MiCODUS GPS trackers are used by customers to monitor real-time locations and speeds, historical routes, and to shut off fuel remotely in the event of theft.

The group says the vulnerabilities in the devices could allow hackers to “cut fuel from a civilian’s vehicle and deploy ransomware, demanding a ransom to restore the vehicle to roadworthy condition.” Hackers could “also deploy ransomware to vehicles in an organization’s commercial vehicle fleet, potentially inducing supply shortages and disrupting business continuity for the targeted organization and supply chain partners,” according to the report.

BitSight says exploitation of the vulnerabilities could lead to loss of life, supply chain disruptions, illegal tracking, or data leaks.

As an immediate solution, BitSight recommends that “MV720 users take prompt action to protect themselves from device vulnerabilities. BitSight recommends that users immediately discontinue use or disable any MiCODUS MV720 GPS Tracker until a fix is available. The device usually requires professional installation, so users may need to see a mechanic to properly disable the device(s).”

The GPS tracker sells for around $20 and around 1.5 million devices are in use worldwide, according to BitSight. The device is used in government, military and law enforcement agencies, as well as various industries including aerospace, engineering, manufacturing and shipping.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clark, an internationally renowned national security expert and former presidential adviser on cybersecurity. “With the rapid growth of mobile device adoption and our society’s desire to be more connected, it’s easy to overlook the fact that GPS tracking devices such as these can dramatically increase cyber risk if they are not designed with security in mind. BitSight’s research findings underscore how having a secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal and national security, and lead to extreme results such as disruption of large-scale fleet management and even loss of life.”

The US Cybersecurity and Infrastructure Security Agency (CISA) also issued a newsletter on July 19 detailing several hacking vulnerabilities associated with the device.