Researchers: Chinese-made GPS tracker highly vulnerable

Jul 19, 2022, 8:17 AM | Updated: Jul 21, 2022, 3:30 pm

FILE - The U.S. Homeland Security Department headquarters in northwest Washington is pictured on Feb. 25, 2015. A popular Chinese-made automotive GPS tracker used by individuals, government agencies and companies in 169 countries has severe software vulnerabilities, posing a potential danger to life and limb, national security and supply chains, cybersecurity researchers said in a report released Tuesday, July 19, 2022, to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing six vulnerabilities. (AP Photo/Manuel Balce Ceneta, File)

BOSTON (AP) — A popular Chinese-made automotive GPS tracker used in 169 countries has severe software vulnerabilities, posing a potential danger to highway safety, national security and supply chains, cybersecurity researchers have found.

A report by the Boston cybersecurity firm BitSight says the flaws could let attackers remotely hijack device-equipped vehicles, cutting off fuel to them and otherwise seizing control while they travel.

The researchers say users should immediately disable the MV720 GPS tracker until a fix becomes available. The report was released Tuesday to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing five vulnerabilities.

BitSight said it tried unsuccessfully for months — beginning in September, with CISA joining it in late April — to engage the manufacturer, Shenzhen-based MiCODUS, in discussion addressing the vulnerabilities. The Associated Press telephoned and emailed the company but got no response. A person who answered a phone number listed on its website was unable to respond in English.

CISA said in a statement that it was not aware of “any active exploitation” of the vulnerabilities.

GPS trackers are used globally to monitor vehicle fleets – from trucks to school buses to military vehicles — and protect them against theft. In addition to collecting data on vehicle location, they typically also monitor other metrics, such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors and more.

Using the MV720, which BitSight says costs less than $25 per unit, a malicious user could remotely cut off the fuel line of a vehicle in motion, know a vehicle’s real-time location for espionage purposes or intercept and taint location or other data to sabotage operations, said the principal BitSight researcher on the project, Pedro Umbelino.

He said multiple malicious scenarios are possible: First responders’ vehicles could be crippled, or a hacker could shut off an engine and demand a cryptocurrency ransom of victims to avoid calling a mechanic.

The main vulnerabilities: The device comes with a default password that more than 90% of users don’t change, and there is a second, obscure but hard-coded password that works for all devices, BitSight found. It also found security flaws in the software of the web server used to remotely manage the GPS devices.

The manufacturer, MiCODUS, claims an installed base of 1.5 million devices across 420,000 customers, said BitSight. Its research found they included a Fortune 50 energy company and an aerospace company, a national military in South America and in eastern Europe, a nuclear power plant operator and a national law enforcement agency in western Europe. It did not name any of them. Countries with the most users included, by continent: Brazil, Mexico, Spain and Russia.

Richard Clarke, the former U.S. cybersecurity czar, called the insecure GPS device yet another example of a smart Chinese-made product “that is phoning home and could be used maliciously by the Chinese government.”

While Clarke said he doubted the tracker was designed for that purpose, the danger is real because Chinese companies are obliged by law to follow their government’s orders — which is why Washington has been seeking to minimize Chinese components in U.S. telecoms networks and why some in Congress are pushing for a ban on U.S. government purchases of Chinese drones.

“You just wonder, how often are we going to find these things that are infrastructure — where there’s a potential for Chinese abuse — and the users don’t know?” said Clarke.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

AP
