Researchers: Chinese-made GPS tracker highly vulnerable

Jul 19, 2022, 8:17 AM | Updated: Jul 21, 2022, 3:30 pm
FILE - The U.S. Homeland Security Department headquarters in northwest Washington is pictured on Feb. 25, 2015. A popular Chinese-made automotive GPS tracker used by individuals, government agencies and companies in 169 countries has severe software vulnerabilities, posing a potential danger to life and limb, national security and supply chains, cybersecurity researchers said in a report released Tuesday, July 19, 2022, to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing six vulnerabilities. (AP Photo/Manuel Balce Ceneta, File)


BOSTON (AP) — A popular Chinese-made automotive GPS tracker used in 169 countries has severe software vulnerabilities, posing a potential danger to highway safety, national security and supply chains, cybersecurity researchers have found.

A report by the Boston cybersecurity firm BitSight says the flaws could let attackers remotely hijack device-equipped vehicles, cutting off fuel to them and otherwise seizing control while they travel.

The researchers say users should immediately disable the MV720 GPS tracker until a fix becomes available. The report was released Tuesday to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing five vulnerabilities.

BitSight said it tried unsuccessfully for months — beginning in September, with CISA joining it in late April — to engage the manufacturer, Shenzhen-based MiCODUS, in discussion addressing the vulnerabilities. The Associated Press telephoned and emailed the company but got no response. A person who answered a phone number listed on its website was unable to respond in English.

CISA said in a statement that it was not aware of “any active exploitation” of the vulnerabilities.

GPS trackers are used globally to monitor vehicle fleets, from trucks to school buses to military vehicles, and protect them against theft. In addition to collecting data on vehicle location, they typically also monitor other metrics, such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors and more.

Using the MV720, which BitSight says costs less than $25 per unit, a malicious user could remotely cut off the fuel line of a vehicle in motion, know a vehicle’s real-time location for espionage purposes or intercept and taint location or other data to sabotage operations, said the principal BitSight researcher on the project, Pedro Umbelino.

He said multiple malicious scenarios are possible: First responders’ vehicles could be crippled, or a hacker could shut off an engine and demand a cryptocurrency ransom of victims to avoid calling a mechanic.

The main vulnerabilities: The device comes with a default password that more than 90% of users don’t change, and there is a second, obscure but hard-coded password that works for all devices, BitSight found. It also found security flaws in the software of the web server used to remotely manage the GPS devices.

The manufacturer, MiCODUS, claims an installed base of 1.5 million devices across 420,000 customers, said BitSight. Its research found they included a Fortune 50 energy company and an aerospace company, a national military in South America and in eastern Europe, a nuclear power plant operator and a national law enforcement agency in western Europe. It did not name any of them. Countries with the most users included, by continent: Brazil, Mexico, Spain and Russia.

Richard Clarke, the former U.S. cybersecurity czar, called the insecure GPS device yet another example of a smart Chinese-made product “that is phoning home and could be used maliciously by the Chinese government.”

While Clarke said he doubted the tracker was designed for that purpose, the danger is real because Chinese companies are obliged by law to follow their government’s orders — which is why Washington has been seeking to minimize Chinese components in U.S. telecoms networks and why some in Congress are pushing for a ban on U.S. government purchases of Chinese drones.

“You just wonder, how often are we going to find these things that are infrastructure — where there’s a potential for Chinese abuse — and the users don’t know?” said Clarke.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
