AP

Researchers: Chinese-made GPS tracker highly vulnerable

Jul 19, 2022, 8:17 AM | Updated: Jul 21, 2022, 3:30 pm

BOSTON (AP) — A popular Chinese-made automotive GPS tracker used in 169 countries has severe software vulnerabilities, posing a potential danger to highway safety, national security and supply chains, cybersecurity researchers have found.

A report by the Boston cybersecurity firm BitSight says the flaws could let attackers remotely hijack device-equipped vehicles, cutting off fuel to them and otherwise seizing control while they travel.

The researchers say users should immediately disable the MV720 GPS tracker until a fix becomes available. The report was released Tuesday to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing five vulnerabilities.

BitSight said it tried unsuccessfully for months — beginning in September, with CISA joining it in late April — to engage the manufacturer, Shenzhen-based MiCODUS, in discussion addressing the vulnerabilities. The Associated Press telephoned and emailed the company but got no response. A person who answered a phone number listed on its website was unable to respond in English.

CISA said in a statement that it was not aware of “any active exploitation” of the vulnerabilities.

GPS trackers are used globally to monitor vehicle fleets, from trucks to school buses to military vehicles, and protect them against theft. In addition to collecting data on vehicle location, they typically also monitor other metrics, such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors and more.

Using the MV720, which BitSight says costs less than $25 per unit, a malicious user could remotely cut off the fuel line of a vehicle in motion, know a vehicle’s real-time location for espionage purposes or intercept and taint location or other data to sabotage operations, said the principal BitSight researcher on the project, Pedro Umbelino.

He said multiple malicious scenarios are possible: First responders’ vehicles could be crippled, or a hacker could shut off an engine and demand a cryptocurrency ransom from victims who want to avoid calling a mechanic.

The main vulnerabilities: The device comes with a default password that more than 90% of users don’t change, and there is a second, obscure but hard-coded password that works for all devices, BitSight found. It also found security flaws in the software of the web server used to remotely manage the GPS devices.

The manufacturer, MiCODUS, claims an installed base of 1.5 million devices across 420,000 customers, said BitSight. Its research found they included a Fortune 50 energy company and an aerospace company, a national military in South America and in eastern Europe, a nuclear power plant operator and a national law enforcement agency in western Europe. It did not name any of them. Countries with the most users included, by continent: Brazil, Mexico, Spain and Russia.

Richard Clarke, the former U.S. cybersecurity czar, called the insecure GPS device yet another example of a smart Chinese-made product “that is phoning home and could be used maliciously by the Chinese government.”

While Clarke said he doubted the tracker was designed for that purpose, the danger is real because Chinese companies are obliged by law to follow their government’s orders — which is why Washington has been seeking to minimize Chinese components in U.S. telecoms networks and why some in Congress are pushing for a ban on U.S. government purchases of Chinese drones.

“You just wonder, how often are we going to find these things that are infrastructure — where there’s a potential for Chinese abuse — and the users don’t know?” said Clarke.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
