Thank You, Internet Of Vehicles
BitSight have reported the existence of six vulnerabilities in the Micodus MV720 GPS, that company's $20 GPS tracker for vehicles, and they suspect that their other models share the same problems. Of course, it is more than just a GPS device, as nothing seems to be sold today that doesn't have a number of extra features. With the Micodus this includes a SIM card so you can communicate with it via smartphone, and it has anti-theft fuel cut-off and vehicle shut-off capabilities.
Part of the problem comes from two hard-coded passwords used on Micodus servers, which allow anyone with that password to remotely communicate with and track the GPS while masquerading as the legitimate owner. Of course, even that is not necessary thanks to broken authentication on the server, which allows anyone to communicate with the GPS using SMS without bothering to authenticate themselves at all. Those are the two most serious security flubs; there are four more that are slightly less terrifying.
The obvious problem is that anyone is able to track your vehicle's movements at any time, as well as the vehicle's owner to a certain extent. The extra features on the Micodus MV720 GPS and other models offer some less obvious problems. It is possible to hook up the GPS tracker to be able to remotely disable a vehicle, or to cut off the fuel supply, and thanks to these flaws a remote attacker is fully able to exploit those features for their own purposes. Since many of the GPS devices with these features are installed in trucks and delivery vehicles, it is possible a motivated attacker could disable an entire fleet of vehicles.
BitSight first contacted Micodus in September, and having heard nothing back and seen no evidence of patches, they decided to go public today. Ars Technica also tried reaching out, and received the same lack of response.