With GPS now a ubiquitous part of the digital society, the act of navigation or tracking has never been easier. Location-based apps know where you are and (inevitably) what you are doing, but a widely-available vehicle tracker that retails for $20 could cause significant disruption to the supply chain.
A recent report by cybersecurity firm BitSight found at least six severe vulnerabilities in the MiCODUS MV720 tracker, with the analyst identifying a number of organizations that utilize the device as part of their ongoing business operations. According to the authors of the report, the tracker can be hacked with relative ease and could result in “loss of life, supply chain disruption, unlawful data tracking, data breach, and more.”
BitSight’s research uncovered a variety of potential access points in the MV720, all of which had the potential to allow man-in-the-middle attacks, authentication bypass and persistent (or invisible) monitoring. Exploitation of any identified vulnerabilities would allow, the report said, a malicious actor to carry out a range of activities, including but not limited to vehicle disablement, deployment of ransomware and disruption to movement within a commercial infrastructure.
Identify risk, limit exposure
There are reportedly 1.5 million devices currently in use, and the tracker Is used by both the private and public sector. Cyberattacks are an accepted part of the digital ecosystem, but there has been an increased focus on infrastructure by the black hat community in recent years.
Commenting on BitSight’s findings, Richard Clarke (a national security expert and former presidential advisor on cybersecurity) said:
“With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IOT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”
It is also worth noting that the U.S. Cybersecurity and Infrastructure Agency (CISA) also flagged up the vulnerabilities in the MV720, with the agency recommending a number of strategies to mitigate the potential for exposure.
The full findings of the report can be found here, but (at the time of writing) the manufacturer – China-based MiCODUS – has not released any patches or updates to fix the identified vulnerabilities. In the meantime, BitSight and CISA recommend that concerned users protect themselves (and their data) by taking defensive measures such as device disablement or discontinuation.
“The MiCODUS MV720 will not be the final device discovered to have critical vulnerabilities capable of threatening business operations, human safety, national security, and more” BitSight said. “The next critical vulnerability could be discovered in another GPS tracker, medical sensor, smart fire alarm, or other IOT device. [We] urge organizations to make every effort to preempt the next critical vulnerability by managing their adoption, and third party adoption, of IOT devices.”
