"Security Flaws in a Popular GPS Tracker Are Exposing a Million Vehicle Locations"

New research reveals security flaws in a popular Chinese-made GPS vehicle tracker. Exploiting these vulnerabilities could allow threat actors to track and remotely cut the engines of at least a million vehicles worldwide. BitSight, a cybersecurity startup, discovered six vulnerabilities in the MV720, a hardwired GPS tracker manufactured by Micodus, a Shenzhen-based electronics manufacturer. Micodus claims that more than 1.5 million of its GPS trackers are in use today by over 420,000 customers worldwide, including companies with fleets of vehicles, law enforcement agencies, militaries, and national governments. BitSight also found the GPS trackers in use by Fortune 500 companies and a nuclear power plant operator. Given the severity of the bugs and the lack of a fix, BitSight and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) both advised vehicle owners to remove the devices as soon as possible to mitigate the risk. Some of the flaws are in the GPS tracker itself, while others are in the web dashboard that customers use to monitor their fleets. The most severe flaw is a hardcoded password that can be used to gain complete control of any GPS tracker, access vehicles' real-time location and past routes, and remotely cut off fuel to vehicles. Because the password is embedded directly in the code of the Android app, anyone can search for it. This article continues to discuss the potential impact and exploitation of the security flaws in the MV720 GPS tracker.

TechCrunch reports "Security Flaws in a Popular GPS Tracker Are Exposing a Million Vehicle Locations"
