{"id":19648,"date":"2022-07-21T02:10:09","date_gmt":"2022-07-21T10:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/07\/21\/news-13381\/"},"modified":"2022-07-21T02:10:09","modified_gmt":"2022-07-21T10:10:09","slug":"news-13381","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/07\/21\/news-13381\/","title":{"rendered":"Vulnerabilities in GPS tracker could have “life-threatening” implications"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Thu, 21 Jul 2022 09:57:08 +0000<\/strong><\/p>\n

Researchers at BitSight<\/a>\u00a0have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.<\/p>\n

The vulnerabilities are severe enough for the Cybersecurity & Infrastructure Security Agency (CISA) to publish a Security Advisory titled\u00a0ICSA-22-200-01: MiCODUS MV720 GPS Tracker<\/a>.<\/p>\n

What’s happened?<\/h2>\n

The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut off, remote control and geofencing capabilities. In total, there are 1.5 million of these devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.<\/p>\n

If the vulnerabilities are successfully exploited, an attacker could take control of the tracker, giving them access to location, routes, and fuel cutoff commands, as well as the ability to disarm various features like alarms. The found vulnerabilities\u00a0are very diverse and would imply that the application was not built with security in mind. Or certainly not top of mind.<\/p>\n

The vulnerabilities<\/h2>\n

Hard coded credentials<\/h3>\n

CVE-2022-2107<\/a>: The API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner\u2019s mobile number.<\/p>\n

Improper authentication<\/h3>\n

CVE-2022-2141<\/a>: SMS-based GPS commands can be executed without authentication.<\/p>\n

Improper neutralization of input during web page generation<\/h3>\n

CVE-2022-21999<\/a>: The main web server has a reflected cross-site scripting (XSS<\/a>) vulnerability that could allow an attacker to gain control by tricking a user into making a request.<\/p>\n

Authorization bypass through user-controlled key<\/h3>\n

CVE-2022-34150<\/a>: The main web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.<\/p>\n

Another authorization bypass through user-controlled key<\/h3>\n

CVE-2022-33944<\/a>: The main web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter \u201cDevice ID,\u201d which accepts arbitrary device IDs.<\/p>\n

Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.<\/p>\n

Mitigation<\/h2>\n

Since MiCODUS has not provided updates or patches to mitigate these vulnerabilities, users are advised to turn the vulnerable devices off.<\/p>\n

The researchers first contacted MiCODUS about the vulnerabilities in September 2021, and due to a lack of response CISA and BitSight decided to publish their research.<\/p>\n

The post Vulnerabilities in GPS tracker could have “life-threatening” implications<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Pieter Arntz| Date: Thu, 21 Jul 2022 09:57:08 +0000<\/strong><\/p>\n

Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device.<\/p>\n

The post Vulnerabilities in GPS tracker could have “life-threatening” implications<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[27039,27040,27041,27042,27043,22783,9298,27044,27045,1804,22983],"class_list":["post-19648","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cve-2022-2107","tag-cve-2022-2141","tag-cve-2022-21999","tag-cve-2022-33944","tag-cve-2022-34150","tag-exploits-and-vulnerabilities","tag-gps","tag-micodus","tag-mv720","tag-reports","tag-tracker"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19648"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19648\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19648"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}