Researchers have discovered numerous zero-day bugs in the MiCODUS GPS tracker, threatening vehicle security. US CISA confirms no availability of patches, for now, and are urging users to remain careful.
GPS Tracker Zero-Day Bugs
According to a recent advisory from US CISA, the zero-day vulnerabilities in MiCODUS GPS tracker risk vehicle security. As elaborated, exploiting the flaw allows an attacker to take control of the target GPS tracker. In turn, it empowers the attacker to access location data, routes, fuel cutoff commands, and meddle with functionalities like alarms.
Specifically, these vulnerabilities caught the attention of security researchers from BitSight, who have shared the details of their study in a report.
As explained, the team observed at least six different zero-day bugs in the MiCODUS MV720 GPS tracker. It’s a commonly used hard-wired tracker for vehicle security. It offers numerous services to the users, such as GPS tracking, geofencing, remote control, and fuel cutoff. Given the critical nature of these functionalities, any cyberattacks involving this tracker directly compromise the target vehicle’s security.
Regarding the vulnerabilities, the researchers found the following six bugs.
- CVE-2022-2107 (CVSS 9.8): a critical severity vulnerability that existed due to a hard-coded master password. An attacker may exploit the flaw to directly communicate with the tracker via SMS on behalf of the tracker owner.
- CVE-2022-2141 (CVSS 9.8): an adversary could execute SMS-based commands on the GPS tracker due to improper authentication.
- CVE-2022-2199 (CVSS 7.5): a high-severity reflected XSS vulnerability existed in the tracker’s web server that an adversary may exploit by tricking the target user into making a request. Exploiting this bug could give the attacker complete control of the tracker.
- CVE-2022-34150 (CVSS 7.1): a high-severity IDOR existed on the web server endpoint and parameter device IDs, accepting arbitrary unauthenticated device IDs.
- CVE-2022-33944 (CVSS 6.5): a medium severity IDOR on the web server affecting endpoint and POST parameter device ID, accepting arbitrary device IDs.
What Next?
For now, no official patches exist for the bugs. BitSight researchers confirmed to have notified the vendors. But upon receiving no response, they contacted the CISA to expedite the matter. Still, the vendors reportedly did not respond to the CISA either, compelling a public disclosure.
Thus, in the absence of official patches, CISA urges users to remain careful, minimize network exposure, protect the control system networks and devices behind firewalls, and use the best VPN when establishing a remote connection. Moreover, they also warn users to stay wary of social engineering attacks.