Fleet of commercial lorry trucks in row showing vehicle GPS tracker with hard-coded password vulnerabilities

Hard-coded Password in Popular Vehicle GPS Tracker Allows for User Impersonation, Remote Execution of Commands

A hard-coded password discovered in a popular brand of vehicle GPS trackers has rendered them essentially unusable, at least until (if) some sort of patch is issued.

Security firm Bitsight has cracked open the MiCODUS MV720 vehicle GPS tracker and found six separate vulnerabilities that are considered serious, at least four of which potentially allow for remote control of the device. The most severe of the bunch is a hard-coded password that allows anyone aware of it to log into the web server, impersonate the user and send the same commands to their GPS unit that legitimate users can normally send by phone.

Affordable vehicle GPS tracker too compromised to safely use

At a retail price of about $20, the MiCODUS MV720 vehicle GPS tracker is a popular device that has sold some 1.5 million units across 169 countries. It is in use in military vehicles, the fleets of Fortune 50 critical infrastructure and technology companies, and US state government cars, just to name a few known highly sensitive applications.

The primary function of the device is to allow the location of the vehicle to be tracked remotely via phone in real time, but an authorized user can also issue commands by phone (or an internet-based SMS text) to their unit. This includes remotely cutting off the fuel, disabling the vehicle in the event it is stolen.

With the hard-coded password that Bitsight has discovered in the unit, these remote abilities are now essentially available to anyone with an internet connection. And this is not the only vulnerability in the unit that potentially allows for remote takeover; it’s simply the easiest and most straightforward of the bunch.

Bitsight has shared this information with the Cybersecurity and Infrastructure Security Agency (CISA), and the groups are recommending that all consumers immediately cease use of the MiCODUS MV720. But it is possible that these flaws extend to other MiCODUS vehicle GPS tracker models, as Bitsights notes that some of the problems are in underlying architecture that units may share.

Hard-coded password makes unit too exploitable to use, but removal may be tricky

CISA has thus far assigned CVSS scores to five of the six reported vulnerabilities in the MV720 vehicle GPS tracker. Two of them, including the hard-coded password issue, have received a “critical” rating of 9.8.

In addition to the hard-coded password vulnerability, the other critical issue involves the use of SMS text commands to remotely control the device. The researchers found that not all of these commands are authenticated properly, allowing some attempts to go through without first supplying credentials. This can be done with no awareness or use of the hard-coded password.

Two other vulnerabilities were given “high” CVSS scores in the 7-point range. A cross-site scripting vulnerability was found that could trick a user into issuing a request that allows a remote attacker to gain control of the device, and another vulnerability with the main web server consists of a failure to verify arbitrary Device IDs. The final vulnerability that has been categorized, rated “medium” with a score of 6.5, found a different web server Device ID vulnerability of a similar nature.

Exploitation of the hard-coded password or the other more serious vulnerabilities could allow for remote spying on anyone using a MiCODUS MV720 vehicle GPS tracker, but it could also have much more dangerous consequences. Cutting off the fuel at the right time could cause an accident, and emergency response vehicles could potentially be disabled as well.

Removal of vehicle GPS trackers that allow remote disabling is usually not a simple matter, however, as they are usually installed by a mechanic and given access to the fuel line. Users of the MV720 will likely need professional assistance in removing the device from their vehicles. Users should not wait and rely on MiCODUS to issue a patch, as the full range of flaws may not be fixable in this way and the company has thus far not shown any indication that it plans to address the issue. MiCODUS is based in Shenzhen and thus largely beyond the legal reach of anyone outside of China.

Roger Grimes, data-driven defense evangelist at KnowBe4, is not expecting a patch (or at least not one that does not require physical access to the unit): “This example highlights many of the risks with current and future IoT devices. IoT devices are full of vulnerabilities and this will not change going into the future no matter how many of these stories come out … Let’s hope Brink’s trucks are using a different tracker. Another problem is that IoT devices are particularly hard to patch. They should all be auto-patching, but most aren’t. Most require end-user interaction, and many times a physical connection. If you think it’s hard to patch regular software, it’s ten times as hard to patch IoT devices. I’m purely guessing here, but I’d speculate that 90% of vulnerable GPS tracking devices will remain vulnerable and exploitable if and when the vendor actually decides to fix them. Hackers love those odds.”

The hard-coded password is reportedly included in the code of the Android app, so anyone with even a passing knowledge of programming for that device can dig it up. In addition to the inclusion of this hard-coded password, devices appear to have a standard default password of “123456” until changed by the user.

Though the warning comes from the US, MiCODUS vehicle GPS trackers are most commonly used in other countries. Mexico, Russia, and Uzbekistan reportedly have the most individual users of the devices. Russia, Morocco, and Chile have the highest total device count, indicating that they are widely used in fleets in these countries; Indonesia and Ukraine also appear to have significant fleet use.