Six vulnerabilities in a popular GPS tracking device could allow malicious hackers to secretly track, disrupt or even remotely shut off vehicles, federal cybersecurity officials warned Tuesday.
“Successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands and the disarming of various features (e.g., alarms),” according to the Cybersecurity and Infrastructure Security Agency.
The Chinese-made tracker in question is known as the MiCODUS MV720 GPS tracker. It’s used across the globe by consumers and businesses alike seeking theft protection and location management, according to the cybersecurity company BitSight, which discovered the problem earlier this year and notified CISA. BitSight and CISA collaborated on the vulnerability alert.
Government, military and law enforcement agencies as well as corporations spanning a variety of industries such as aerospace, energy, engineering, manufacturing and shipping rely on the MiCODUS tracker, BitSight said in a press release.
Security and privacy experts have long complained about GPS trackers putting people at risk due to built-in vulnerabilities. Additionally, devices such as the Apple AirTag have been used to track people without their consent. A Connecticut man was arrested and charged with stalking in February after police found an AirTag in his ex-girlfriend’s car. Law enforcement in multiple states have issued warnings alerting the public to how criminals can deploy AirTags.
Experts say the vulnerabilities in easily available GPS trackers are not that surprising because many inexpensive, internet-connected devices are built on insecure code and outdated software.
Ron Brash, a GPS hacking expert and a CTO with the software security company aDolus Technology, said many manufacturers sell devices such as GPS trackers without updating security settings or patching existing vulnerabilities.
Most consumers prioritize price over quality, he said, a reality that has led to a vast number of vulnerable and insecure devices such as MiCODUS being in use today.
“Most internet of trash devices are insecure on their own; it’s just how you use it and in what context where the where the dangers start to arise,” said Brash. “This is just the tip of the iceberg … There’s so many dead bodies or skeletons in most embedded products.”
There are 1.5 million MiCODUS 720 devices now in use across 169 countries, according to BitSight. Organizations using the trackers include a Fortune 50 energy, oil and gas company; a national military in South America; a Fortune 50 technology company; a nuclear power plant operator; and state officials in the U.S., according to BitSight.
The insecurity of GPS trackers carries serious national security implications, too, given that some cars in the U.S. are outfitted with tracking devices that Chinese military officials could conceivably shut down.
“If China can remotely control vehicles in the United States, we have a problem,” Richard Clarke, a former presidential adviser on cybersecurity, said in a prepared statement included in the BitSight press release. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind.”