Cyber-security researchers have discovered six severe vulnerabilities in a popular Chinese-built vehicle GPS tracker, potentially allowing hackers to track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more.
Cyber-security company BitSight said the critical bugs are found in the ‘MiCODUS’ GPS tracker, and that there are believed to be 1.5 million MiCODUS devices in use today, across 169 countries, by individual consumers, government agencies, militaries, law enforcement and corporations.
“Organisations identified using MiCODUS GPS trackers include a Fortune 50 energy, oil and gas company, a national military in South America, a Fortune 50 technology company, a nuclear power plant operator, and a state on the East Coast of the US,” the researchers said in their report late on Tuesday.
The affected GPS tracking device is manufactured by Shenzhen, China-based company MiCODUS.
Consumers, militaries, law enforcement agencies, and corporations install MiCODUS GPS trackers in vehicles to monitor real-time locations, speeds and historical routes, and to remotely cut off fuel in the event of theft.
Users access a dashboard, or use SMS text messaging, to send commands directly to deployed devices.
Each MV720 is sold for approximately $20 on Amazon, AliExpress, eBay, Alibaba, and other major online retailers, making it available to anyone.
“If China can remotely control vehicles in the US, we have a problem,” said Richard Clarke, national security expert and former presidential advisor on cybersecurity.
“With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind,” he added.
Civilians, politicians, business leaders, and others could be tracked without their knowledge or consent, threatening personal safety and confidentiality. Unlawful tracking is a growing privacy concern.
Bad actors could learn the travel routes of unsuspecting home or business owners and use them to plan burglaries or other criminal activities, the researchers warned.
“An attacker could cut fuel to a civilian’s vehicle and deploy ransomware, demanding a ransom to return the vehicle to working condition,” they added.