Thank You, Web Of Autos
BitSight has reported six vulnerabilities in the Micodus MV720 GPS, that company's $20 GPS tracker for vehicles, and they suspect that its other models share the same problems. Of course, it's more than just a GPS device, as nothing seems to be sold today that doesn't have a lot of extra features. With the Micodus this includes a SIM card so you can communicate with it via smartphone, and it has anti-theft fuel cut-off and vehicle shut-off capabilities.
Part of the problem comes from two hard-coded passwords used on Micodus servers, which allow anyone with that password to remotely communicate with and monitor the GPS while masquerading as the legitimate owner. Of course, that's not necessary thanks to broken authentication on the server, which allows anyone to communicate with the GPS using SMS without bothering to authenticate themselves at all. These are the two most serious security flubs; there are four more that are slightly less terrifying.
The obvious problem is that anyone is able to track your vehicle's movements at any time, as well as the vehicle's owner to a certain extent. The extra features on the Micodus MV720 GPS and other models present some less obvious problems. It's possible to hook up the GPS tracker so that it can remotely disable a vehicle or cut off the fuel supply, and because of these flaws a remote attacker is fully able to exploit these features for their own purposes. Since many of the GPS devices with these features are installed in vehicles, including delivery vehicles, it's possible a motivated attacker could disable an entire fleet of vehicles.
BitSight first contacted Micodus in September and, having heard nothing back nor seen any evidence of patches, they decided to go public today. Ars Technica also tried reaching out, and received the same lack of response.