Researchers have found several zero-day bugs in the MiCODUS GPS tracker that threaten vehicle security. US CISA has confirmed that no patches are available for now and is urging users to remain cautious.
GPS Tracker Zero-Day Bugs
According to a recent advisory from US CISA, the zero-day vulnerabilities in the MiCODUS GPS tracker endanger vehicle security. As explained, exploiting the flaws allows an attacker to take control of the target GPS tracker. In turn, this lets the attacker access location data, routes and fuel cutoff commands, and tamper with functions such as alarms.
Specifically, these vulnerabilities caught the attention of security researchers at BitSight, who have shared the details of their study in a report.
As explained, the team observed at least six different zero-day bugs in the MiCODUS MV720 GPS tracker, a commonly used hard-wired tracker for vehicle security. It offers numerous features to users, such as GPS tracking, geofencing, remote control, and fuel cutoff. Given the critical nature of these functions, any cyberattack involving this tracker directly compromises the target vehicle's security.
Regarding the vulnerabilities, the researchers found the following six bugs.
- CVE-2022-2107 (CVSS 9.8): a critical-severity vulnerability that existed due to a hard-coded master password. An attacker could exploit the flaw to communicate directly with the tracker via SMS on behalf of the tracker owner.
- CVE-2022-2141 (CVSS 9.8): an adversary could execute SMS-based commands on the GPS tracker due to improper authentication.
- CVE-2022-2199 (CVSS 7.5): a high-severity reflected XSS vulnerability existed in the tracker's web server that an adversary could exploit by tricking the target user into making a request. Exploiting this bug could give the attacker full control of the tracker.
- CVE-2022-34150 (CVSS 7.1): a high-severity IDOR existed on the web server endpoint and parameter Device IDs, accepting arbitrary unauthenticated Device IDs.
- CVE-2022-33944 (CVSS 6.5): a medium-severity IDOR on the web server affecting the endpoint and POST parameter Device ID, accepting arbitrary Device IDs.
What Next?
For now, no official patches exist for the bugs. BitSight researchers confirmed that they notified the vendors. But after receiving no response, they contacted CISA to expedite the matter. Nevertheless, the vendors reportedly did not respond to CISA either, compelling a public disclosure.
Thus, in the absence of official patches, CISA urges users to remain cautious, minimize network exposure, protect control system networks and devices behind firewalls, and use VPNs when establishing a remote connection. Moreover, it also warns users to stay wary of social engineering attacks.