Manufactured by MiCODUS, the GPS tracker's software has six flaws in total, the most severe of which allows attackers to obtain the master password, log in to the device's web server, and then control the GPS device remotely.
BitSight warns that once attackers gain access to the GPS tracker, they could view the vehicle's location in real time, browse the routes it has taken, and even leverage the tracker's control functions to “abruptly stop vehicles on dangerous roads.”
Furthermore, the attackers could remotely disable vehicles and then demand ransoms to unlock them, the researchers warn.
The security vendor worked with the U.S. cybersecurity agency CISA on further research analyzing all six vulnerabilities, and CISA has issued its own advisory warning that attackers could “disarm various [vehicle] features.”
More concerning, the manufacturer, MiCODUS, has not released security patches to address the vulnerabilities, even after the researchers informed it of the bugs and their serious implications.
BitSight estimates that over 1.5 million MiCODUS GPS trackers are currently being used by more than 420,000 customers in the United States alone.
In the absence of patches, CISA recommends that customers ensure the devices are not reachable from the Internet, isolate them from business networks, and use a VPN whenever remote access is required.
MiCODUS had not released a public advisory on the vulnerabilities at the time of writing.