BitSight has discovered six severe vulnerabilities in the MiCODUS MV720 GPS tracker, a popular device designed for vehicle fleet management and theft protection. The flaws could allow attackers to disrupt and track vehicles, security researchers have warned.
The vulnerabilities are tracked as CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944.
The MV720 is a hardwired GPS tracker, which allows for external, physical control of the device, the researchers said, adding that exploitation of the vulnerabilities could have disastrous and even life-threatening implications.
There are many possible scenarios which could result in loss of life, property damage, privacy intrusions and threaten national security – Researcher’s statement
According to MiCODUS, 1.5 million of its GPS tracking devices are in use today. MiCODUS devices are used in 169 countries by organizations including government agencies, military and law enforcement, as well as businesses in industries such as aerospace, energy, engineering, manufacturing and shipping.
Organizations and individuals using MV720 devices in their vehicles are at risk. Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.
Disabling the unit is recommended until a fix is available, and a fix will take a long time to be produced. Isolating critical onboard vehicle systems with proper security controls would help prevent a catastrophic impact.