Millions of vehicles worldwide could be susceptible to remote tracking and sabotage due to security flaws in a popular GPS module sold on Amazon and other online marketplaces. On Tuesday, cybersecurity firm BitSight it found six “severe” vulnerabilities in the MV720, a hardwired GPS tracker produced by Chinese electronics manufacturer Micodus. According to BitSight, the vulnerabilities are “not difficult to exploit” and may not be limited to one device.
Micodus did not respond to communication attempts by BitSight and the US Cybersecurity and Infrastructure Security Agency (CISA), meaning the company has made no effort to fix the vulnerabilities, and there are no known workarounds. Two of the six flaws are “critical” in nature. The most pressing involves a hardcoded password that a bad actor could use to send SMS commands to the MV720. Someone could use that capability to track the real-time location of a vehicle and remotely cut off its fuel supply.
The number of MV720 trackers out in the wild is hard to say. According to BitSight, approximately 1.5 million Micodus devices are in use across 169 countries. Notably, the firm found Ukraine had the most Micodus trackers of any European country. It also found evidence of use among at least five Fortune 50 companies, a US state government and a military in South America. A BitSight spokesperson there are likely “thousands” of Micodus devices in use across the United States. CISA says affected vehicle owners should remove the tracker from their cars as soon as possible.