Researchers: Chinese-made GPS tracker highly vulnerable

Jul 18, 2022, 8:17 PM | Updated: Jul 19, 2022, 5:48 pm

FILE - The U.S. Homeland Security Department headquarters in northwest Washington is pictured on Feb. 25, 2015. A popular Chinese-made automotive GPS tracker used by individuals, government agencies and companies in 169 countries has severe software vulnerabilities, posing a potential danger to life and limb, national security and supply chains, cybersecurity researchers said in a report released Tuesday, July 19, 2022, to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing six vulnerabilities. (AP Photo/Manuel Balce Ceneta, File)

BOSTON (AP) — A popular Chinese-made automotive GPS tracker used in 169 countries has severe software vulnerabilities, posing a potential danger to users’ safety, national security and supply chains, cybersecurity researchers have found.

A report by the Boston cybersecurity firm BitSight says the flaws could let attackers remotely hijack device-equipped vehicles, cutting off fuel to them and otherwise seizing control while they travel.

The researchers say users should immediately disable the MV720 GPS tracker until a fix becomes available. The report was released Tuesday to coincide with an advisory from the U.S. Cybersecurity and Infrastructure Security Agency listing five vulnerabilities.

BitSight said it tried unsuccessfully for months — beginning in September, with CISA joining it in late April — to engage the manufacturer, Shenzhen-based MiCODUS, in discussion addressing the vulnerabilities. The Associated Press telephoned and emailed the company but got no response. A person who answered a phone number listed on its website was unable to respond in English.

CISA said in a statement that it was not aware of “any active exploitation” of the vulnerabilities.

GPS trackers are used globally to monitor vehicle fleets, from trucks to school buses to military vehicles, and protect them against theft. In addition to collecting data on vehicle location, they typically also monitor other metrics, such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors and more.

Using the MV720, which BitSight says costs less than $25 per unit, a malicious user could remotely cut off the fuel line of a vehicle in motion, know a vehicle’s real-time location for espionage purposes or intercept and taint location or other data to sabotage operations, said the principal BitSight researcher on the project, Pedro Umbelino.

He said multiple malicious scenarios are possible: First responders’ vehicles could be crippled, or a hacker could shut off an engine and demand a cryptocurrency ransom of victims to avoid calling a mechanic.

The main vulnerabilities: The device comes with a default password that more than 90% of users don’t change, and there is a second, obscure but hard-coded password that works for all devices, BitSight found. It also found security flaws in the software of the web server used to remotely manage the GPS devices.

The manufacturer, MiCODUS, claims an installed base of 1.5 million devices across 420,000 customers, said BitSight. Its research found they included a Fortune 50 energy company and an aerospace company, a national military in South America and in eastern Europe, a nuclear power plant operator and a national law enforcement agency in western Europe. It did not name any of them. Countries with the most users included, by continent: Brazil, Mexico, Spain and Russia.

Richard Clarke, the former U.S. cybersecurity czar, called the insecure GPS device yet another example of a smart Chinese-made product “that is phoning home and could be used maliciously by the Chinese government.”

While Clarke said he doubted the tracker was designed for that purpose, the danger is real because Chinese companies are obliged by law to follow their government’s orders — which is why Washington has been seeking to minimize Chinese components in U.S. telecoms networks and why some in Congress are pushing for a ban on U.S. government purchases of Chinese drones.

“You just wonder, how often are we going to find these things that are infrastructure — where there’s a potential for Chinese abuse — and the users don’t know?” said Clarke.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
