The Cybersecurity & Infrastructure Security Agency (CISA) released an Industrial Control Systems Advisory (ICSA) listing six unpatched vulnerabilities that can allow threat actors to remotely control vehicles outfitted with MiCODUS MV720 GPS tracker systems.
The CISA Advisory (ICSA-22-200-01) warns that successful exploitation of the vulnerabilities can allow threat actors to remotely take over any MV720 GPS tracker, which can grant unauthorized access and control over vehicle locations, fuel and oil supply, or vehicle control.
According to the MiCODUS website, the MV720 GPS tracker is a hardwired locator that provides real-time location tracking and anti-theft capabilities, including oil and fuel cutoff, remote control and geofencing. These features are extremely useful, but also extremely dangerous in the wrong hands.
“The exploitation of these vulnerabilities could have disastrous and even life-threatening implications,” BitSight states in their MiCODUS MV720 report. “For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways.”
While the MV720 network is not available in the United States, there are reportedly more than 1.5 million trackers currently in use across approximately 420,000 customers in industries including government, military, law enforcement and Fortune 1000 companies.
What can companies impacted by the MiCODUS MV720 GPS tracker vulnerabilities do?
The CISA Advisory outlines recommendations including:
- Minimizing network exposure for all control system devices and/or systems, and ensuring they are not accessible from the Internet.
- Locating control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, using secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as its connected devices.
As of this article, MiCODUS has not made any public comments on the vulnerabilities or CISA advisory.
Related Links
- BitSight – Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720)
- CISA ICS Advisory (ICSA-22-200-01) – MiCODUS MV720 GPS Tracker
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.