Automotive: flaws in this GPS could cause fatal accidents


A GPS module, used by many companies, organizations and government agencies to track their vehicles, contains critical flaws that could cause accidents. Hackers could not only track cars, but also disable them as they move.


Flaws in a small GPS module could have very serious consequences. Cybersecurity researchers at BitSight discovered six flaws in the MV720, manufactured by the Chinese company Micodus. This small GPS tracker, sold all over the world for around twenty dollars, is installed in cars to follow the position and speed of the vehicle in real time, and cuts off the fuel supply in case of theft.

The MV720 is controlled via an online dashboard, or simply by SMS. Approximately 1.5 million modules are installed in 169 countries and are used by government, military and police agencies, and in various industries such as aerospace, manufacturing, transportation and many others.

A hard-coded master password

Among the six flaws discovered, two are rated critical, with a severity score of 9.8 out of 10. The first, CVE-2022-2141, allows certain commands to be sent to the module without any password. The second, CVE-2022-2107, allows an attacker to connect to the online server using a master password hard-coded in the device. In addition to having access to real-time location and history, hackers could use the module to disable car alarms and even disable the vehicle in the middle of the highway by cutting off the fuel.

Because this module is used by industry, hackers could disable entire fleets of cargo vehicles, and military use could have national security implications in many countries. In its report, BitSight advises disabling or removing the module wherever possible, pending a possible fix. Micodus has so far not reacted to the report.
