Automotive: flaws in this GPS could cause fatal accidents

A GPS module, used by many companies, organizations and government agencies to track their vehicles, contains critical flaws that could cause accidents. Hackers could not only track cars, but also disable them as they move.

Faults in a small GPS module could have very serious consequences. cybersecurity researchers by BitSight discovered six flaws in the MV720 manufactured by the Chinese Micodus. This little gps trackersold all over the world for around twenty dollars, is installed in cars to follow in real time the position and the speed of the vehicle and cuts off the gasoline in case of theft.

The MV720 is ordered via an online dashboard, or simply by SMS. Approximately 1.5 million modules are installed in 169 countries, and are used by government, military and police agencies, and in various industries such as aerospace, manufacturing, transportation and many others.

A hard-coded master password

Among the six faults discovered, two have a severity considered critical with a score of 9.8 out of 10. The first, CVE-2022-2141, allows certain commands to be sent to the module without any password. The second, CVE-2022-2107, allows you to connect to the online server using a password hard-coded master in the device. In addition to having access to real-time location and history, hackers could use the module to disable car alarms and even disable the vehicle in the middle of the highway by turning off the gas.

Because this module is used by industry, hackers could disable entire fleets of cargo vehicles, and military use could have national security implications in many countries. In its report, BitSight advises disabling or removing the module as much as possible, pending a possible fix. Micodus has so far not reacted to the report.