A U.S. cybersecurity company says a Chinese-made GPS (Global Positioning System) vehicle tracker used in 169 countries has serious software security flaws that pose a potential threat to road safety, national security and supply chains. The U.S. government's cybersecurity agency issued an announcement at the same time, warning about the security problems of this GPS device. The Shenzhen-based company that makes the device expressed surprise that its product was being singled out, saying it was just a commercial company and "not involved in any political issues."
Boston cybersecurity firm BitSight reported Tuesday (July 19) that the flaws could allow attackers to remotely hijack vehicles equipped with the devices, cut off the vehicle’s fuel supply or control the vehicle in motion.
The researchers say that until a fix is available, users should immediately remove GPS trackers of the model MV720. At the same time as the private company's report was released, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also issued an announcement listing five security vulnerabilities in the device.
BitSight said it had tried to contact the maker of the device, Shenzhen MiCODUS, since September last year to discuss how to address the vulnerabilities, but got no response for months. CISA became involved in April.
Leo, the head of MiCODUS, told VOA via Skype on Wednesday (July 20) that last year people claiming to be from BitSight had emailed the company about security vulnerabilities, but he could not confirm the sender's identity, and since no one else in the industry had encountered a similar situation, he assumed it was spam and did not pay attention.
He said: "If there is a loophole, we will check and fill in the gaps, and we will improve the problem."
CISA said in a statement that it was not yet aware of any known exploitation of these vulnerabilities.
GPS trackers are widely used around the world to locate and track a variety of vehicles, including trucks, school buses and military vehicles, and to deter vehicle theft. In addition to collecting vehicle location data, these trackers often monitor other parameters such as driver behavior and fuel usage. Once installed, many devices can also remotely cut off the vehicle's fuel supply, sound alarms, lock and unlock the doors, and so on.
Pedro Umbelino, lead author of the BitSight report, said that with the MV720 tracker installed in a vehicle, a malicious user could remotely cut off the fuel supply of the vehicle while it is in motion, track the vehicle's real-time location for surveillance, or deliberately disrupt the vehicle's operation by intercepting and modifying location or other data. BitSight says the GPS tracker sells for less than $25.
Umbelino said there are multiple possible malicious scenarios: first responders' vehicles could be immobilized, or hackers could shut off engines and then demand a cryptocurrency ransom from victims who would otherwise have to pay someone to fix the car.
The main security risk BitSight found is that the device ships with a default password, and more than 90% of users never change it; in addition, there is a complex but hard-coded password that works on all devices. BitSight's report also found that the web server software used to remotely manage the GPS devices had security flaws of its own.
BitSight said the manufacturer, MiCODUS, claims 420,000 customers have installed 1.5 million of its GPS devices, and the organizations BitSight identified as using them include a Fortune 50 energy company, an aerospace company, state military agencies in South America and Eastern Europe, a nuclear power plant operator, and a state law enforcement agency in Western Europe. The report does not name these institutions. The countries with the most device users include Brazil, Mexico, Spain and Russia, the report said.
Leo of MiCODUS told VOA that he did not know where the data in the report came from. He insisted that the MV720 model had sold no more than 100,000 units, and that all of the company's products combined did not exceed 1 million units. "The most confusing thing is why they are eyeing this product of our company, whose sales are a pittance in the industry, or even talking about it," he said.
The Associated Press quoted Richard Clarke, a former special adviser to the U.S. president on cybersecurity, as saying the insecure GPS device was another example of a Chinese-made smart product that "transmits data and can be maliciously exploited by the Chinese government."
Leo, the head of MiCODUS, said the company was just a commercial business and "didn't get involved in any political issues, so far, no government person or agency forced us to do anything."
He said the company welcomes comments and feedback from any customer or from a cybersecurity company like BitSight on any security issue, but hopes that "it's all good faith, not bad faith."
Clarke does not believe the location-tracking device was designed for malicious purposes, but he considers the threat real because Chinese companies are legally obligated to comply with their government's orders. That is why Washington has been seeking to minimize the use of Chinese components in U.S. telecommunications networks, and why some members of Congress have insisted on banning the U.S. government from buying Chinese drones.
- VOA Report