Chinese-Made Vehicle GPS Tracker Has ‘Severe Vulnerabilities’: Report

Chinese-Made Vehicle GPS Tracker Has ‘Severe Vulnerabilities’: Report
Vehicles are driven along the I-95 in Miami, Fla., on June 30, 2022. Joe Raedle/Getty Images
Updated:
0:00

A popular Chinese-made automotive GPS tracker used in 169 countries has “severe vulnerabilities,” posing a potential danger to highway safety, national security, and supply chains, according to new research by a Boston-based cybersecurity firm.

BitSight said in a press release it discovered six “severe” flaws in the MV720 GPS tracker, a hardwired device manufactured by Chinese company MiCODUS.
If exploited in an attack, the flaws could allow “threat actors” to seize control of device-equipped vehicles remotely, cutting off fuel while a vehicle is in motion, or surveilling its movements, according to the BitSight report published on July 19. BitSight researchers noted that 1.5 million such GPS tracking devices are currently in use by companies and individuals.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued warnings about the devices’ flaws on Tuesday. The agency said it wasn’t aware that “public exploits specifically target these vulnerabilities.”

U.S. cybersecurity expert Richard Clarke expressed concern about the Chinese regime.

“If China can remotely control vehicles in the United States, we have a problem,” Clarke said in the press release.

BitSight said the efforts to engage with the Shenzhen-based manufacturer MiCODUS to discuss the GPS tracker’s vulnerabilities—beginning in September last year, with CISA joining it in late April—all failed.

The Epoch Times reached out to MiCODUS for comment on the BitSight report. A sales manager responded in an email, stating that the MV720 is “a common vehicle GPS tracker” and the company “never used this product to do any illegal actions.”

‘Not Difficult to Exploit’

GPS trackers are used globally to monitor vehicle fleets–from trucks to school buses to military vehicles—and protect them against theft. In addition to collecting data on vehicle location, they typically monitor other metrics such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors, and more.

But the vulnerabilities in the affected device could also allow hackers to gain control of the vehicle. For example, a bad actor could “track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, [and] abruptly stop civilian vehicles on dangerous highways,” according to the BitSight report.

An engineering student takes part in a hacking challenge near Paris on March 16, 2013. (Thomas Samson/AFP via Getty Images)
An engineering student takes part in a hacking challenge near Paris on March 16, 2013. Thomas Samson/AFP via Getty Images

“Unfortunately, these vulnerabilities are not difficult to exploit,” said Pedro Umbelino, the principal BitSight researcher on the project. He said multiple malicious scenarios are possible. For example, a victim’s vehicle could be crippled, or a hacker could shut off an engine and demand a cryptocurrency ransom from victims to avoid calling a mechanic.

The researchers listed key users of the GPS trackers, including a Fortune 50 energy company, a national military in South America, a government in Western Europe, and a national military in Eastern Europe. The report didn’t provide entity names.

BitSight researchers urged users to immediately disable the MV720 GPS tracker, which is available on major online retailers and costs less than $25 per unit, until “a fix is made available by the company.”

Clarke called the GPS device yet another example of a smart Chinese-made product “that is phoning home and could be used maliciously by the Chinese government.”

While Clarke said he doubted the tracker was designed for that purpose, the danger is real because Chinese companies are obliged by law to follow the Chinese Communist Party’s orders—which is why Washington has been seeking to minimize Chinese components in U.S. telecoms networks, and why some U.S. lawmakers are pushing for a ban on U.S. government purchases of Chinese drones.

“You just wonder, how often are we going to find these things that are infrastructure—where there’s a potential for Chinese abuse—and the users don’t know?” Clarke told The Associated Press.

Luo Ya and The Associated Press contributed to this report.