Car owners in 169 countries should immediately check their GPS tracking devices for the risk of remote hijacking.
Researchers at Boston-based cybersecurity firm BitSight have warned that the MV720 GPS tracker model has a defect that would let attackers abruptly cut off fuel to moving cars, learn their real-time location, and spy on them. Attackers can also intercept and manipulate location or other data to sabotage operations via the device.
The risks are severe enough that the article urged car owners to immediately disable their MV720 until the manufacturer fixes the vulnerability.
The MV720 may be exploited to disable vehicles used by first responders. A hacker could turn off an engine and demand cryptocurrency from victims.
BitSight said more than 90% of users don’t change the device’s default password, while a second password can be hard-coded into all devices. The web server software used to remotely manage the GPS devices also contained security flaws.
The device is produced by MiCODUS, which is based in Shenzhen, China’s technology hub.
According to BitSight, large energy, aerospace, and technology companies, an unnamed national government in Western Europe, and a country’s military in Eastern Europe are using the trackers. The device is also inexpensive, typically priced under 25 dollars.
BitSight tried to communicate with MiCODUS about the device as early as last September. The U.S. federal Cybersecurity and Infrastructure Security Agency (CISA) also joined the effort this April, but nothing was achieved.
CISA said it had not detected any active exploitation at present.
However, Richard Clarke, the former U.S. cybersecurity czar, told the Associated Press that the stakes remain high as Chinese companies are subject to orders from the Chinese government.
Clarke said, “You just wonder, how often are we going to find these things that are infrastructure — where there’s a potential for Chinese abuse — and the users don’t know?”