This GPS tracker is physically connected to the vehicle. In addition to GPS tracking, the MV720 offers anti-theft, fuel cut off, remote control, and geofencing capabilities.
While the MV720's capabilities are impressive, such a high adoption rate leaves it vulnerable to cyber attacks. In early 2022, BitSight discovered six severe vulnerabilities in the MiCODUS MV720 GPS tracker.
Among the most popular attacks are the Man-in-the-Middle Attack and the Authentication Bypass Attack, both of which can grant a bad actor complete control over the GPS tracker. Further, a Persistent Invisible Monitoring Attack can give the bad actor complete control over the device, along with the capability to intercept monitoring information and replace it with incorrect location details.
Man-in-the-Middle Attack:
- Intercepting a request made by a user to the server, gaining complete control over the device.
Authentication Bypass Attack:
- Bypassing the MV720 authentication mechanism using the device’s hardcoded password again gives the bad actor complete control over the device.
Persistent Invisible Monitoring Attack:
- Reprogramming the GPS tracker to send monitoring information to a bad actor’s server, allowing complete control, as well as the ability to report incorrect location details.
Having complete control enables bad actors to access location information (including routes and geofences) and track locations in real time; cut off fuel to vehicles; and disarm alarms and other features.
This exposes users to potential risks such as injury, death, national security breaches, property damage, supply chain disruption, and individual or fleet-wide ransomware.
Given the impact and severity of the vulnerabilities, BitSight recommends that users immediately stop using or disable any MiCODUS MV720 GPS tracker until a fix is available.