Tracking devices seem like a great way to manage fleet operations or even save money on auto insurance. After all, they’re commonly used to track the location of our cell phones, family, friends, and our personal vehicles. However, choosing the safest technology is critical to avoid costly cyber attacks.
Among the most popular tracking devices for fleet management and theft protection is the MiCODUS MV720 GPS. The MiCODUS server has more than 2.3 million connections in 169 countries, according to BitSight, a cybersecurity ratings company that Unison Risk Advisors has partnered with to provide our customers with insight and management tools for cyber risks. The United States ranks #2 out of all the countries in North America for having the most MiCODUS users.
Government agencies, military, and law enforcement, as well as businesses in sectors such as aerospace, energy, engineering, manufacturing, and shipping, use the MV720. This includes Fortune 50 companies and government agencies around the world.
This GPS tracker is physically connected to the vehicle. In addition to GPS tracking, the MV720 offers anti-theft, fuel cut off, remote control, and geofencing capabilities.
While impressive in its capabilities, having such a high adoption rate leaves the MV720 vulnerable to cyber attacks. In early 2022, BitSight discovered six severe vulnerabilities in the MiCODUS MV720 GPS tracker.
Among the most popular are the Man-in-the-Middle Attack and the Authentication Bypass Attack, both of which can grant a bad actor complete control over the GPS tracker. Further, a Persistent Invisible Monitoring Attack can give the bad actor complete control over the device, along with the ability to intercept monitoring information and replace it with incorrect location details.
Man-in-the-Middle Attack:
- Intercepting a request made by a user to the server, gaining complete control over the device.
Authentication Bypass Attack:
- Bypassing the MV720 authentication mechanism using the device’s hardcoded password, which again gives the bad actor complete control over the device.
Persistent Invisible Monitoring Attack:
- Reprogramming the GPS tracker to send monitoring information to a bad actor’s server, allowing complete control, as well as the ability to report incorrect location details.
Having complete control enables bad actors to access location information (including routes, geofences) and track locations in real-time; cut off fuel to vehicles; and disarm alarms and other features.
This exposes users to potential risks such as injury, death, national security breaches, property damage, supply chain disruption, and individual or fleet-wide ransomware.
Given the impact and severity of the vulnerabilities, BitSight recommends that users immediately stop using or disable any MiCODUS MV720 GPS tracker until a fix is available.
If you have any questions about cyber insurance or whether your fleet may be affected, please visit our Cyber Risk page or contact us to further discuss.