Critical security vulnerabilities have been discovered in a globally-used GPS tracker, equipping hackers to track and remotely cut the engines of at least 1 million vehicles around the world.

The GPS tracker in question, Micodus MV720, has been shipped in over 1.5 million devices across 169 countries, and is used by a range of critical infrastructure suppliers, including Fortune 50 energy, oil and gas companies; a South American national military; and a nuclear power plant operator.

BitSight, the cyber security startup that discovered the vulnerabilities, claims there are six total security exposures which allow cyber criminals to "track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more."

BitSight further issued a notice to the public in an Executive Summary, warning users to immediately cease using any Micodus MV720 GPS trackers until the issue has been fixed by the manufacturer.

In similar vehicular security incidents, such as Tesla's notorious remote hacking exposure, fixes were prioritised and applied as a matter of urgency.

However, Shenzhen, China-based manufacturer Micodus shows no signs of patching its critical vulnerabilities any time soon.

In spite of the major individual and national safety implications surrounding this discovery, Micodus has remained staunchly silent thus far, leaving countless MV720 users in the dark.

A closer look

The product description for the MV720 details a range of features, including real-time location tracking, historical route playback which stores travel data for 180 days, and a remote-control feature that enables disconnection of a vehicle's oil circuit.

These features are accessible via SMS commands and a mobile phone app, which hackers can now use to execute malicious commands via the average smartphone.

Of the six Common Vulnerabilities and Exposures (CVEs) identified, two have been allocated a CVE score of 9.8, making them critical.

These critical CVEs entail severe credential and authentication flaws that enable fraudulent SMS commands to be sent to the GPS tracker, which can then execute the aforementioned remote-control features.

Pedro Umbelino, principal security researcher at BitSight, revealed in a report, "The vulnerabilities we discovered affecting the Micodus MV720 would allow for many possible attack scenarios."

One of these scenarios is an 'Authentication Bypass Attack' which involves a way to directly send SMS commands to the GPS tracker under the guise of the intended administrator, and "would give an attacker complete control of the device".

Furthermore, a range of potentially dangerous SMS commands work without requiring any password whatsoever, indicating a series of major security oversights in Micodus' system architecture.

While security professionals have routinely voiced concerns regarding the safety of Internet of Things (IoT) devices, the seemingly lackadaisical security behind this Micodus has led to healthy questioning of its other GPS models as well.

In the Bitsight report, Umbelino went on to stipulate a range of potential risks associated with the devices' vulnerabilities, including "national security breaches", "supply chain disruption", "surveillance and tracking (personal, business, political)”, and even "injury or loss of life".

Given the cascading number of critical infrastructure cyberattacks as of late, governments and security vendors across the globe are investing heavily in cyber security and the protection of infrastructure assets.

Vulnerabilities such as these garner more scrutiny and attention than ever before, as they have the capability to massively disrupt public safety, national security, and the ongoing operations of critical services.

"Repeated attempts" to share information regarding this discovery have been made by BitSight and the US Department of Homeland's Cybersecurity and Infrastructure Security Agency, but were reportedly disregarded by Micodus