CISA Warns About Vulnerabilities in a Commonly Used GPS Tracker

On July 19, the Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities in the commonly used MiCODUS MV720 Global Positioning System (GPS) Tracker. It warned that successful exploitation of the vulnerabilities could allow a remote actor to exploit access and gain control of the GPS tracker, which could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

The vulnerabilities were reported by the cybersecurity firm BitSight Technologies. It noted that “MiCODUS is a Shenzhen, China-based manufacturer and supplier of automotive electronics and accessories which has 1.5 million GPS tracking devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.”

The CISA Advisory reports that MiCODUS had not provided updates or patches to mitigate these vulnerabilities as of July 18th, 2022. BitSight recommends that users immediately cease using or disable any affected trackers until a fix is made available because there is no known workaround.

CISA suggests the following defensive measures to minimize the risk of exploitation of these vulnerabilities:

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA also recommends the following measures to protect against social engineering attacks:

• Do not click web links or open unsolicited attachments in email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

In addition to the warning about the vulnerabilities in this GPS tracker, the Advisory should serve as a reminder that a comprehensive cybersecurity program should go beyond endpoints, servers, networks, and cloud services. They should include inventories, risk assessments, security and privacy assessments, and appropriate safeguards for all technology that may impact the business or organization, including industrial control systems and Internet of Things devices. It should also serve as a reminder of the importance of keeping up with relevant threat intelligence like the Advisory.

If you have questions about the content of this alert, please contact David Ries (dries@clarkhill.com; 412.394.7787), Melissa Ventrone (mventrone@clarkhill.com; 312.360.2506), or another member of Clark Hill’s Cybersecurity, Data Protection, and Privacy Group.