Skip to content

CISA Warns About Vulnerabilities in a Commonly Used GPS Tracker

August 1, 2022

On July 19, the Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities in the commonly used MiCODUS MV720 Global Positioning System (GPS) Tracker. It warned that successful exploitation of the vulnerabilities could allow a remote actor to exploit access and gain control of the GPS tracker, which could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

The vulnerabilities were reported by the cybersecurity firm BitSight Technologies. It noted that “MiCODUS is a Shenzhen, China-based manufacturer and supplier of automotive electronics and accessories which has 1.5 million GPS tracking devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.”

The CISA Advisory reports that MiCODUS had not provided updates or patches to mitigate these vulnerabilities as of July 18th, 2022. BitSight recommends that users immediately cease using or disable any affected trackers until a fix is made available because there is no known workaround.

CISA suggests the following defensive measures to minimize the risk of exploitation of these vulnerabilities:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA also recommends the following measures to protect against social engineering attacks:

In addition to the warning about the vulnerabilities in this GPS tracker, the Advisory should serve as a reminder that a comprehensive cybersecurity program should go beyond endpoints, servers, networks, and cloud services. They should include inventories, risk assessments, security and privacy assessments, and appropriate safeguards for all technology that may impact the business or organization, including industrial control systems and Internet of Things devices. It should also serve as a reminder of the importance of keeping up with relevant threat intelligence like the Advisory.

If you have questions about the content of this alert, please contact David Ries (dries@clarkhill.com; 412.394.7787), Melissa Ventrone (mventrone@clarkhill.com; 312.360.2506), or another member of Clark Hill’s Cybersecurity, Data Protection, and Privacy Group.

Subscribe for the latest

Subscribe

Related

Event

Webinar: Special Education Bootcamp - Compliance Foundations Under IDEA

Whether you are new to special education leadership or looking to reinforce your foundational knowledge, this interactive webinar will provide a comprehensive overview of the core compliance requirements under the Individuals with Disabilities Education Act (IDEA). Designed for school leaders who are responsible for ensuring legally sound practices, this session will offer practical tools and strategies to help participants navigate common procedural and substantive pitfalls, support sound decision-making, and build a compliant and student-centered special education program.

Explore more
Event

Telehealth Week Webinar 2025: Navigating Legal Changes and Future Trends for Healthcare Providers

Join Paul Schmeltzer, Carrie Foote, and John Howard for our one-hour annual Telehealth Week webinar, focused on the evolving legal landscape of telehealth. This session will cover key topics, including the upcoming DEA final rule on prescribing controlled substances via telehealth, federal reimbursement concerns for telehealth, and what healthcare providers need to prepare for other upcoming changes.

Explore more
Event

Webinar: The Transatlantic Tightrope: AI, ESG and the Evolving Duty of Care for Multinational Companies

Join Mariah Leffingwell and Sam Saarsteiner for a conversation, moderated by co-chair of Clark Hill’s ESG & Sustainability advisory practice, Maram Salaheldin,  that bridges the Atlantic—and the gap between innovation and accountability—as they explore how today’s duty of care must adapt to tomorrow’s technologies.

Explore more