Overview
The MiCODUS MV720 GPS tracker allows users to manage vehicles and other assets using cloud-based platforms such as web, iOS, and Android. This device uses a SIM card to transmit status and location updates and to receive remote SMS commands.
On July 19, 2022, Bitsight announced it had discovered six vulnerabilities in the MV720. These severe vulnerabilities could allow bad actors to exploit the device, resulting in:
- Injury or loss of life
- National security breaches
- Property damage
- Supply chain disruption
- Individual or fleet-wide ransomware
- Personal, business, or political surveillance and tracking
As of July 20, 2022, MiCODUS has not released a patch for these vulnerabilities. Given their major security risk, Bitsight recommends discontinuing use of the MiCODUS MV720 immediately.
Bitsight believes other MiCODUS devices may be vulnerable due to security flaws in the overall MiCODUS system architecture. Organizations using any MiCODUS GPS tracker, regardless of the model, may be at risk.
CISA has assigned CVEs to five of the six vulnerabilities:
- CVE-2022-2107
- CVE-2022-2141
- CVE-2022-2199
- CVE-2022-34150
- CVE-2022-33944
Resources
- Bitsight Blog: Bitsight Discovers Critical Vulnerabilities in Widely Used Vehicle GPS Tracker
- Bitsight Report: Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device
- CISA Advisory: ICS-CERT Advisory (ICSA-22-200-01)
What You Can Do
Disable Affected Devices
If you are directly exposed to this vulnerability, we recommend you stop using or disable all MiCODUS MV720 devices.
Collaborate with Potentially Vulnerable Third Parties
Using Internet traffic analysis, our Security Research team has compiled a list of potentially vulnerable organizations based on their use of specific ports and connections to MiCODUS infrastructure. This analysis identifies the use of these ports and connections on Internet-facing assets with a high degree of confidence; however, a positive result is not conclusive evidence of vulnerability or use of the MV720 device.
Bitsight’s analysis is available on a per-customer basis; it can be used to identify potentially vulnerable third parties in your portfolio. The analysis is available upon request as a .csv or .tsv file. To request access, contact Bitsight Support or your CSM.
Once you’ve identified your potentially vulnerable third parties, reach out to confirm whether or not they are actually vulnerable. If so, find out what actions they’re taking to mitigate risk to their organization and your own.