In this file photo, the U.S. Homeland Security Department headquarters is shown in northwest Washington DC, on Feb. 25, 2015. (AP Photo/Manuel Balce Ceneta, File)
Security experts say a popular Chinese-made automobile tracking device presents a serious risk of cyberattacks.
A cyberattack is an attack on or through a computer network.
The device, manufactured by Shenzhen-based MiCODUS, is used by people worldwide to protect their vehicles from being stolen.
A report by the U.S.-based cybersecurity company BitSight has warned that the system has severe software vulnerabilities.
The issues could permit attackers to remotely hijack vehicles using the tracking device, security researchers said. This could give attackers the ability to cut off fuel or seize control of the vehicle while it is moving, BitSight said in its report.
The MV720 device costs less than $25, BitSight says. The researchers recently issued a press release that urges any users of the device to stop using it until a fix for the vulnerabilities becomes available.
BitSight’s report came as a U.S. government agency issued an official advisory that also described the device’s vulnerabilities.
BitSight told The Associated Press it had tried since September to communicate with representatives of MiCODUS to discuss the security risks it had identified. It said those attempts were not successful. BitSight said the U.S. agency investigating the device, the Cybersecurity and Infrastructure Security Agency (CISA), joined its efforts to communicate with MiCODUS in April.
The Associated Press emailed MiCODUS about the matter, but reported it did not receive an answer.
CISA said in a statement that it did not know about “any active exploitation” of the vulnerabilities.
GPS trackers are used worldwide to follow groups of vehicles, from trucks to school buses to military vehicles. The devices also act as security to prevent vehicles from getting lost or stolen.
In addition to collecting data on vehicle tracking, many devices are also equipped to examine other information about vehicle and driver actions. This information could include driver behavior and fuel usage. Many of the devices are able to control a vehicle's fuel or locking systems and more.
Using the MV720 device, BitSight said, a cyberattacker could remotely cut off the fuel line of a vehicle in motion. An attacker might also be able to see where a vehicle is in real-time for spying purposes, said BitSight researcher Pedro Umbelino.
One of the device’s main vulnerabilities is that it comes with a default password that more than 90 percent of users do not change, BitSight found. It also discovered security weaknesses in software the web server uses to control the devices over the internet.
MiCODUS claims that about 1.5 million of the devices are being used by 420,000 customers.
BitSight said its research found that among the customers were a major energy company and an aerospace company and national militaries in South America and Eastern Europe. Others included a nuclear power plant operator and a national law enforcement agency in Western Europe. BitSight did not name any of the companies. Countries with the most users included Brazil, Mexico, Spain and Russia.
Richard Clarke is a former top U.S. cybersecurity official. He told the AP that while he does not believe the device was designed to be “used maliciously by the Chinese government,” that remains a possibility.
Clarke said the threat is real because Chinese companies are required by law to follow their government’s orders. “You just wonder, how often are we going to find these things that are infrastructure – where there’s a potential for Chinese abuse – and the users don’t know?” Clarke said.
Words in This Story
track – v. to record the progress or development of something
vulnerable – adj. able to be hurt or at risk of being harmed
remotely – adv. from a distance away
exploit – v. to use or develop something for your own advantage
default – adj. what usually exists if no changes are made
customer – n. someone who buys goods and services from a business
malicious – adj. meant to harm or upset someone
infrastructure – n. the basic equipment and structures (such as roads and bridges) that are needed for a country or area
potential – n. a possibility when the necessary conditions exist