The Cybersecurity & Infrastructure Security Agency (CISA) released an Industrial Control Systems Advisory (ICSA) listing six unpatched vulnerabilities that can allow threat actors to remotely control vehicles outfitted with MiCODUS MV720 GPS tracker systems.
The CISA Advisory (ICSA-22-200-01) warns that successful exploitation of the vulnerabilities can allow threat actors to remotely take over any MV720 GPS tracker, which can grant unauthorized access to and control of vehicle locations, fuel and oil supply, or vehicle control.
According to the MiCODUS website, the MV720 GPS tracker is a hardwired locator that provides real-time location tracking and anti-theft capabilities, including oil and fuel cutoff, remote control and geofencing. These features are extremely useful, but also extremely dangerous in the wrong hands.
"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," BitSight states in their MiCODUS MV720 report. "For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways."
While the MV720 network is not available in the United States, there are reportedly more than 1.5 million trackers currently in use across approximately 420,000 customers in industries including government, military, law enforcement and Fortune 1000 companies.
What can companies impacted by the MiCODUS MV720 GPS tracker vulnerabilities do?
The CISA Advisory outlines recommendations including:
Minimizing network exposure for all control system devices and/or systems, and ensuring they are not accessible from the Internet.
Locating control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, using secure methods, such as Virtual Private Networks (VPNs), while recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as its connected devices.
As of this article's publication, MiCODUS has not made any public comments on the vulnerabilities or the CISA advisory.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.