Popular GPS Tracker Exposes Millions to Security Risks


Research company says Chinese-made tracker exposes users to dangerous hacking

Cybersecurity researchers announced this week that the Chinese-made MiCODUS MV720 GPS tracker has six severe vulnerabilities that could, if exploited, cut off a vehicle’s fuel, physically stop it, or surveil its movement.

A report by Boston-based cybersecurity firm BitSight says that there are 1.5 million MV720 trackers in use in 169 countries. The tracker's worldwide sales figures are staggering: 420,000 customers, including government, military, and law enforcement agencies and Fortune 1000 companies.

BitSight’s report came out at the same time that an advisory from the U.S. Cybersecurity and Infrastructure Security Agency also listed key tracker vulnerabilities. BitSight shared its research with the agency when its vulnerability disclosure efforts to MiCODUS were disregarded, the company said.

Map shows where the 1.5 million MV720 trackers are installed worldwide (Image: BitSight)

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, a national security expert and former presidential advisor on cybersecurity, in a statement. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind.”

The MiCODUS MV720 is a hardwired GPS tracker that features anti-theft, fuel cut-off, remote control and geofencing capabilities. BitSight recommends that users “immediately cease using or disable any MiCODUS MV720 GPS trackers until a fix is made available by the company as there is no known workaround.”

The vulnerabilities the company discovered affecting the MiCODUS MV720 would allow for possible attack scenarios where “a bad actor could easily gain complete control over any GPS tracker of this type,” said Pedro Umbelino, principal security researcher at BitSight, in a statement.
