Connect with us

Hi, what are you looking for?


IoT Security

Unpatched Micodus GPS Tracker Vulnerabilities Allow Hackers to Remotely Disable Cars

Widely used vehicle GPS trackers from Micodus are affected by critical vulnerabilities that can be exploited by hackers to stalk people and remotely disable cars, according to cybersecurity company BitSight.

Widely used vehicle GPS trackers from Micodus are affected by critical vulnerabilities that can be exploited by hackers to stalk people and remotely disable cars, according to cybersecurity company BitSight.

BitSight researchers discovered the flaws last year and the company has been trying to responsibly disclose its findings to China-based GPS tracker supplier Micodus since September 2021. However, its efforts have been unsuccessful and the security holes remain unpatched.

Six vulnerabilities have been identified in the Micodus MV720 GPS tracker, which costs roughly $20 and is widely available, but BitSight believes other products from the same vendor are likely affected as well.

Micodus GPS tracker vulnerabilitiesThe vendor says 1.5 million of its tracking devices are deployed across 169 countries. The cybersecurity firm’s analysis shows that the products are used in the government, military, law enforcement, aerospace, engineering, shipping, manufacturing and other industries.

The device model analyzed by BitSight provides GPS tracking, anti-theft, fuel cut-off, geofencing and remote control capabilities. It can be controlled using commands sent via SMS or through mobile and web applications.

The product is affected by hardcoded and default password, broken authentication, cross-site scripting (XSS), and insecure direct object reference (IDOR) issues. A threat actor could use various attack vectors, including man-in-the-middle (MitM), authentication bypass through the mobile app, and reprogramming the tracker to use an attacker-controlled IP address as its API server.

In each scenario, a remote attacker could take complete control of the GPS tracker, giving them access to location and other information, and allowing them to disarm alarms and cut off fuel, BitSight warns.

The cybersecurity firm has described several possible scenarios involving exploitation of these vulnerabilities. Hackers could, for instance, stalk high-profile people, as well as regular individuals with the goal of committing a crime, such as a burglary.

Advertisement. Scroll to continue reading.

Profit-driven cybercriminals could disable a person’s car or a company’s entire vehicle fleet and demand a ransom. If a vehicle is disabled while in motion, it could have serious safety implications.

Since Micodus GPS trackers are also used by government and military organizations, exploitation of the flaws could have national security implications, BitSight warns.

BitSight could not accurately determine how many devices are in use, but monitoring connections to a Micodus server revealed more than 2.3 million connections, including 90,000 connections to the web interface port, which is believed to be a fairly accurate measurement of unique customers.

The highest number of users appear to be in countries such as Mexico, Chile, Brazil, Russia, Spain, Poland, Ukraine, South Africa and Morocco. Researchers have managed to identify some organizations using the Micodus GPS tracker, including national militaries in South America and Eastern Europe, law enforcement and government organizations in Western Europe, and a government ministry in North America.

After seeing that it could not report its findings directly to the vendor, BitSight reached out to the US Cybersecurity and Infrastructure Security Agency (CISA), which assigned five CVE identifiers to the vulnerabilities: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944. CISA has also issued its own advisory

BitSight has made available technical details for each vulnerability and the company has advised Micodus customers to stop using the impacted tracker until a patch is released. Workarounds are not available, the cybersecurity firm says.

SecurityWeek has reached out to the vendor for comment and will update this article if the company responds.

Related: Honda Admits Hackers Could Unlock Car Doors, Start Engines

Related: Many GPS Tracking Services Expose User Location, Other Data

Related: Researchers Find Exploitable Bugs in Mercedes-Benz Cars

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.