CISA reports that successful exploitation of vulnerabilities in your GPS tracking system may cause major issues, as attackers can remotely disrupt critical vehicle operations. They may be able to gain control of the GPS of over 1.5 million vehicles and exploit them.
These vulnerabilities are present in a tracking device from China-based MiCODUS, which is available for sale for only $20. The company's tracking device is used by many major organizations in 169 countries worldwide. It is also used in a range of fields, such as government, engineering, manufacturing, energy, nuclear power plants, and the shipping sector.
The issue came to light through a security audit conducted by BitSight. BitSight concluded that attackers could abuse access to the GPS systems to track individuals without their consent or knowledge. Hackers could also use that access to disable vehicles.
These vulnerabilities may also have national security implications, as militaries and law enforcement use MiCODUS for tracking and real-time monitoring. Attackers who gain access to the GPS system could therefore gather information about supply routes, regular troop movements, and recurring patrols.
A list of other flaws was also found in MiCODUS which, coupled with the unpatched GPS, may allow it to be weaponized. It would be well within an attacker's capabilities to gain access to certain locations, access location routes, deploy fuel cutoff commands, and disarm certain alarms.
As there is no solution now, users are advised to minimize their use of the GPS or disable it altogether until the company can find a solution that secures them against attackers who may disrupt vehicles remotely.