CISA Warns About Vulnerabilities in a Commonly Used GPS Tracker

David Ries, Melissa Ventrone
Clark Hill PLC
Contact
LinkedIn
Facebook
X
Send
Embed

On July 19, the Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities in the commonly used MiCODUS MV720 Global Positioning System (GPS) Tracker. It warned that successful exploitation of the vulnerabilities could allow a remote actor to exploit access and gain control of the GPS tracker, which could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

The vulnerabilities were reported by the cybersecurity firm BitSight Technologies. It noted that “MiCODUS is a Shenzhen, China-based manufacturer and supplier of automotive electronics and accessories which has 1.5 million GPS tracking devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.”

The CISA Advisory reports that MiCODUS had not provided updates or patches to mitigate these vulnerabilities as of July 18th, 2022. BitSight recommends that users immediately cease using or disable any affected trackers until a fix is made available because there is no known workaround.

CISA suggests the following defensive measures to minimize the risk of exploitation of these vulnerabilities:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA also recommends the following measures to protect against social engineering attacks:

In addition to the warning about the vulnerabilities in this GPS tracker, the Advisory should serve as a reminder that a comprehensive cybersecurity program should go beyond endpoints, servers, networks, and cloud services. They should include inventories, risk assessments, security and privacy assessments, and appropriate safeguards for all technology that may impact the business or organization, including industrial control systems and Internet of Things devices. It should also serve as a reminder of the importance of keeping up with relevant threat intelligence like the Advisory.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising

Written by:

Clark Hill PLC
Clark Hill PLC
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Clark Hill PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide