      Critical Vulnerabilities in GPS Trackers / Schneier · Thursday, 21 July, 2022 - 13:36 · 1 minute

    This is a dangerous vulnerability:

    An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

    BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

    The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after trying for months to privately engage with the manufacturer. As of the time of writing, all of the vulnerabilities remain unpatched and unmitigated.

    These are computers and computer vulnerabilities, but because the computers are attached to cars, the vulnerabilities become potentially life-threatening. CISA writes:

    These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

    I wouldn’t have buried “vehicle control” in the middle of that sentence.

      Millions of GPS devices at risk from FCC-approved 5G network, military says

      Jon Brodkin / ArsTechnica · Friday, 8 May, 2020 - 16:37

    Dana Deasy, Department of Defense Chief Information Officer, testifies during a Senate Armed Services Committee hearing on May 6, 2020 in Washington, DC. (credit: Getty Images)

    GPS is facing a major interference threat from a 5G network approved by the Federal Communications Commission, US military officials told Congress in a hearing on Wednesday.

    In testimony to the Senate Committee on Armed Services, Department of Defense Chief Information Officer Dana Deasy disputed the FCC's claims that conditions imposed on the Ligado network will protect GPS from interference.

    When the FCC approved Ligado's plan last month, the agency required a 23MHz guard band to provide a buffer between the Ligado cellular network and GPS. Deasy argued that this guard band won't prevent interference with GPS signals: