Security flaws in GPS trackers can be abused to cut off fuel to vehicles, CISA warns

A handful of vulnerabilities, some critical, in MiCODUS GPS tracker devices could allow criminals to disrupt fleet operations and spy on routes, or even remotely control or cut off fuel to vehicles, according to CISA. And there are no fixes for these security flaws. Two of the bugs received a 9.8 out of 10 CVSS severity rating. …

  1. Anonymous Coward

    Remember folks ...

    "never attribute to malice that which is adequately explained by stupidity."

    Oh, wait, this is business related. Substitute 'cupidity'.

    1. ecofeco Silver badge

      Re: Remember folks ...

      Indubitably.

  2. M.V. Lipvig Silver badge
    Joke

    And might this system

    be used on any armoured vehicles used for transporting rather large amounts of cash for banks? Asking for a friend...

  3. Pascal Monett Silver badge
    WTF?

    Cut off fuel ?

    It's a GPS. What the hell does that have to do with how the vehicle functions?

    I don't care that it's a tracker, the only thing it needs is power from the battery. It has nothing to do on the CAN bus.

    But of course, as in all the stupid things people do, they've linked it to the CAN bus.

    Morons.

    1. Giles C Silver badge

      Re: Cut off fuel ?

      Anti theft - if reported as stolen then stop it running?

      You would hope it isn’t possible to do this whilst it is moving, which is what it seems to be able to do. In that case it is a very stupid design.

      I mean how hard is it to write a routine that shuts down fuel when speed = 0

    2. Anonymous Coward

      Re: Cut off fuel ?

      The idea is someone steals your car, you get an alarm because it's started and moved, you know where it is, and you can cut off the fuel supply so the car stops.

      All for $25 - almost a free lunch.

      1. Mike 137 Silver badge

        Re: Cut off fuel ?

        " you can cut off the fuel supply so the car stops"

        and gets demolished by a rear ender from a big truck that your tracker couldn't see, possibly precipitating a multiple pile-up with numerous casualties.

        1. Anonymous Coward

          Re: Cut off fuel ?

          > and gets demolished by a rear ender from a big truck that your tracker couldn't see, possibly precipitating a multiple pile-up with numerous casualties.

          That's one scenario. Another is simply that the fuel is cut-off when parked - e.g. busses / coaches parked-up overnight at the depot have their fuel cut off to deter joy riders; or farm machinery disabled when not in use to deter theft.

    3. Kevin McMurtrie Silver badge

      Re: Cut off fuel ?

      It's a GPS tracker, shock sensor, and a solid-state relay on a cellular-connected processor. The relay is normally configured to cut or reduce fuel pump power if the vehicle is out of geo-fencing, speeding, or stolen.

      I won't buy a new car if the dealership has installed an anti-theft system. It guarantees you're eventually stranded on the side of the road ripping off interior panels to find an amateur's hidden wire splices, or now, an exploitable cellular tracker.

    4. FlamingDeath Silver badge

      Re: Cut off fuel ?

      Hopefully nobody does something stupid like connect power stations to the public internet…..

      …….

      …..

      .

      Let’s face it folks, the lunatics are in charge of the asylum. I’m drawing conclusions here, quit developing before it’s too late, because clearly asking those pertinent questions of “can I”, “should I” and “what if” is beyond some peoples thought process, assuming there are any thought processes to begin with.

      I despair

      1. Evil Auditor Silver badge

        Re: Cut off fuel ?

        I lost all hope when realising how many fellow IT guys have had the attitude "There's a fridge connected to the internet? Take my money!" Or maybe I'm just part of the stupid section of IT...

        1. ecofeco Silver badge

          Re: Cut off fuel ?

          There are a lot of savants in I.T. A LOT.

    5. Anonymous Coward

      Re: Cut off fuel ?

      > It's a GPS.

      Nope. It's a device that includes a GPS along with other components.

      > What the hell does that have to do with how the vehicle functions ?

      That's been more than adequately explained below.

      I cannot speak for this particular product, which I'd never heard of, but I helped design and run one of the first devices of this kind, complete with remote cut off, nearly thirty years ago. Needless to say we were well aware of what happens when you trip a relay that shuts off the fuel supply to the engine, having tested the thing ourselves.
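Giles C's point above (only actuate the cut-off when speed = 0) is easy to state and slightly less easy to get right once you account for missing or stale GPS fixes. The following is an added example, not MiCODUS's code or firmware and not from any commenter: a remote command only arms the cut-off, and the relay fires only after several consecutive, fresh fixes below an assumed noise floor. The thresholds, the `Fix`/`Immobilizer` names and the speed trace are all constructed for illustration.

```python
"""Added example (not MiCODUS's code or firmware): a remote fuel cut-off that
is armed by the command but only fires the relay once the vehicle has been
stationary for several consecutive, fresh GPS fixes.  The thresholds below
are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

STATIONARY_FIXES = 3        # consecutive slow fixes required before "stopped" is trusted
STATIONARY_MAX_KMH = 2.0    # assumed GPS speed noise floor while parked
MAX_FIX_AGE_S = 30.0        # a stale fix is not evidence the vehicle is stopped


@dataclass
class Fix:
    t: float                      # time of the fix, seconds since epoch
    speed_kmh: Optional[float]    # None when the receiver has no valid solution


@dataclass
class Immobilizer:
    relay_open: bool = False                      # True = fuel pump power interrupted
    pending_cut: bool = False                     # cut-off requested but not yet applied
    history: List[Fix] = field(default_factory=list)

    def request_cut(self) -> None:
        """A remote command only arms the cut-off; it never drives the relay directly."""
        self.pending_cut = True

    def cancel_cut(self) -> None:
        self.pending_cut = False

    def restore(self) -> None:
        """Re-enable the fuel pump (e.g. after the vehicle is recovered)."""
        self.relay_open = False
        self.pending_cut = False

    def on_fix(self, fix: Fix, now: float) -> bool:
        """Feed one GPS fix; return the relay state after the decision."""
        self.history.append(fix)
        self.history = self.history[-STATIONARY_FIXES:]   # keep only the recent window
        if self.pending_cut and self._stationary(now):
            self.relay_open = True
            self.pending_cut = False
        return self.relay_open

    def _stationary(self, now: float) -> bool:
        """True only if every fix in the window is valid, fresh and below the noise floor."""
        if len(self.history) < STATIONARY_FIXES:
            return False
        for f in self.history:
            if f.speed_kmh is None:            # no solution: fail safe, do not cut
                return False
            if now - f.t > MAX_FIX_AGE_S:      # stale data: fail safe, do not cut
                return False
            if f.speed_kmh > STATIONARY_MAX_KMH:
                return False
        return True


def simulate(speeds: List[Optional[float]], cut_at_fix: int = 0) -> Optional[int]:
    """Replay a constructed trace of one-second speed samples; the cut-off is
    requested just before fix number `cut_at_fix`.  Returns the index of the
    fix at which the relay opened, or None if it never did."""
    imm = Immobilizer()
    for i, s in enumerate(speeds):
        if i == cut_at_fix:
            imm.request_cut()
        if imm.on_fix(Fix(t=float(i), speed_kmh=s), now=float(i) + 0.5):
            return i
    return None


if __name__ == "__main__":
    # Constructed trace: motorway, braking, parked.  The relay opens only once parked.
    trace = [110.0, 95.0, 60.0, 20.0, 0.0, 0.0, 0.0, 0.0]
    print("relay opened at fix", simulate(trace))   # → 6
```

The two fail-safe branches are the point: a receiver with no solution, or one whose last fix is old, says nothing about whether the vehicle is moving, so the decision defaults to "do not cut". Whether a tracker should be wired to the fuel pump at all is the separate question the rest of this thread argues about.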

  4. Totally not a Cylon Silver badge
    WTF?

    Totally not an issue!

    I've got one of these, the device itself communicates with the server over GSM.

    It's the software running on the server end which may have an issue, BUT there is a very good Open Source Software server which runs on everything including a Raspberry Pi.

    This is only an issue if using some closed source server software from China.

    On the other hand these and their clones are great units, which can do a lot more than just vehicle location....

    1. ruskie

      Re: Totally not an issue!

      Umm I have one of these - haven't installed it yet. But having read the security issues - you are not safe because you're using traccar or any other open source solution for this.

      The issue is that they have a hardcoded password in the firmware on the device, that can be accessed by SMS, it's also apparently possible to fake the SMS originating from the controlling phone number. Sure some things are probably only an issue if using the original server.

      So I would be careful. Now if someone has an open source firmware for them - I'd be all for that.

    2. Smeagolberg

      Re: Totally not an issue!

      >This is only an issue if using some closed source server software from China.

      Or from... No... the US would never do such things... they're squeaky clean...
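ruskie's reply above describes the two weak links: a static password in the firmware, and commands accepted on the strength of the SMS sender number, which can be spoofed. The following is an added example, not MiCODUS's code or firmware and not from any commenter, showing that weak pattern beside a hardened check that ignores the sender field and instead requires an HMAC tag under a per-device secret plus a monotonic counter. The phone numbers, the secret, the message format and the command strings are all constructed for illustration; only the "123456" default is taken from the article.

```python
"""Added example (not MiCODUS's code or firmware): the weak SMS command check
the thread describes (caller ID plus a static password) beside a hardened
check using a per-device secret, an HMAC tag and a monotonic counter.  The
phone numbers, secret, message format and command strings are constructed."""
import hashlib
import hmac

DEFAULT_PASSWORD = "123456"         # shipped default named in the article
OWNER_NUMBER = "+15550001111"       # assumed "controlling phone number"


def weak_accept(sender: str, body: str) -> bool:
    """Pattern under criticism: trust the SMS sender field and a static password.
    Body format assumed as '<password>,<command>'.  A spoofed sender passes."""
    parts = body.split(",", 1)
    return sender == OWNER_NUMBER and len(parts) == 2 and parts[0] == DEFAULT_PASSWORD


class SmsAuthenticator:
    """Hardened check: the tag proves possession of a per-device secret and the
    counter rejects replays.  The sender number is not consulted at all."""
    TAG_HEX_LEN = 16   # 64-bit truncated tag keeps the message short for SMS

    def __init__(self, device_secret: bytes):
        self.secret = device_secret
        self.last_counter = 0          # must persist across reboots on a real device

    def tag(self, counter: int, command: str) -> str:
        msg = f"{counter}:{command}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[: self.TAG_HEX_LEN]

    def compose(self, counter: int, command: str) -> str:
        """What the owner's app would send: '<counter>:<command>:<tag>'."""
        return f"{counter}:{command}:{self.tag(counter, command)}"

    def accept(self, body: str) -> bool:
        try:
            counter_s, rest = body.split(":", 1)
            command, tag = rest.rsplit(":", 1)
            counter = int(counter_s)
        except ValueError:                               # malformed message
            return False
        if counter <= self.last_counter:                 # replay or reordered message
            return False
        if not hmac.compare_digest(tag, self.tag(counter, command)):
            return False
        self.last_counter = counter                      # commit only after a valid tag
        return True


def demo() -> dict:
    """Constructed exchange: the owner sends one command; an attacker then
    replays it, spoofs the sender against the weak check, and forges a tag
    without knowing the secret."""
    auth = SmsAuthenticator(device_secret=b"per-device-secret-provisioned-at-pairing")
    owner_msg = auth.compose(1, "cutfuel")
    return {
        # attacker sets the sender field to the owner's number: weak check accepts
        "weak_spoofed_sender": weak_accept(OWNER_NUMBER, f"{DEFAULT_PASSWORD},cutfuel"),
        "hmac_owner": auth.accept(owner_msg),                       # genuine: accepted
        "hmac_replay": auth.accept(owner_msg),                      # same counter: rejected
        "hmac_forged": auth.accept("2:cutfuel:" + "0" * SmsAuthenticator.TAG_HEX_LEN),
        "hmac_next": auth.accept(auth.compose(2, "restore")),       # next counter: accepted
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

Two caveats on the hardened version. It only helps if the secret really is per device and provisioned at pairing; a secret baked into a firmware image shared by every unit is just the hardcoded password again. And the counter has to survive a power cycle, otherwise an attacker who has captured an old message can replay it after forcing a reboot.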

  5. Mike 137 Silver badge

    So basic ---- still!

    Hard coded passwords and failure to validate requests. What could be more bleeding obvious? And yet we're still suffering from the same incompetent pseudo-engineering as we have for a couple of decades. The only difference is that it's becoming ever more critical as it's applied to increasingly hazardous situations.

    1. EnviableOne Silver badge

      Re: So basic ---- still!

      I am starting to wonder why OWASP publish the top 10; the original and the latest are, for the want of a bit of rephrasing, the same issues.

  6. Anonymous Coward

    How GPS works

    Every time I'm discussing GPS functionalities with people, I'm baffled they all believe a GPS device is meant to tell the world where it is or can't work with no mobile data!

    But no, GPS is passive, it's only some add-ons that make it connected, tell the world where you are/drive, and be a target.

    Thankfully, my good old TomTom Premium X can be used as a 100% passive device, doesn't need mobile data or any such nonsense.

    And, it can move from car to car !

    I don't need those vulnerable gadgets that often require a car dealer to update.

    1. Anonymous Coward

      Re: How GPS works - but not GPS Devices

      There aren't many devices left that don't at least receive radio data and all cars now have ecall trackers and mobile connection builtin supposedly "so they can send an emergency signal in case of accident".

      Obviously an ideal system for governments and organisations to monitor and eventually control everything that happens in a car, especially now electric cars are all fly-by-wire and fully integrated with junk like Android or iOS.

      Now what is that they say about no cars allowed at weekends - easy-peasy - empty roads just for the "Special Ones"

      Funny that no-one was allowed any say in this, but they do let us play games pretending we have some say over privacy with these hilarious meaningless cookie popups.

      1. veti Silver badge

        Re: How GPS works - but not GPS Devices

        > all cars now have ecall trackers and mobile connection builtin

        Citation needed. My car doesn't.

        > Now what is that they say about no cars allowed at weekends

        I have no idea, what do "they" say about it? Nobody - literally not one person - has said it to me, whatever it is.

        > Funny that no-one was allowed any say in this

        Any say in what, exactly? Please be more specific and include citations in your paranoid ranting, then at least we'll know what you're talking about.

    2. Anonymous Coward

      Re: How GPS works

      A GPS intended for foiling car theft is a different bird. But you wouldn't need to have it "connected" (or even "on") while YOU were driving. And actually it wouldn't need to connect unless the car was moved without alarm being disabled.

  7. Flywheel

    If you don't trust the particular version in question there are dozens more with unintelligible names on Amazon. No surprise there either.

    1. J. Cook Silver badge

      ... and all probably running the same (bad) code, or worse on them.

  8. Doctor Syntax Silver badge

    Make type approval a requirement for any such attachment that can affect the safety of the vehicle.

  9. iron Silver badge
    FAIL

    Very useful CVE links from the author there - they all say "CVE ID Not Found!"

  10. J. Cook Silver badge
    Joke

    > There's no mandatory rule that users change the default password, which ships as "123456," on the devices

    That's the same password as my luggage!

    1. Korev Silver badge
      Joke

      I’m still wondering how they managed to guess the root password on all my servers…

  11. ecofeco Silver badge

    SMH

    FFS.

    It's almost like connecting everything to the cloud was not a great idea.

    *facepalm*
