Six vulnerabilities in a Chinese-built vehicle GPS tracker from MiCODUS allow hackers to track individuals without their knowledge, remotely disable vehicles, and more, cybersecurity company BitSight said.
There are 1.5 million MiCODUS devices, across 169 countries, in use by individual users, government agencies, militaries, law enforcement and corporations.
Organizations identified using MiCODUS GPS trackers include a Fortune 50 energy, oil and gas company, a national military in South America, a Fortune 50 technology company, a nuclear power plant operator, and a state on the East Coast of the US.
The affected GPS tracking device is manufactured by Shenzhen, China-based company MiCODUS.
Consumers, militaries, law enforcement agencies, and corporations install MiCODUS GPS trackers in vehicles to monitor real-time locations, speeds, and historical routes, and to remotely cut off fuel in the event of theft.
Users access a dashboard, or use SMS text messaging, to send commands directly to deployed devices.
Each MV720 is sold for approximately $20 on Amazon, AliExpress, eBay, Alibaba, and other major online retailers, making it available to anyone.
“If China can remotely control vehicles in the US, we have a problem,” said Richard Clarke, national security expert and former presidential advisor on cybersecurity.
“With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind,” Richard Clarke said.