Incident Details

Incident: Severe Software Vulnerabilities in Chinese-Made Automotive GPS Tracker.

Published Date: 2022-07-19

Postmortem Analysis
Timeline	1. The software failure incident with the Chinese-made automotive GPS tracker happened in September [130712]. 2. The article was published on 2022-07-19. 3. Therefore, the software failure incident with the GPS tracker occurred in September 2021.
System	1. MiCODUS MV720 GPS tracker [130712]
Responsible Organization	1. Shenzen-based MiCODUS [130712]
Impacted Organization	1. Vehicle fleets globally, including trucks, school buses, and military vehicles, that use the MV720 GPS tracker [130712] 2. Fortune 50 energy company, aerospace company, national military in South America and eastern Europe, nuclear power plant operator, and national law enforcement agency in western Europe that are customers of MiCODUS [130712]
Software Causes	1. Default password that more than 90% of users don't change and a hard-coded password that works for all devices [130712] 2. Security flaws in the software of the web server used to remotely manage the GPS devices [130712]
Non-software Causes	1. Default password that more than 90% of users don't change [130712] 2. Obscure but hard-coded password that works for all devices [130712]
Impacts	1. The software vulnerabilities in the Chinese-made automotive GPS tracker could allow attackers to remotely hijack device-equipped vehicles, potentially cutting off fuel and seizing control while they travel [130712]. 2. Users were advised to immediately disable the MV720 GPS tracker until a fix becomes available, indicating a loss of trust in the device's security and functionality [130712]. 3. The vulnerabilities in the GPS tracker could lead to severe consequences such as crippling first responders' vehicles, demanding cryptocurrency ransom from victims, or intercepting and tainting location data for sabotage purposes [130712]. 4. The insecure GPS device raised concerns about potential malicious use by the Chinese government, highlighting broader national security implications and the need to minimize Chinese components in critical infrastructure [130712].
Preventions	1. Implementing secure coding practices during the development of the GPS tracker software to prevent vulnerabilities such as default passwords and hard-coded passwords [130712]. 2. Conducting thorough security testing, including penetration testing, to identify and address any potential weaknesses in the software [130712]. 3. Establishing a responsible disclosure process for security researchers to report vulnerabilities, and promptly addressing reported issues to ensure timely fixes are implemented [130712]. 4. Engaging in proactive communication and collaboration with cybersecurity researchers and relevant authorities to address security concerns and ensure the safety and integrity of the software [130712].
Fixes	1. Users should immediately disable the MV720 GPS tracker until a fix becomes available [130712]. 2. The manufacturer, Shenzen-based MiCODUS, needs to address the vulnerabilities identified by cybersecurity researchers and release a software update to patch the flaws [130712].
References	1. Boston cybersecurity firm BitSight [Article 130712] 2. U.S. Cybersecurity and Infrastructure Security Agency (CISA) [Article 130712] 3. Manufacturer MiCODUS [Article 130712] 4. Former U.S. cybersecurity czar Richard Clarke [Article 130712]

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	multiple_organization	(a) The software failure incident related to the insecure GPS tracker made by MiCODUS has not been explicitly mentioned to have happened again within the same organization or with its products and services in the provided article [130712]. (b) The article mentions that the insecure GPS tracker made by MiCODUS, which has severe software vulnerabilities, is used by various organizations globally, including a Fortune 50 energy company, an aerospace company, a national military in South America and eastern Europe, a nuclear power plant operator, and a national law enforcement agency in western Europe. This indicates that the software failure incident related to the vulnerabilities in the GPS tracker has affected multiple organizations [130712].
Phase (Design/Operation)	design, operation	(a) The software failure incident related to the design phase is evident in the severe software vulnerabilities found in the Chinese-made automotive GPS tracker, MV720. Cybersecurity researchers discovered flaws in the device that could allow attackers to remotely hijack vehicles, cut off fuel, and seize control while they are in motion. These vulnerabilities were attributed to default passwords that were not changed by over 90% of users, as well as security flaws in the software of the web server used to manage the GPS devices [130712]. (b) The software failure incident related to the operation phase is highlighted by the potential dangers posed by the insecure GPS tracker in terms of highway safety, national security, and supply chains. Users were advised to immediately disable the MV720 GPS tracker until a fix becomes available to prevent potential attacks that could compromise vehicle safety and security during operation [130712].
Boundary (Internal/External)	within_system, outside_system	(a) within_system: The software failure incident involving the Chinese-made automotive GPS tracker was primarily due to severe software vulnerabilities within the system itself. The vulnerabilities included a default password that most users did not change, an obscure but hard-coded password that worked for all devices, and security flaws in the software of the web server used to manage the GPS devices [130712]. (b) outside_system: The failure incident was exacerbated by the lack of response and engagement from the manufacturer, Shenzen-based MiCODUS, when cybersecurity researchers attempted to address the vulnerabilities. Despite efforts by BitSight and the U.S. Cybersecurity and Infrastructure Security Agency to engage the manufacturer in discussions to address the vulnerabilities, there was no response from the company, indicating a lack of cooperation from an external entity [130712].
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident in this case is primarily due to non-human actions, specifically severe software vulnerabilities present in the Chinese-made automotive GPS tracker MV720. These vulnerabilities could allow attackers to remotely hijack vehicles, cut off fuel, and seize control while the vehicles are in motion. The vulnerabilities include default passwords that are not changed by over 90% of users, an obscure hard-coded password that works for all devices, and security flaws in the software of the web server used to manage the GPS devices [130712]. (b) Human actions also play a role in this software failure incident. Despite the cybersecurity researchers' efforts to engage with the manufacturer, Shenzen-based MiCODUS, to address the vulnerabilities, the company did not respond to attempts to discuss the issues. This lack of response from the manufacturer indicates a failure on the part of human actions to address and rectify the software vulnerabilities in a timely manner [130712].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident in the article is primarily related to hardware vulnerabilities in a Chinese-made automotive GPS tracker. The vulnerabilities in the device's software could allow attackers to remotely hijack vehicles, cut off fuel, and seize control while they are in motion. The flaws include default passwords that are not changed by over 90% of users, an obscure hard-coded password that works for all devices, and security flaws in the software of the web server used to manage the GPS devices [130712]. (b) The software failure incident is also related to software vulnerabilities in the GPS tracker's system. The flaws in the software of the device, including default passwords and security flaws in the web server, contribute to the overall failure of the system and pose significant risks to highway safety, national security, and supply chains [130712].
Objective (Malicious/Non-malicious)	malicious	(a) The software failure incident in this case is malicious. The vulnerabilities in the Chinese-made automotive GPS tracker were severe and could allow attackers to remotely hijack vehicles, cut off fuel, and seize control while they travel. The default and hard-coded passwords, along with security flaws in the software, were identified as contributing factors that could be exploited by malicious users to carry out harmful actions such as crippling first responders' vehicles or demanding ransom from victims [130712].
Intent (Poor/Accidental Decisions)	poor_decisions, accidental_decisions	(a) The software failure incident related to the Chinese-made automotive GPS tracker had elements of poor decisions contributing to the vulnerability. The manufacturer, MiCODUS, was unresponsive to attempts by cybersecurity researchers to address the severe software vulnerabilities in the device. Despite efforts by BitSight and CISA to engage the manufacturer in discussions since September, there was no response from MiCODUS. This lack of cooperation and failure to address critical vulnerabilities in the software can be attributed to poor decisions made by the manufacturer [130712]. (b) The software failure incident also involved accidental decisions or mistakes that contributed to the vulnerability of the GPS tracker. For example, the device came with a default password that over 90% of users did not change, making it susceptible to exploitation. Additionally, there was a second hard-coded password that worked for all devices, further highlighting accidental decisions or oversights in the software design. These unintentional flaws in the software's security measures contributed to the overall vulnerability of the device [130712].
Capability (Incompetence/Accidental)	development_incompetence, accidental	(a) The software failure incident in the article can be attributed to development incompetence. The article mentions severe software vulnerabilities in a popular Chinese-made automotive GPS tracker developed by Shenzen-based MiCODUS. The vulnerabilities included a default password that more than 90% of users don't change, an obscure but hard-coded password that works for all devices, and security flaws in the software of the web server used to remotely manage the GPS devices [130712]. (b) The software failure incident can also be considered accidental as the vulnerabilities in the GPS tracker were not intentionally introduced but were due to incompetence in the development process. The article highlights that the manufacturer, MiCODUS, did not respond to attempts by cybersecurity researchers to address the vulnerabilities, indicating a lack of intentional malice but rather a failure to address security issues in the software [130712].
Duration	temporary	The software failure incident described in the article is more aligned with a temporary failure rather than a permanent one. This is evident from the fact that the failure is due to specific contributing factors introduced by certain circumstances, such as severe software vulnerabilities in the Chinese-made automotive GPS tracker by MiCODUS. The vulnerabilities allow attackers to remotely hijack vehicles, cut off fuel, and seize control, indicating a specific issue with the software that can potentially be fixed with a patch or update [130712].
Behaviour	omission, value, other	(a) crash: The software failure incident described in the article involves severe software vulnerabilities in a popular Chinese-made automotive GPS tracker. These vulnerabilities could allow attackers to remotely hijack device-equipped vehicles, cutting off fuel to them and seizing control while they travel. Users are advised to immediately disable the MV720 GPS tracker until a fix becomes available [130712]. (b) omission: The vulnerabilities in the GPS tracker could lead to the omission of the system's intended functions, such as monitoring vehicle location, driver behavior, and fuel usage. Attackers could remotely cut off a vehicle's fuel line in motion, know its real-time location for espionage purposes, or intercept and taint location data to sabotage operations [130712]. (c) timing: The software failure incident does not directly involve timing issues where the system performs its intended functions correctly but too late or too early. The focus is on the severe vulnerabilities that could compromise the security and safety of the GPS tracker-equipped vehicles [130712]. (d) value: The vulnerabilities in the GPS tracker could lead to the system performing its intended functions incorrectly. For example, the default password that more than 90% of users don't change and a hard-coded password that works for all devices could be exploited by malicious users. Additionally, security flaws were found in the software of the web server used to remotely manage the GPS devices [130712]. (e) byzantine: The software failure incident does not involve the system behaving erroneously with inconsistent responses and interactions, as described in a byzantine failure. The vulnerabilities in the GPS tracker primarily focus on security flaws that could be exploited by attackers to remotely control the vehicles [130712]. (f) other: The other behavior observed in this software failure incident is the potential for malicious scenarios where first responders' vehicles could be crippled, or a hacker could shut off an engine and demand a cryptocurrency ransom from victims to avoid calling a mechanic. This behavior highlights the serious implications of the vulnerabilities in the GPS tracker on highway safety, national security, and supply chains [130712].

IoT System Layer

Layer	Option	Rationale
Perception	sensor, processing_unit, embedded_software	(a) sensor: The software failure incident related to the GPS tracker involved severe software vulnerabilities that could allow attackers to remotely hijack device-equipped vehicles, such as cutting off fuel and seizing control while they travel. This vulnerability could be attributed to issues with the GPS tracker's sensor functionality, which is responsible for collecting data on vehicle location and other metrics like driver behavior and fuel usage [130712]. (b) actuator: The software failure incident did not specifically mention any issues related to actuator errors. The focus of the vulnerability was more on the remote control and monitoring capabilities of the GPS tracker, rather than direct control over physical actuators in the vehicles. (c) processing_unit: The software failure incident highlighted vulnerabilities in the software of the web server used to remotely manage the GPS devices. These security flaws in the processing unit's software could have contributed to the potential risks associated with the GPS tracker, allowing attackers to exploit the system [130712]. (d) network_communication: The software failure incident did not explicitly mention any network communication errors. However, the vulnerabilities identified in the GPS tracker's software could potentially be exploited through network communication channels, such as remote access to the devices for malicious purposes. (e) embedded_software: The software failure incident pointed out several vulnerabilities in the GPS tracker's software, including default passwords that were not changed by users and hard-coded passwords that worked for all devices. These issues with the embedded software of the GPS tracker contributed to the overall security risks associated with the device [130712].
Communication	connectivity_level	The software failure incident reported in Article 130712 is related to the communication layer of the cyber physical system that failed at the connectivity_level. The vulnerabilities identified in the Chinese-made automotive GPS tracker were related to the software of the web server used to remotely manage the GPS devices, indicating issues at the network or transport layer [130712]. Additionally, the flaws in the device allowed attackers to remotely hijack vehicles, cut off fuel, and seize control while they travel, which points to failures introduced at the connectivity level of the system.
Application	TRUE	The software failure incident described in the article [130712] is related to the application layer of the cyber physical system. The vulnerabilities in the Chinese-made automotive GPS tracker, specifically the default password issue and security flaws in the software of the web server used to manage the GPS devices, are contributing factors introduced by bugs and incorrect usage that fall under the definition of application layer failures. These vulnerabilities could allow attackers to remotely hijack vehicles, cut off fuel, and seize control while they travel, indicating a failure at the application layer of the system.

Other Details

Category	Option	Rationale
Consequence	harm, property, non-human, theoretical_consequence, other	(a) death: The software failure incident involving the Chinese-made automotive GPS tracker with severe vulnerabilities did not result in any reported deaths as per the articles [130712]. (b) harm: The potential harm resulting from the software vulnerabilities included attackers being able to remotely hijack vehicles, cut off fuel, and seize control while they travel, posing a danger to highway safety and national security [130712]. (c) basic: There is no mention of people's access to food or shelter being impacted by the software failure incident [130712]. (d) property: The software failure incident could impact people's material goods, money, or data as attackers could remotely control vehicles equipped with the vulnerable GPS tracker [130712]. (e) delay: There is no mention of people having to postpone an activity due to the software failure incident [130712]. (f) non-human: Non-human entities, specifically vehicles equipped with the vulnerable GPS tracker, were impacted by the software failure incident as attackers could remotely control them [130712]. (g) no_consequence: There were observed consequences of the software failure incident, including the potential danger to highway safety and national security due to the vulnerabilities in the GPS tracker [130712]. (h) theoretical_consequence: Theoretical consequences discussed included scenarios where attackers could remotely cut off a vehicle's fuel line, know its real-time location for espionage purposes, or intercept and taint location data to sabotage operations [130712]. (i) other: The software failure incident could potentially lead to scenarios where first responders' vehicles could be crippled, or hackers could demand cryptocurrency ransom from victims to avoid calling a mechanic after shutting off an engine [130712].
Domain	transportation	(a) The failed system was related to the transportation industry as it involved a popular Chinese-made automotive GPS tracker used in 169 countries [Article 130712]. (b) The software failure incident was directly linked to the transportation industry, specifically in monitoring and tracking vehicle fleets [Article 130712]. (c) The incident did not involve the extraction of natural resources. (d) The software failure incident was not related to sales transactions. (e) The incident did not pertain to the construction industry. (f) The failed system was not associated with manufacturing products. (g) The software failure incident did not involve utilities services. (h) The incident was not related to financial activities. (i) The failed system was not directly linked to knowledge-related activities. (j) The software failure incident did not involve the health industry. (k) The incident was not related to the entertainment industry. (l) The software failure incident was not directly linked to government activities. (m) The failed system was not related to any other industry mentioned in the options.

Sources

Researchers: Chinese-made GPS tracker highly vulnerable - The Associated Press - Published on: 2022-07-19
Article ID: 130712

Back to List