Security vulnerabilities in a popular Chinese-built GPS vehicle tracker can be easily exploited to track and remotely cut the engines of at least a million vehicles around the world, according to new research. Worse, the company that makes the GPS trackers has made no effort to fix them.

Cybersecurity startup BitSight said it found six vulnerabilities in the MV720, a hardwired GPS tracker built by Micodus, a Shenzhen,-based electronics maker, which claims more than 1.5 million GPS trackers in use today across more than 420,000 customers worldwide, including companies with fleets of vehicles, law enforcement agencies, militaries and national governments. BitSight said it also found the GPS trackers used by Fortune 50 companies and a nuclear power plant operator.

But the security flaws can be easily and remotely exploited to track any vehicle in real-time, access past routes, and cut the engines of vehicles in motion.

Pedro Umbelino, principal security researcher at BitSight who authored the report seen by TechCrunch before its publication, said the vulnerabilities are “not difficult to exploit,” and that the nature of the flaws leaves “significant questions about the vulnerability of other models,” suggesting the bugs may not be limited to the one Micodus GPS tracker model.

Given the severity of the bugs and that there are no fixes, both BitSight and CISA, the U.S. government’s cybersecurity advisory agency, warned vehicle owners to remove the devices as soon as possible to mitigate the risk.

The six vulnerabilities vary in severity and exploitability, but all but one rank as “high” severity or greater. Some of the bugs are in the GPS tracker itself, while others are in the web dashboard that customers use to track their vehicle fleets.

The most severe flaw is a hardcoded password that can be used to gain complete control of any GPS tracker, access to vehicles’ real-time location and past routes, and remotely cut off fuel to vehicles. Because the password is embedded directly into the code of the Android app, anyone can dig around the code and find it.

A map with red points representing a MiCODUS user. Image Credits: BitSight/supplied.

The research also found that the GPS tracker comes with a default password of “123456,” allowing anyone access to GPS trackers that have not changed their device’s password. BitSight found 95% of a sample of 1,000 devices it tested were accessible with an unchanged default password, likely because device owners aren’t prompted to change the device’s password on setup.

Two of the remaining vulnerabilities, known as insecure direct object references — or IDORs — allow a logged-in user to access data from a vulnerable GPS tracker that didn’t belong to them, and generate spreadsheets containing device activity, such as past locations and routes.

The researchers said they found vulnerable Micodus GPS trackers all over the world, with the highest concentration of devices in Ukraine, Russia, Uzbekistan, and Brazil, as well as across Europe, including Spain, Poland, Germany and France. Kevin Long, a spokesperson for BitSight, told TechCrunch that it saw a smaller percentage of devices in the United States but that the figure is likely “thousands” of devices.

BitSight CEO Stephen Harvey said the vulnerabilities have the potential to result in “disastrous consequences” for affected vehicle owners. The security company first contacted Micodus in September 2021, but no efforts were made to fix the vulnerabilities ahead of the report’s publication. Security researchers typically give companies three months to fix vulnerabilities before they are made public, giving the developers time to remediate before details of the vulnerabilities are published.

Micodus did not respond to TechCrunch’s request for comment sent prior to publication.