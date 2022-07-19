Millions of vehicles worldwide could be susceptible to remote tracking and sabotage due to security flaws in a popular GPS module sold on Amazon and other online marketplaces. On Tuesday, cybersecurity firm BitSight disclosed it found six “severe” vulnerabilities in the MV720, a hardwired GPS tracker produced by Chinese electronics manufacturer Micodus. According to BitSight, the vulnerabilities are “not difficult to exploit” and may not be limited to one device.

Micodus did not respond to communication attempts by BitSight and the US Cybersecurity and Infrastructure Security Agency (CISA), meaning the company has made no effort to fix the vulnerabilities, and there are no known workarounds. Two of the six flaws are “critical” in nature. The most pressing involves a hardcoded password that a bad actor could use to send SMS commands to the MV720. Someone could use that capability to track the real-time location of a vehicle and remotely cut off its fuel supply.