BitSight has discovered six severe vulnerabilities in a popular vehicle GPS tracker (MiCODUS MV720) potentially allowing hackers to track individuals, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more.
The world around you is brimming with Internet of things (IoT) devices. Sure, devices like our computers or smartphones have always relied on Internet access, but now the network is expanding. Think smart watches, security cameras, medical sensors, smart refrigerators… The list could go on and on.
The Internet is connected to countless devices, promoting convenience and efficiency for consumers globally, but also for businesses. The digital trend is not predicted to stop any time soon, with the number of connected devices expected to more than double from 14 billion units in 2021 to 31 billion by 2025.
Do IoT devices matter to businesses?
IoT devices might mainly be considered consumer goods, but businesses also are relying on them to ease workloads and get a leg up in their supply chains (say, with energy efficient smart thermostats and lights in the office or warehouses). Employee-owned IoT devices may also connect to an organization's network, whether remotely or during on-site work, expanding the attack surface of the business piece by piece.
But an employee’s smartwatch shouldn’t pose a cybersecurity risk to your organization, right?
Traditionally, prioritizing monitoring and analysis of cyber risk meant managing high-stakes vendors like a cloud service provider or HR tool with extra care, because they hold information that bad actors want the most. New research has revealed that seemingly benign IoT devices hold hidden risk previously unimaginable.
A harsh reality – IoT devices can wreak havoc on consumers and organizations
BitSight recently discovered six severe vulnerabilities in a popular vehicle GPS tracker. The technology behind the IoT device is the MiCODUS MV720, but based on the research into the initial threat, we believe there could be other vulnerable models.
To break it down a little, the research reveals a vulnerability that, if acted on, would allow hackers to track individuals in their vehicles without their knowledge. With control of the GPS device, bad actors can also disable the vehicles.
This disruptive vulnerability sheds light on the dangerous impact a seemingly innocent device can have if compromised, including actual physical danger as well as unsafe tracking information accessed by an unknown amount of people. The technology individuals use daily, even if it feels as harmless and normalized as the GPS tracker in your car, can be subject to life-altering consequences from a cyber attack.
The MiCODUS technology is also used by corporate supply chain fleets, law enforcement agencies, military organizations, and government agencies. BitSight identified organizations in the oil and gas sector, Fortune 50 technology companies, and a nuclear power plant operator as just some of the organizations and industries using MiCODUS devices.
The compromise of one IoT device can impact an entire organization, as well as its supply chain of connected networks. This can result in delays in operations and financial loss far beyond just the impacted device.
How to protect yourself (and your network)
Organizations are not helpless against the threats introduced by IoT devices. Continuously monitor your entire attack surface, and network of vendors, to maintain the most up-to-date view of the vulnerabilities threatening your network. Utilize technology that provides a daily-updated view of your network so you don’t have to rely on vendors to report out when a breach occurs.
While you may not have an alert system in place for seemingly insignificant IoT devices like the MiCODUS technology, find a data and analytics provider like BitSight that can help identify where a vulnerability might be present in your network as soon as it is made public.
To learn more about BitSight’s GPS vulnerability research and how BitSight can help organizations and third party managers reduce IoT device cyber risk, visit the report summary page.