
The use of this GPS could potentially compromise millions of vehicles

  • The MiCODUS MV720 device, a popular vehicle GPS tracker, was discovered to have six vulnerabilities, possibly exposing 1.5 million vehicles in 169 countries.
  • Telematic devices are considered to be the most prevalent attack vector for vehicles since they may be accessed remotely by data networks or SMS.

Understanding people’s fleet needs and how they might profit most from emerging technologies is valuable in the field of transportation technology. This is where the use of a global positioning system (GPS) comes in, as it offers much more than just dots on a map. Given that it offers faster services, quicker delivery, and shipment tracking, it has become crucial for fleet managers to keep ahead of the curve.

The world is becoming more intricate and connected every day. The Asia Pacific GPS market is projected to grow at a 22.5% CAGR during the forecast period (2019-2025), driven by the rising deployment of GPS technology in smartphones, tablets, networking devices, IoT devices, and connected vehicles.

Even though GPS is useful to people, it also has a drawback that might seriously jeopardize their data.

A popular vehicle GPS tracker, the MiCODUS MV720 device, was recently discovered to have six vulnerabilities, potentially compromising 1.5 million vehicles across 169 countries. By taking advantage of the vulnerabilities, hackers may use the GPS trackers to follow vehicles, manipulate data, collect information, or even immobilize a vehicle. The shocking part is that many Fortune 50 firms, a military organization in South America, a nuclear plant operator, and governments in Europe and the US all utilize the well-known GPS tracker.

The vendor of the tracker has not yet made a fix available. It is recommended that users either switch to actively supported GPS trackers or immediately disable these devices until a fix is available.

In response to the vulnerability in this GPS tracker, Tech Wire Asia got the chance to speak with Debrup Ghosh, Senior Product Manager, Synopsys Software Integrity Group, to get his thoughts on the incident.

First and foremost, security needs to be part of the larger architectural design. Very often, security is overlooked as part of the software development life cycle, hence architectural analysis and threat modeling should be leveraged to evaluate potential security risks. It’s also important to complement the architectural analysis and threat modeling with penetration testing to discover vulnerabilities that may be introduced inadvertently into production systems.

For developers, it is important to instill safe coding practices, including designing safety into the operations of the device, offering backups, and preventing shutdowns that could impact the safety of the driver as well as other vehicles on the road. Second, telematics devices provide the most common attack vector for the vehicle, as they can be remotely accessed either using data networks or SMS. The primary security challenge with the controller area network (CAN) bus is that any device on the bus can send messages to any recipient.

A large number of ingress points present a unique challenge for trucks, so filtering out unexpected signals as part of the design should be a key component to consider. This limits CAN bus access and whitelists CAN messages that specific ports can receive. Hence, the attack can be focused on several sources including the GPS device, which is linked to the internet via cellular and/or satellite, and to the vehicle ECU using the CAN bus. The principle of least privilege should also be incorporated into the design in combination with authentication and access controls between applications and services using common design principles such as role-based access controls, two-factor authentication for mobile apps, and appropriate levels of encryption protection.

Third, vulnerability management needs to become a key part of the DNA of the SDLC to operationalize DevSecOps and respond appropriately, quickly, and efficiently to incidents, vulnerabilities, and exploits. It is important to implement secure over-the-air (SOTA) updates to quickly patch security vulnerabilities, while not risking opening additional attack vectors while loading updates, configurations, or other data packets from the internet. Both trucking companies, as well as GPS/Fleet management vendors, need to take a proactive approach toward cyber security.

Finally, penetration testing is necessary for these devices. These tests allow cyber security experts to detect vulnerabilities and assess the overall strength of an organization’s defense by simulating the actions of an attacker. Often attackers target software deployment vulnerabilities, such as configurations, policy management, and gaps in interactions among multiple threat detection tools, to exploit security gaps. IoT devices can have several types of interfaces: web-based interfaces for consumers, or object interfaces for governance-as-code type applications such as control systems. Hence input validation, command injection, and code injection should be a primary focus of penetration testing of IoT devices.

Further, network infrastructure interconnecting IoT objects can often be vulnerable and for IoT devices on a single network, malicious attacks need only a single exploit to be successful. It is important to use both automated tools and manual penetration testing methods to do complete specialized penetration testing on the network infrastructure, associated cryptographic schemes, and communication protocols.
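
The per-port CAN allowlisting described in the interview above, sketched as an added example; it is not code from the article, the tracker vendor, or Synopsys. The gateway port names, the 0x5A0/0x5A1 identifiers, and the policy table are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Ingress ports of a hypothetical gateway ECU (names are assumptions). */
enum port { PORT_TELEMATICS, PORT_DIAGNOSTIC, PORT_COUNT };

struct can_frame_in {        /* simplified classic CAN frame */
    uint32_t id;             /* 11-bit identifier */
    uint8_t  dlc;            /* payload length, 0..8 */
    uint8_t  data[8];
};

struct rule {                /* one allowlisted message for one ingress port */
    enum port port;
    uint32_t  id;
    uint8_t   dlc;           /* exact payload length expected */
};

/* Constructed policy: the tracker port may publish position and heartbeat
 * frames only; it has no rule that lets it address powertrain or body ECUs. */
static const struct rule ALLOWLIST[] = {
    { PORT_TELEMATICS, 0x5A0, 8 },  /* constructed: GPS position report */
    { PORT_TELEMATICS, 0x5A1, 2 },  /* constructed: tracker heartbeat   */
    { PORT_DIAGNOSTIC, 0x7DF, 8 },  /* OBD-II functional request        */
};

/* Default deny: forward a frame to the vehicle bus only when the ingress
 * port, identifier and length all match a single allowlist rule. */
bool gateway_permits(enum port from, const struct can_frame_in *f)
{
    if (f == NULL || (unsigned)from >= PORT_COUNT)
        return false;
    if (f->id > 0x7FF || f->dlc > 8)     /* not a valid 11-bit frame */
        return false;
    for (size_t i = 0; i < sizeof ALLOWLIST / sizeof ALLOWLIST[0]; i++) {
        const struct rule *r = &ALLOWLIST[i];
        if (r->port == from && r->id == f->id && r->dlc == f->dlc)
            return true;
    }
    return false;                        /* anything unexpected is dropped */
}
```

Because the rule is keyed on the ingress port as well as the identifier, a frame that is legitimate on one port is still dropped when it arrives on another.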