Vulnerabilities in a popular GPS tracker made in China and used around the world could allow hackers to disrupt vehicles, cut off their fuel and surveil drivers’ movements, according to new research.

Boston-based BitSight Technologies said its discovery of several “severe” vulnerabilities in the Micodus MV720 tracker affects consumers, private companies and government agencies alike – placing them at a “high risk” of personal injury, vehicle disablement and supply-chain disruption. Researchers believe 1.5 million Micodus devices are in use in more than 160 countries.

The US Department of Homeland Security issued several warnings on July 19 about the flaws. Micodus didn’t immediately respond to emails and phone calls seeking comment from Bloomberg News since early Monday.

In a statement, Eric Goldstein, executive assistant director for the Cybersecurity Infrastructure Security Agency, a division of DHS, said the agency is not aware of any active exploitation of the vulnerabilities that were identified. The agency encouraged specialists like product integrators to “implement mitigation measures”, he said.

GPS trackers used in fleet management can monitor the location of a company’s vehicles. They also can be anti-theft devices, allowing company employees to remotely cut the gas to stymie a carjacker or monitor its fuel consumption, for instance. But if hackers gain access to that same device, they, too, can stop vehicles or track their whereabouts.

The vulnerabilities would allow a bad actor in multiple situations to “easily gain complete control over any GPS tracker of this type”, said Pedro Umbelino, BitSight’s principal security researcher. Some of the vulnerabilities, BitSight said, were rated a 9.8 out of a possible 10, the most severe.

BitSight urged those who have the trackers, which sell for about US$20 (RM89) online, to stop using them until a fix is made available. BitSight said it made repeated attempts to share information about the flaws with the Shenzhen, China-based firm dating back to September 2021 but was “disregarded”, the company said.

BitSight says the trackers are deployed by major firms in the energy, aerospace and technology sectors, as well as an unidentified national government in Western Europe and a national military in Eastern Europe.

Researchers found that Ukraine had the most Micodus GPS trackers in all of Europe, used by a state-owned transportation system and a top bank in Kyiv. That raises the spectre that Russian operatives could exploit those flaws, allowing them to track or disable vehicles amid its months-long war against Ukraine.

“The vulnerabilities discovered by BitSight can directly impact our physical world, potentially resulting in disastrous consequences for individuals and organisations if not addressed,” said BitSight chief executive officer Stephen Harvey. “Our research highlights why it is critical for organisations to consider Internet-of-Things devices in cyber-resilience efforts.” – Bloomberg