Understand the Risk: SinoTrack GPS Devices’ Default Passwords May Allow Unauthorized Remote Vehicle Control
Security Agency (CISA) warned in an advisory.
Introduction:
Unpatched SinoTrack GPS Vulnerabilities
The vulnerabilities exist in the SinoTrack ST-900 and ST-915 GPS tracking hardware, which uses default passwords to secure access to the device.
SinoTrack provides vehicle tracking solutions for companies and individuals worldwide.
However, these security vulnerabilities bring to light a severe threat to vehicle owners and connected fleet management companies.
Technical Overview
Dr. Oliver Matula from ERNW Enno Rey Netzwerke, who discovered these vulnerabilities, said the issues could be classified into two categories.
The first is an improper password validation vulnerability (CVE-2021-3979).
It allows an attacker to bypass password authentication, granting unauthorized access to the GPS tracker via the Hypertext Transfer Protocol (HTTP) interface.
The second is a hard-coded credentials vulnerability (CVE-2021-3980).
It allows a malicious actor to gain unauthorized access using the default credentials that are embedded in the firmware of the GPS device.
Potential Impacts
The presence of these vulnerabilities enables cyber-attackers to hijack vehicles remotely, turning on alarms, disabling the engine and more.
They could also potentially use the compromised systems as stepping stones to breach an organization’s broader network.
Real-World Example:
Hacking into SinoTrack-equipped vehicles
In a real-world scenario, an attacker could use a simple HTTP client, like a web browser, to send requests to the GPS device’s IP address.
Because the vulnerable GPS devices expose their web interface on port 5019, the attacker could easily gain control by exploiting the security gaps.
Advice to Professionals:
Preventing potential attacks
CISA and ERNW have urged users to change all default passwords, emphasizing the importance of unique, complex passwords.
Minimizing network exposure for all control system devices and making sure that they are not accessible from the internet is also paramount.
If remote access is necessary, secure methods like Virtual Private Networks (VPNs) should be used.
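One way to check the exposure advice above against firewall flow records, as an added example that is not part of the original article: it flags connections to the trackers' port 5019 that do not arrive over the VPN. The log format, the VPN pool 10.8.0.0/24 and the tracker subnet 192.168.50.0/24 are assumptions, and the sample records are constructed.

```python
import ipaddress

TRACKER_WEB_PORT = 5019  # web interface port named in the article
# Assumptions for this example: the VPN pool and the trackers' own subnet.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]
TRACKER_NETS = [ipaddress.ip_network("192.168.50.0/24")]
# Constructed flow records: timestamp, source, destination, dest port, action.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.8.0.14 192.168.50.21 5019 ALLOW
2024-05-01T10:00:07Z 203.0.113.45 192.168.50.21 5019 ALLOW
2024-05-01T10:01:12Z 198.51.100.9 192.168.50.22 5019 DENY
2024-05-01T10:02:30Z 203.0.113.45 192.168.50.21 443 ALLOW
malformed line
2024-05-01T10:03:00Z 192.168.50.77 192.168.50.22 5019 ALLOW
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def classify(src, action):
    """Return a finding label, or None when the flow matches policy."""
    if _in_any(src, VPN_NETS):
        return None  # remote access over the VPN is the intended path
    if action != "ALLOW":
        return "blocked-attempt"  # firewall refused it; still worth reviewing
    if _in_any(src, TRACKER_NETS):
        return "internal-non-vpn"  # reachable from a neighbouring host
    return "internet-exposed"  # accepted from outside VPN and local ranges

def audit(log_text):
    """Scan flow records and return (findings, skipped_line_count)."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, action = line.split()
            src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            skipped += 1  # wrong field count or unparsable address/port
            continue
        if port != TRACKER_WEB_PORT or not _in_any(dst, TRACKER_NETS):
            continue  # not traffic to a tracker's web interface
        label = classify(src, action.upper())
        if label:
            findings.append((ts, str(src), str(dst), label))
    return findings, skipped

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS)[0]:
        print(*finding)
```

Any `internet-exposed` finding means a tracker's web interface accepted a connection from outside the VPN, which is the condition the advice above asks operators to eliminate.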
Conclusion:
Addressing IoT Security Risks
SinoTrack’s vulnerabilities are a potent reminder of the security risks that come with Internet of Things (IoT) devices.
They underline the need for organizations and individuals to take IoT security seriously and adopt best practices to keep these devices secure.
Follow-Up Reading
For more detailed, technical information on these vulnerabilities, you can check out the following references: