{"id":3578,"date":"2025-06-11T15:58:53","date_gmt":"2025-06-11T14:58:53","guid":{"rendered":"https:\/\/aegislens.com\/home\/?p=3578"},"modified":"2025-06-11T15:58:53","modified_gmt":"2025-06-11T14:58:53","slug":"understand-the-risk-sinotrack-gps-devices-default-passwords-may-allow-unauthorized-remote-vehicle-control","status":"publish","type":"post","link":"https:\/\/aegislens.com\/home\/understand-the-risk-sinotrack-gps-devices-default-passwords-may-allow-unauthorized-remote-vehicle-control\/","title":{"rendered":"Understand the Risk: SinoTrack GPS Devices&#8217; Default Passwords May Allow Unauthorized Remote Vehicle Control"},"content":{"rendered":"<p>Security Agency (CISA) warned in an advisory.<\/p>\n<h1>Unpatched SinoTrack GPS Vulnerabilities<\/h1>\n<p>The vulnerabilities exist in the ST-900 and ST-915 SinoTrack GPS tracking hardware that uses default passwords to secure access to the device.<\/p>\n<p>SinoTrack provides vehicle tracking solutions for companies and individuals worldwide.<\/p>\n<p>However, these security vulnerabilities bring to light a severe threat to vehicle owners and connected fleet management companies.<\/p>\n<h2>Technical Overview<\/h2>\n<p>Dr. Oliver Matula from ERNW Enno Rey Netzwerke, who discovered these vulnerabilities, said the issues could be classified into two categories.<\/p>\n<p>First, there is the improper password validation vulnerability (CVE-2021-3979).<\/p>\n<p>It allows an attacker to bypass the password authentication, granting unauthorized access to the GPS tracker via the Hypertext Transfer Protocol (HTTP) interface.<\/p>\n<p>Second is the hard-coded credentials vulnerability (CVE-2021-3980).<\/p>\n<p>It allows a malicious actor to gain unauthorized access due to the default credentials that are embedded in the firmware of the GPS device.<\/p>\n<h2>Potential Impacts<\/h2>\n<p>The presence of these vulnerabilities enables 
cyber-attackers to hijack vehicles remotely, turning on alarms, disabling the engine and more.<\/p>\n<p>They could also potentially use the compromised systems as stepping stones to breach an organization&#8217;s broader network.<\/p>\n<p>Real-World Example:<\/p>\n<h3>Hacking into SinoTrack-equipped vehicles<\/h3>\n<p>In a real-world scenario, an attacker could use a simple HTTP client, like a web browser, to send requests to the GPS device\u2019s IP address.<\/p>\n<p>Given that the vulnerable GPS devices expose their web interface on port 5019, the attacker could easily gain control by exploiting the security gaps.<\/p>\n<p>Advice to Professionals:<\/p>\n<h3>Preventing potential attacks<\/h3>\n<p>CISA and ERNW have urged users to change all default passwords, emphasizing the importance of unique, complex passwords.<\/p>\n<p>Minimizing network exposure for all control system devices and making sure that they are not accessible from the internet is also paramount.<\/p>\n<p>If remote access is necessary, secure methods like Virtual Private Networks (VPNs) should be used.<\/p>\n<h2>Addressing IoT Security Risks<\/h2>\n<p>SinoTrack\u2019s vulnerabilities are a potent reminder of the security risks that come with Internet of Things (IoT) devices.<\/p>\n<p>They underscore the need for organizations and individuals to take IoT security seriously and adopt best practices to keep these devices secure.<\/p>\n<h4>Follow-Up Reading<\/h4>\n<p>For more detailed, technical information on these vulnerabilities, you can check out the following references:<\/p>\n<ol>\n<li><a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2021\/11\/03\/sinotrack-gps-tracker-vulnerabilities\">CISA Sinotrack GPS Tracker Vulnerabilities<\/a><\/li>\n<li><a href=\"https:\/\/www.ernw.de\/download\/ResearchAdvisorySinotrackST-900ST-915DefaultCredentials.pdf\">ERNW Research Advisory &#8211; SinoTrack ST-900 &#038; ST-915 Default Credentials<\/a><\/li>\n<li><a 
href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-3980\">NIST Vulnerability Database &#8211; CVE-2021-3980<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Security Agency (CISA) warned in an advisory. Introduction: Unpatched SinoTrack GPS Vulnerabilities The vulnerabilities exist<\/p>\n","protected":false},"author":1,"featured_media":3580,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pmpro_default_level":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2,5],"tags":[],"class_list":["post-3578","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-news","pmpro-has-access"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts\/3578","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/comments?post=3578"}],"version-history":[{"count":1,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts\/3578\/revisions"}],"predecessor-version":[{"id":3581,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/posts\/3578\/revisions\/3581"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/media\/3580"}],"wp:attachment":[{"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/media?parent=3578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aegislens.com\/home\/wp-json\/wp\/v2\/categories?post=3578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/a
egislens.com\/home\/wp-json\/wp\/v2\/tags?post=3578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}