Cyber-security researchers have discovered six severe vulnerabilities in a popular Chinese-built vehicle GPS tracker, potentially allowing hackers to track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, abruptly stop civilian vehicles on dangerous highways, and more.

Cyber-security company BitSight said the critical bugs are found in ‘MiCODUS’ GPS tracker and there are believed to be 1.5 million MiCODUS devices, across 169 countries, in use today by individual consumers, and government agencies, militaries, law enforcement, and corporations.

“Organisations identified using MiCODUS GPS trackers include a Fortune 50 energy, oil, and gas company, a national military in South America, a Fortune 50 technology company, a nuclear power plant operator, and a state on the East Coast of the US,” the researchers said in their report late on Tuesday.

The affected GPS tracking device is manufactured by Shenzhen, China-based company MiCODUS.

Consumers, militaries, law enforcement agencies, and corporations install MiCODUS GPS trackers in vehicles to monitor real-time locations and speeds, and historical routes, and to remotely cut off fuel in the event of theft.

Buy Me A Coffee

Users access a dashboard or use SMS text messaging, to send commands directly to deployed devices.

Each MV720 is sold for approximately $20 on Amazon, Aliexpress, eBay, Alibaba, and other major online retailers, making it available to anyone.

“If China can remotely control vehicles in the US, we have a problem,” said Richard Clarke, national security expert and former presidential advisor on cybersecurity.

Russian Sandworm Group Targeted Nearly 20 Ukrainian Critical Infrastructure Sites for Cyberattacks

“With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind,” he added.

Civilians, politicians, business leaders, and others could be tracked without their knowledge or consent, threatening personal safety and confidentiality. Unlawful tracking is a growing privacy concern.

Bad actors could learn the travel routes of unsuspecting home or business owners, informing planned burglaries or other criminal activities, warned researchers.

“An attacker could cut fuel to a civilian’s vehicle and deploy ransomware, demanding a ransom to return the vehicle to working condition,” they added.