Tag Archive for: china

GPS Tracker Made in China Conduit for Vehicle Hacking

6 Vulnerabilities Detected With No Available Patch

Severe vulnerabilities in a popular GPS tracking device made in China could allow hackers to remotely surveil vehicles’ locations and shut down their engines, say security researchers in a warning echoed by the U.S. government.

Cybersecurity firm BitSight says it uncovered six vulnerabilities in a hard-wired GPS tracker made by MiCODUS. Boston-based BitSight estimates there are 1.5 million active tracking devices made by the Shenzhen-based manufacturer deployed across the globe, used by 420,000 different customers in more than 160 countries.

Organizations identified by BitSight as using trackers include a Fortune 50 energy company, a national military in South America, a nuclear power plant operator and a state on the east coast of the United States.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, a former presidential adviser on cybersecurity.

The firm estimates that Russia has the greatest number of vulnerable devices and is among the top three countries by number of users.

The vulnerabilities include a hard-coded master password and the acceptance of SMS-based commands that can be executed without authentication. No patches are available, leading the U.S. Cybersecurity and Infrastructure Security Agency to advise that the trackers be isolated from internet connectivity. The agency says it is not aware of any active exploitation of the vulnerabilities.

MiCODUS is a maker of automotive tracking devices designed for vehicle fleet management and theft protection for consumers and organizations. It did not immediately respond to a request for comment.

The company’s MV720 model – the subject of the BitSight and CISA advisory – supports all vehicles and has a function to cut off fuel supply, according to its


China Fines Didi $1.2 Billion as Tech Sector Pressures Persist

The authorities in China on Thursday fined the country’s ride-hailing giant, Didi, $1.2 billion for data security violations, the latest in a string of regulatory actions that have laid low China’s once-soaring internet sector.

The penalty, announced by China’s internet regulator, the Cyberspace Administration of China, ended a yearlong investigation into the data practices of the ride-sharing giant that spoiled a blockbuster listing in the United States and ultimately led to a decision to delist from the New York Stock Exchange. The regulator said it would also fine two top executives at the company.

The firm violated several Chinese data security laws, the regulator said, by collecting millions of addresses, phone numbers, images of faces, and other data.

The eye-watering fine most likely clears the way for the onetime Wall Street darling to list its shares in Hong Kong. But the regulator’s announcement did not say whether it would allow Didi to put its app back on Chinese app stores and restore its ability to register new users. The government had imposed those restrictions on Didi’s operations last July as part of its investigation.

The fine broadly matched penalties paid out by other Chinese internet giants, in terms of the share of the companies’ annual revenue, during a nearly two-year regulatory crackdown on the sector.

Some analysts have argued there are signs that a frenzied period of rule-making and harsh enforcement by China’s regulators may be on the wane. Even so, more government oversight and a willingness to punish China’s innovation leaders appears to have become the new normal. In this month alone, China’s antitrust regulator punished Didi and other internet firms for failing to report mergers for antimonopoly review, while the country’s central bank fined Didi for mishandling customer data.

In a long list of infractions that included excess collection of data, the Cyberspace Administration of China singled out Didi’s chief executive and founder, Cheng Wei, and its president, Jean Liu. Each was fined roughly $150,000.

“Didi’s illegal operations have brought serious security risks to the security of the country’s key information…


Government Databases Invite Privacy Abuse in China and the U.S.

As snoop-tastic as China’s regime is, it’s tempting to gloat a bit when the country suffers a massive data breach of its own that dwarfs the leaks it inflicts on other countries. But regular Chinese citizens have been compromised, not just the government officials who spy on their own people and hack into foreign databases. More remarkably, this is only one of many incidents that illustrate the dangers of the surveillance state’s appetite for gathering and hoarding sensitive information under any flag.

“A massive online database apparently containing the personal information of up to one billion Chinese citizens was left unsecured and publicly accessible for more than a year – until an anonymous user in a hacker forum offered to sell the data and brought it to wider attention last week,” CNN reported July 5.

That a massive treasure trove of personal details was placed online with minimal protection, reportedly by Shanghai’s police, makes an awful sort of sense. China’s regime has little regard for anybody’s privacy and is imposing an increasingly sophisticated surveillance-and-control state. Why wouldn’t officials prioritize their own ease of access over concerns about identity theft and the personal fallout from sticking data that includes criminal records online?

Then again, you’d think China’s officialdom might be a little more security-conscious given how much effort they expend on stealing other people’s data.

In May 2014, the U.S. Justice Department charged Chinese military hackers with spying on American corporations. Months later, news reports revealed that hackers working for the Chinese government had penetrated U.S. government servers looking for information on federal employees.

In July 2020, the feds indicted more Chinese government hackers for their part in “a hacking campaign lasting more than 10 years to the present, targeting companies in countries with high technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.” In September of the same year, the U.S. Cybersecurity and Infrastructure Security Agency announced that hackers…


China Censors What Could Be Biggest Data Hack in History

Photo: NOEL CELIS/AFP (Getty Images)

Chinese censors are working overtime to clamp down on news that the data they’ve siphoned from their citizens over the years is apparently out there and is being sold for less than the anticipated cost of a Tesla Roadster.

On Monday, reports showed that a hacker only identified as “ChinaDan” told members of the hacker site Breach Forums that he had acquired 23 terabytes of data on 1 billion Chinese citizens, according to Reuters. It’s data he’s willing to part with for the right price. How much is 1 billion people’s personal data worth? Apparently just 10 bitcoin, or approximately $200,000.

The post said that the data trove came from a leaked version of the Shanghai National Police database. ChinaDan’s original post included a sample of 250,000 citizens’ info, but that sample size was apparently later increased to 750,000. BleepingComputer included an image of the forum post, which reads: “Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”

The leak has drawn a fair bit of criticism and claims that it is probably exaggerated, especially considering that the total number of records in this Shanghai police database would be just 400 million shy of the total population of all of China, 1.4 billion.

The Chinese government has not made any official mention about the hack to reporters, in public, or online. Further reports have displayed just how much Beijing doesn’t want its citizens talking about the breach. The Financial Times reported that government censors have taken down posts on Chinese social media that dared even mention the alleged leak.

FT wrote that Weibo, essentially China’s version of Twitter, and WeChat were already censoring any mention of hashtags containing “data leak” or “database breach.” Censors blocked existing posts and even reportedly asked at least one poster with a big follower-base to come in for questioning. The NYT reported that Chinese state media has been mum on news of the hack.

The hacker wrote that the data was taken from cloud computer firm Aliyun which…