Severe vulnerabilities in a popular GPS tracking device made in China could allow hackers to remotely surveil vehicles’ locations and shut down their engines, say security researchers in a warning echoed by the U.S. government.

See Also: OnDemand | Zero Tolerance: Controlling The Landscape Where You’ll Meet Your Adversaries

Cybersecurity firm BitSight says it uncovered six vulnerabilities in a hard-wired GPS tracker made by MiCODUS. Boston-based BitSight estimates there are 1.5 million active tracking devices made by the Shenzen-based manufacturer deployed across the globe that are used by 420,000 different customers in more than 160 countries.

Organizations identified by BitSight as using trackers include a Fortune 50 energy company, a national military in South America, a nuclear power plant operator and a state on the east coast of the United States.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, a former presidential adviser on cybersecurity.

The firm estimates Russia is the country with the greatest number of vulnerable devices and in the top three of countries with the most users.

The vulnerabilities include a hard-wired master password and vulnerability to SMS-based commands that can be executed without authentication. There are no patches, leading the U.S. Cybersecurity and Infrastructure Security Agency to advise that the trackers be isolated from internet connectivity. The agency is not aware of any active exploitation of the vulnerabilities.

MiCODUS is a maker of automotive tracking devices designed for vehicle fleet management and theft protection for consumers and organizations. It did not immediately respond to a request for comment.

The company’s MV720 model – the subject of the BitSight and CISA advisory – supports all vehicles and has a function to cut off fuel supply, according to its