Two critical security flaws have been identified in SinoTrack GPS devices, potentially allowing attackers to remotely control certain vehicle functions and monitor vehicle locations. These vulnerabilities impact the SinoTrack IoT PC Platform across all versions and could be exploited via the platform’s web management interface without requiring proper authorization.
According to a recent advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), one vulnerability (CVE-2025-5484, CVSS score 8.3) arises from the use of a default password combined with a username that is simply an identifier printed on the device. The second flaw (CVE-2025-5485, CVSS score 8.6) further weakens security by relying on numerical identifiers no longer than 10 digits for authentication.
These identifiers can be easily obtained through physical access or by examining images of the devices posted on online marketplaces such as eBay. Attackers could then use these identifiers to systematically generate new targets, either by slight modifications to known IDs or by testing random numerical combinations.
Security researcher Raúl Ignacio Cruz Jiménez, who reported the issues, warned that the vulnerabilities enable remote command execution, giving attackers the ability to interfere with vehicle systems—such as disabling fuel pumps where applicable—and to harvest personal and vehicle-related data. He described the devices as fundamentally insecure due to their weak authentication mechanisms.
As of now, no official patches have been released to fix the issues. CISA recommends that users immediately change the default passwords and ensure device identifiers are not publicly visible. If device stickers can be seen in online images, users should remove or replace those pictures to reduce the risk of exploitation.
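The two weaknesses described above, a short numeric identifier doubling as the username and a default password, leave defenders with two practical checks: spotting enumeration of identifiers in the platform's login audit trail, and refusing credentials that still match the device-printed identifier or the shipped default. The following is an added example written for this article, not code from SinoTrack or CISA; it assumes a hypothetical audit line format of `client_ip user_id result` and a placeholder default password, both constructed here.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in a hypothetical "client_ip user_id result"
# format; they are not output of the SinoTrack platform. The first client walks
# consecutive 10-digit identifiers plus a couple of random ones; the second is a
# single device logging in normally.
SAMPLE_LOG = """\
203.0.113.10 1234567890 FAIL
203.0.113.10 1234567891 FAIL
203.0.113.10 1234567892 FAIL
203.0.113.10 1234567893 OK
203.0.113.10 4481129907 FAIL
203.0.113.10 0091823311 FAIL
198.51.100.7 5550001111 OK
198.51.100.7 5550001111 FAIL
198.51.100.7 5550001111 OK
"""

# Identifiers in the advisory are numeric and at most 10 digits long.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<uid>\d{1,10}) (?P<result>OK|FAIL)$")

# Placeholder for the vendor default; the real value is not on the page.
DEFAULT_PASSWORD = "<vendor-default-placeholder>"


def parse_log(text):
    """Turn audit text into (ip, uid, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("ip"), m.group("uid"), m.group("result")))
    return events


def enumeration_suspects(events, min_distinct_ids=5, max_gap=5):
    """Flag clients that try logins across many distinct numeric identifiers.

    Returns {ip: {"distinct": n, "sequential_pairs": k}} where sequential_pairs
    counts adjacent tried IDs (sorted) that differ by at most max_gap. A high
    count is the fingerprint of "take a known ID and nudge it" probing; a high
    distinct count with few sequential pairs points at random guessing.
    """
    ids_by_ip = defaultdict(set)
    for ip, uid, _ in events:
        ids_by_ip[ip].add(int(uid))
    suspects = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_distinct_ids:
            continue
        ordered = sorted(ids)
        seq = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        suspects[ip] = {"distinct": len(ids), "sequential_pairs": seq}
    return suspects


def credential_is_guessable(device_id, password):
    """Reject the two conditions the advisory describes: password unchanged
    from the default, or password derived from the identifier printed on the
    device (which is also the username)."""
    if password == DEFAULT_PASSWORD:
        return True
    if device_id and device_id in password:
        return True
    return False


if __name__ == "__main__":
    for ip, info in enumeration_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct']} distinct IDs, "
              f"{info['sequential_pairs']} near-consecutive pairs")
    print(credential_is_guessable("1234567890", "1234567890"))
```

The enumeration check is meant to run over the platform's own login audit log, where a single client touching many identifiers is visible even though every individual attempt looks like an ordinary login; the credential check belongs in whatever workflow sets or rotates a device's password so that the CISA guidance to change defaults is enforced rather than merely recommended.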