Security researchers have discovered serious vulnerabilities in a popular GPS tracker used in more than a million vehicles worldwide.

According to researchers at security vendor BitSight, the six vulnerabilities in the MiCODUS MV720 vehicle GPS tracker, if exploited, could allow threat actors to access and control the device’s functions, including tracking the vehicle or cutting off its fuel supply. While security experts have raised concerns about the lack of security in smart, internet-enabled devices in general, the BitSight research is particularly concerning for both our privacy and security.

“Unfortunately, these vulnerabilities are not difficult to exploit,” Pedro Umbelino, principal security researcher at BitSight, noted in a press release. “Basic flaws in this vendor’s overall system architecture raise important questions about the vulnerability of other models.”

In the report, BitSight said it targeted the MV720 because it was the company’s least expensive model, offering anti-theft, fuel shutoff, remote control, and geofencing capabilities. The mobile tracker uses a SIM card to send its status and location updates to supporting servers, and is designed to receive commands from its legitimate owners via SMS.