Vehicle fleet managers that use CalAmp's LMU 3030 OBD-II devices should make sure that SMS messaging is either password-authenticated or disabled altogether.
Vehicle fleet managers that use CalAmp's LMU 3030 OBD-II devices should make sure that SMS messaging is either password-authenticated or disabled altogether.

Certain on-board diagnostics devices used by fleet managers were recently deployed without authentication protections for the SMS text messaging interface – a vulnerability that could allow attackers to take command of these "OBD-II" standard devices or even upload malware that could sabotage a vehicle's systems.

In a vulnerability advisory on Thursday, the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute advised companies using LMU 3030 devices from communications equipment company CalAmp to either set their own passwords or disable SMS. Affected vendors have already been notified and in all cases, the SMS interfaces were subsequently disabled or password protected.

An attacker looking to exploit the vulnerability, which was officially designated CVE-2017-3217, "only needs to know the phone number of the device (via an IMSI Catcher, for example) to send administrative commands to the device," the advisory explains. These commands would then give the adversary real-time, continuous access to the device, allowing him to configure IP addresses, firewall rules and passwords, or even upload malware onto older versions of firmware. In such an instance, the malware could potentially compromise a vehicle's CAN bus, the network that allows various microcontrollers and devices to communicate.

CalAmp has provided SC Media with the following statement: "CalAmp takes the security of our telematics devices very seriously. Our security commitment extends to providing customers with best-in-class security feature enhancements, and world-class applications support to combat any system level security vulnerabilities. The CERT vulnerability note... highlights a potential vulnerability for customers who have chosen not to use passwords. These customers are advised to comply with the CERT recommended solutions including the use of passwords, and to update to the latest device firmware to take advantage of enhanced security features.

"In addition to recommending the use of passwords and the use of security features that CalAmp builds into its products, CalAmp continually monitors the latest security trends and works with experts and authorities to ensure that we meet or exceed industry standards for protection," the statement continues.

UPDATE 6/14: The story has been updated to include a statement from CalAmp.