Network Security, Vulnerability Management

CalAmp vehicle diagnostics devices deployed without SMS authentication protections

Certain on-board diagnostics devices used by fleet managers were recently deployed without authentication protections for the SMS text messaging interface – a vulnerability that could allow attackers to take command of these "OBD-II" standard devices or even upload malware that could sabotage a vehicle's systems.

In a vulnerability advisory on Thursday, the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute advised companies using LMU 3030 devices from communications equipment company CalAmp to either set their own passwords or disable SMS. Affected vendors have already been notified and in all cases, the SMS interfaces were subsequently disabled or password protected.

An attacker looking to exploit the vulnerability, which was officially designated CVE-2017-3217, "only needs to know the phone number of the device (via an IMSI Catcher, for example) to send administrative commands to the device," the advisory explains. These commands would then give the adversary real-time, continuous access to the device, allowing him to configure IP addresses, firewall rules and passwords, or even upload malware onto older versions of firmware. In such an instance, the malware could potentially compromise a vehicle's CAN bus, the network that allows various microcontrollers and devices to communicate.

CalAmp has provided SC Media with the following statement: "CalAmp takes the security of our telematics devices very seriously. Our security commitment extends to providing customers with best-in-class security feature enhancements, and world-class applications support to combat any system level security vulnerabilities. The CERT vulnerability note... highlights a potential vulnerability for customers who have chosen not to use passwords. These customers are advised to comply with the CERT recommended solutions including the use of passwords, and to update to the latest device firmware to take advantage of enhanced security features.

"In addition to recommending the use of passwords and the use of security features that CalAmp builds into its products, CalAmp continually monitors the latest security trends and works with experts and authorities to ensure that we meet or exceed industry standards for protection," the statement continues.

UPDATE 6/14: The story has been updated to include a statement from CalAmp.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.