My company uses devices to provide telematics information to manage a fleet of vehicles. I found out these devices...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
may not authenticate SMS messages. What is the best way to build a layer of defense around telematics information?
It's likely your company has been using CalAmp LMU-3030 series products to provide vehicle tracking devices. They include an SMS interface on both code division multiple access (CDMA) and Global System for Mobile communication (GSM) versions.
Managers of fleets of vehicles rely on SMS messages for telematics information on road transportation, road safety, sensor outputs and vehicle maintenance history. For example, vehicles carrying temperature-sensitive drugs and food have their temperatures tracked. The company must meet regulatory compliance on quality assurance and delivery requirements.
Unfortunately, SMS messages, by default, are not password-protected; in fact, the National Institute of Standards and Technology last year recommended that SMS authentication as a second factor be deprecated.
In this case, an attacker could dial in without entering a password. Getting the phone number of the CalAmp is easy with an international mobile subscriber identity (IMSI) catcher. This is a telephony eavesdropping device used to identify users in network traffic. For GSM (and LTE networks), the phone number is provisioned in the SIM card. CDMA2000 is an analogue to a SIM card for GSM.
This password vulnerability can enable the attacker to send administrative commands to the CalAmp device. The attacker could remotely update the firmware with malicious code that could affect the controller area network bus of the vehicle. Fake IP addresses could be configured, firewall rules could be changed and passwords could be created to block the victims.
A malicious SMS message, for example, would show wrong routes, incorrect speeding data, tainted fuel consumption data and confusing maintenance history. The victim would get an alert that a driver who always wears a safety belt was not wearing it while driving. Mechanics would get engine codes to fix the wrong problem.
To build a layer of defense around telematics information, the company should:
- have password protection or disable the SMS interface;
- upgrade to the latest firmware from CalAmp; and
- work with a service provider or systems integrator in complex supply chains to make these changes.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Find out how secure cellular data transmission actually is
Discover whether or not SMS two-factor authentication is really good enough for enterprises
Learn how the internet of things and telematics pose new opportunities for insurers
Dig Deeper on Two-factor and multifactor authentication strategies
Related Q&A from Judith Myerson
Knowing what ransomware recovery methods are available is important as the threat continues to grow. Expert Judith Myerson outlines what the NIST ...continue reading
QNAP vulnerabilities in NAS enabled attackers to control devices. Expert Judith Myerson explains each of the QNAP NAS vulnerabilities and their fixes.continue reading
A vulnerability in Rufus software put some enterprise systems at risk. Expert Judith Myerson explains the flaw and the available fixes for ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.