Security researchers discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and takeover the associated vehicle.

CalAmp is a company that provides backend services for several well-known systems.

Security researchers Vangelis Stykas and George Lavdanis discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and takeover the associated vehicle.

The experts were searching for security vulnerabilities in the Viper SmartStart system, a device that allows users to remotely start, lock, unlock, or locate their vehicles directly using a mobile app on their smartphones.

As with many other mobile applications, it used secure connections with SSL and Certificate Pinning (Hard-code in the client the certificate is known to be used by the server) to automatically reject a connection from sites that offer bogus SSL certificates.

The experts noticed that the app was connecting to mysmartstart.com domain and also to the third party domain (https://colt.calamp-ts.com/), it is the Calamp.com Lender Outlook service.

The experts discovered that using the credentials for the user created from the viper app it was possible to login the panel.

“This panel seemed to be the frontend for Calamp.com Lender Outlook service. We tried our user created from the viper app, to loginand it worked!” reads the blog post published by Stykas.

“This was a different panel which seemed to be targeted to the companies that have multiple sub-accounts and a lot of vehicles so that they can manage them.” 

Further tests allowed the researchers to verify that the portal was secured, but during the assessment, the experts discovered that the reports were delivered by another dedicated server running tibco jasperreports software.

This was the first time the experts analyzed this type of server, they had to improvise and after removing all parameters they discovered they were logged in as a user with limited rights but with access to a lot of reports.

“None of us were familiar with that so we had to improvise. Removing all the parameters we found out that we were already logged in with a limited user that had access to A LOT of reports.” continues the report.

“We had to run all those reports for our vehicles right? Wellthe ids for the user was passed automatically from the frontend but now we had to provide them from the panel as an input.And…well..we could provide any number we wanted.”

The researchers gained access to all the reports for all the vehicles (including location history), and also data sources with usernames (the passwords were masked and there was no possibility to export them).

The server also allowed for the copying and editing any existing reports.

“We could not create a report or an adhocor pretty much anything else, but we could copy paste existing ones and edit them so we can do pretty much anything.Wecould also edit the report and add arbitrary XSS to steal information but this was not something that we (or anyone in their right lawful mind) would want to do.” continues the report.

The availability of all production databases on the server, including CalAmp connect device outlook, was exploited by the researchers to take over a user account via the mobile application. If the attacker knows the older password for the account can simply walk to the car, unlock it, start the engine, and possibly steal the vehicle.

According to the experts the exploitation of the flaw could allow:

  • Wellthe very obvious just change the user password to a known one go to the car, unlock, start and leave.
  • Get all the reports of where everyone was
  • Stop the engine while someone was driving ?
  • Start the engine when you shouldn’t.
  • Get all the users and leak.
  • As we haven’t actually seen the hardware we might be able to pass can bus messages thoughthe app ?
  • Get all the IoT devices from connectdatabase or reset a password there and start poking around.
  • Really the possibilities are endless…

The experts reported the issue to CalAmp at the beginning of May 2018, and the company addressed the flaw in ten days.

Pierluigi Paganini