Due to a misconfigured server, CalAmp allowed anyone to access account data
CalAmp Corp. is an Internet of Things solution provider headquartered in Irvine, California, which provides back-office services for many well-known automotive anti-theft systems. Security researchers recently discovered that a server operated by CalAmp was misconfigured in a way that allowed anyone to directly access and modify its database, and even to take over user accounts and vehicles.
Security researchers Vangelis Stykas and George Lavdanis discovered this security vulnerability when searching for problems in the Viper SmartStart system, which allows users to remotely start, lock, unlock, or locate their vehicles directly from their smartphones, smartwatches, or wristbands.
The Viper SmartStart application uses an SSL connection and prevents tampering with that connection by using SSL pinning. On its face the application should therefore have been well protected, but the researchers found that it connected not only to the mysmartstart[.]com domain but also to a third-party domain, colt.calamp[.]com.
That domain belongs to CalAmp. Judging from its web content, the panel is the front end of a service called “Lender Outlook”, aimed at companies that hold multiple Viper SmartStart sub-accounts and a large number of vehicles and need to manage them more systematically. The researchers tried logging in with the username and password of their Viper SmartStart application account, and the credentials were accepted.
Although all data on that domain was properly protected, all of its reports were served by a second server running Tibco JasperReports. After stripping all the parameters from the request, the researchers found that, even though the account they had logged in with had limited privileges, they could access a variety of reports.
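The failure mode described above, a reporting backend that scopes results by the filter parameters the front end sends rather than by what the authenticated account is allowed to see, can be illustrated with a small model. The following is an added example written for this article; it is not CalAmp's or JasperReports' code, and the account names, report IDs and `Session`/`Forbidden` types are constructed for illustration. It shows the vulnerable pattern beside a hardened handler that derives the scope from the server-side session and also requires an admin role before a report may be edited.

```python
"""Server-side authorization for report access (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (not real CalAmp data): reports owned by two lender accounts.
REPORTS: Dict[str, Dict[str, str]] = {
    "r1": {"account": "acct-A", "title": "Fleet summary A"},
    "r2": {"account": "acct-A", "title": "Overdue vehicles A"},
    "r3": {"account": "acct-B", "title": "Fleet summary B"},
}


@dataclass(frozen=True)
class Session:
    """Authenticated session. `account` and `role` are fixed server-side at login."""
    user: str
    account: str
    role: str  # "viewer" or "admin"


class Forbidden(Exception):
    """Raised when the session is not allowed to perform the request."""


def list_reports_vulnerable(session: Session, params: Dict[str, str]) -> List[str]:
    """Scopes results only by the client-supplied 'account' filter.

    The session proves who the caller is but is never consulted for what they
    may see, so a request with the filter removed returns every report.
    """
    account = params.get("account")
    return [rid for rid, r in REPORTS.items()
            if account is None or r["account"] == account]


def list_reports_hardened(session: Session, params: Dict[str, str]) -> List[str]:
    """Derives the scope from the session; a client filter may only match it.

    A missing filter falls back to the session's own account instead of to
    'everything', and a filter for another account is rejected outright.
    """
    requested = params.get("account", session.account)
    if requested != session.account:
        raise Forbidden(f"{session.user} may not read account {requested}")
    return [rid for rid, r in REPORTS.items() if r["account"] == session.account]


def edit_report_hardened(session: Session, report_id: str, new_title: str) -> bool:
    """Allows an edit only by an admin of the account that owns the report.

    Returns False for an unknown report and raises Forbidden when the caller
    lacks either the role or the ownership; ownership alone is not enough.
    """
    report = REPORTS.get(report_id)
    if report is None:
        return False
    if session.role != "admin" or report["account"] != session.account:
        raise Forbidden(f"{session.user} may not edit {report_id}")
    report["title"] = new_title
    return True


if __name__ == "__main__":
    viewer = Session("alice", "acct-A", "viewer")
    print("vulnerable, no filter:", list_reports_vulnerable(viewer, {}))
    print("hardened, no filter:  ", list_reports_hardened(viewer, {}))
```

The point of the hardened variant is that removing or altering request parameters can only narrow what a caller sees, never widen it, because the authoritative scope lives in the session rather than in the request.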
“We could not create a report or an ad hoc or pretty much anything else, but we could copy-paste existing ones and edit them so we can do pretty much anything. We could also edit the report and add arbitrary XSS to steal information but this was not something that we (or anyone in their right lawful mind) would want to do.”
The researchers also stated that, as long as they knew a user’s old password, they could change it through the Viper SmartStart application and fully take over the account. Since a user can perform a range of operations on their car through Viper SmartStart, a compromised account puts the vehicle itself within reach of an attacker.
The researchers reported the issue to CalAmp earlier this month, and the company fixed it within 10 days of receiving the report. CalAmp also updated its website to make it easier for security researchers to report other vulnerabilities they discover in CalAmp products.
Source, Image: securityaffairs