Assessing the Security of GPS Theft Recovery Systems: A Laboratory Analysis of Spireon MM18 (Kahu/LoJack)

GPS theft recovery systems rely on a connected device installed in the vehicle. This device communicates its location at regular intervals, allowing the car owner to be notified via a smartphone application of its current location or whenever specific events occur, such as geofence entry or exit, low battery, or speed limit violations. Vehicle dealers can also use it to track and protect their vehicle inventory. To ensure the security of GPS theft recovery systems, the devices must be tamper-proof and protect the owner's data. These devices are rendered useless if their security is compromised.

Creating a secure device protects both the continued functionality of the device (tamper protection) and the privacy of the device's owner (data protection). To achieve this, it is critical to ensure that both the proper physical and cybersecurity protections are implemented to safeguard the entire lifecycle of the product. In early 2021, spurred by the alarming increase in auto theft in the U.S., Kudelski IoT Security Labs performed several vehicle theft recovery systems analyses to understand their security maturity level.

To create this level of protection, several different features need to be carefully implemented and then tested by a third-party security lab to prove they reach the required level of security. If the necessary technology is not implemented - or if it is executed incorrectly - not only can the manufacturer suffer significant harm to their business, but they can also undermine consumer confidence in theft recovery solutions as a category in general. Therefore, it is in the interest of the entire value chain that manufacturers invest enough time and effort into the security of their products, calling on experts to help where required.

One of the major theft recovery players in the United States is Spireon, which offers multiple services for consumers and car dealers through its Kahu solution. Note that this solution has recently been rebranded "LoJack" after Spireon acquired the name from CalAmp.

Kudelski's report aims to provide insights into the device security analysis process and a technical overview of the security issues discovered on the model (MM18), commonly installed in consumer vehicles.

Note: Kudelski's findings were presented to Spireon using the commonly accepted responsible disclosure methodology to give companies ample opportunity to respond to and patch security vulnerabilities. We presented our findings to Spireon, intending to help them strengthen their product and thereby the entire theft recovery ecosystem. This report is being published publicly after the expiration of the responsible disclosure period.

Summary of Findings

The following is the summary of Kudelski's findings following a thorough analysis of the MM18 device at their IoT Security Labs in Switzerland.

• There is no physical or hardware security present to prevent tampering with the device
• The device’s position can be easily ascertained once the MSISDN of the SIM card is known
• Other MSISDNs (“Mobile Station International Subscriber Directory Number”, the technical term for the mobile phone number) were easily discovered by probing contiguous phone numbers with simple text commands
• There is no authentication or encryption used to prevent malicious changes to firmware
• The device can be made to report a false position to its owner or law enforcement

For a video summary of these findings, please click.

Conclusion

Kudelski's analysis demonstrates that the Spireon MM18 device does not implement the proper protection at a hardware level. The solution was not created with security in mind since neither authentication nor encryption has been used to impede attackers in any way. This, in turn, allows attackers to gain a level of access to the device and its data, putting customers at risk that the solution will reveal their location or even prevent their car from starting. Ultimately, this enables attackers to tamper with the device settings or replace the application to their needs. Well-established methods to prevent these attacks could have been implemented to prevent these risks but were not.

This is a summary of Kudelski's analysis of the Spireon MM18. You can find the full report here.