Assessing the Security of GPS Theft Recovery Systems: A Laboratory Analysis of Spireon MM18 (Kahu/LoJack)

Author: Karim S., Security Expert, Kudelski IoT Security

Last year, Kudelski IoT Security Labs performed several analyses of vehicle theft recovery systems to understand their security maturity level. One of the major theft-recovery players whose technology they analyzed was Spireon, a company that offers multiple services to both consumers and car dealers through its “Kahu” solution. Note that this solution has recently been rebranded “LoJack” after Spireon acquired the name from CalAmp.

The analysis provides insight into the device security analysis process as well as a technical overview of the security issues discovered on the MM18 model, which is commonly installed in consumer vehicles. It showed that the Spireon MM18 device does not implement adequate protection at the hardware level, and that the solution was not designed with security in mind: neither authentication nor encryption is used to impede an attacker in any way. This allows an attacker with access to the device to read its data and settings, putting customers at risk of having the solution reveal their location or even prevent their car from starting. Ultimately, it also enables an attacker to tamper with the device settings or to replace the application entirely with one of their own. Well-established methods that would have prevented these attacks were available but were not implemented.

The above issues were responsibly disclosed to Spireon in June and July 2021. After extending the standard 90-day embargo period by one month at Spireon's request, the findings of this analysis are now public.

June 18th, 2021 – Initial disclosure

July 8th, 2021 – Second disclosure

August 25th, 2021 – Call with Spireon

November 30th, 2021 – Publication
