December 14, 2018
Dear Valued Customer,
A recent disclosure by a security researcher regarding the LMU-3030 was sent to CalAmp’s Product Security team. The researcher claimed that they were able to cause an LMU-3030 to install modified/malicious firmware by redirecting it to a spoofed PULS maintenance server. CalAmp engineering and security reviewed the disclosure and have determined this was not a vulnerability, but rather the result of available security features on the 32-bit platform that were not enabled by the user.
The specific security feature is digital signature checking, which has been supported since PULS version 2.0.2.0 (released March 2017), and 32-bit firmware version 6.1c (released June 28, 2017). When activated, the device and PULS will validate digital signatures (RSA-2048/SHA-256) during a firmware update.
CalAmp recommends that all users enable the Level-1 security feature available on all of its 32-bit devices to significantly enhance the device's remote access protection. CalAmp also recommends reviewing the security application note available on the PULS Wiki, which describes how to enable the security features.
Thank you for your valued business and continued support,
The Product Management Team