IoT Device Security

Device Security Outlook

Telematics and edge devices bring a variety of benefits and efficiencies, but also uncertain vulnerabilities. Per the Gartner annual IoT survey, as of the end of 2020, over 20 billion internet-connected devices will be operating globally, a number that is expected to increase exponentially.

With this massive IoT growth, enterprise security budgets have fallen short of what is needed to secure and protect devices and assets. In the same Gartner annual IoT survey, more than 25% of identified enterprise attacks target IoT devices, while security budgets in those same companies account for less than 10%.

As a result, global data privacy laws and standards become more stringent year over year. Below are a few examples of data privacy laws and standards enacted or planned over the last decade:

Australia - Australia’s Privacy Act, February 2018

Brazil - Brazil’s Lei Geral de Proteção de Dados (LGPD), September 2020

Canada - Digital Charter Implementation Act, yet to be implemented

China - China Cybersecurity Law, June 2017

EU - General Data Protection Regulation (GDPR), May 2018

USA -

  • California Law SB-327, Jan 2020
  • California Consumer Protection Act (CCPA), Jan 2020
  • Massachusetts Security Regulation 201 CMR 17.00, March 2010
  • Nevada Security and Privacy of Personal Information Law, May 2019

Device Password Manager Deployment

CalAmp’s Device Password Manager Service will address key security threats/challenges by preventing unauthorized device access. It not only enhances device security but also protects the device and any information contained therein from destruction, use, modification, or disclosure.

CalAmp will be releasing the Device Password Manager Support for product lines in an iterative/phased manner.

The first bulletin, detailing CalAmp’s Phase 2 plan, can be found here

Throughout Phase 2, CalAmp will introduce Device Password Manager support for additional product lines as they are validated, in iterative bulletins (Phase 2.2, 2.3, 2.4, etc.).

Phase 2.1 for the affected devices is scheduled to roll out in August 2021.

Device Password Overview

On LMU8 and older firmware on other platforms, the password is specified in Parameter 2177, Index 0 ("P2177,0") and enabled when S-Register 171 bit 4 ("S171b4") is set.  If S171b4 is clear, P2177,0 is "just another Short String".  P2177,0 can be up to 15 characters. 

On newer firmware, the password is stored in non-volatile memory as a secured password.  With this firmware, the AT#PW command can be used locally to change/clear the password.  The password cannot be changed via SMS.

At boot time, the newer firmware will migrate a P2177,0/S171b4 password into a secured password if the old-style (parameter-based) password is detected and a secured password doesn't exist. P2177,0 and S171b4 will then both be cleared, so the password is no longer available in plain text. Subsequent changes to P2177,0/S171b4 will be ignored, since the secured password now exists. This migration happens in two common use cases:

  • A device with a P2177,0/S171b4 password is upgraded from older to newer firmware.
  • A Configuration CSV file is loaded into a device with the newer firmware, usually either over-the-air from DM-CTC/PULS or by CalAmp Production as part of a CRAF (Customer Request Authorization Form).
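The boot-time migration rules above, as a small Python model (an added example, not CalAmp firmware or tooling). The `Device` class, `load_config`, `boot_new_firmware` and `matches_secured` are hypothetical names; the PBKDF2 digest is only a stand-in, since the page does not describe how the secured password is stored; bit 4 is assumed to be counted from 0, and "detected" is assumed to mean S171b4 set with a non-empty P2177,0.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

S171_BIT4 = 1 << 4      # assumption: register bits are numbered from 0
P2177_MAX_LEN = 15      # from the page: P2177,0 can be up to 15 characters

def _seal(password: str) -> Tuple[bytes, bytes]:
    # Stand-in for the secured store; the real scheme is not documented here.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Device:           # hypothetical model of one unit
    s171: int = 0
    p2177_0: str = ""
    secured: Optional[Tuple[bytes, bytes]] = None

    def load_config(self, s171: int, p2177_0: str) -> None:
        """Apply S171 / P2177,0 values, e.g. from a configuration CSV."""
        if len(p2177_0) > P2177_MAX_LEN:
            raise ValueError("P2177,0 is limited to 15 characters")
        self.s171, self.p2177_0 = s171, p2177_0

    def boot_new_firmware(self) -> str:
        """One boot of the newer firmware; returns what happened."""
        old_style = bool(self.s171 & S171_BIT4) and self.p2177_0 != ""
        if self.secured is not None:
            # A secured password exists: parameter changes have no effect.
            return "ignored" if old_style else "no-op"
        if not old_style:
            return "no-op"      # S171b4 clear: P2177,0 is just a short string
        self.secured = _seal(self.p2177_0)
        self.s171 &= ~S171_BIT4  # clear the enable bit ...
        self.p2177_0 = ""        # ... and the plain-text copy
        return "migrated"

    def matches_secured(self, attempt: str) -> bool:
        """Compare an attempt against the secured password, if one exists."""
        if self.secured is None:
            return False
        salt, digest = self.secured
        probe = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 100_000)
        return hmac.compare_digest(probe, digest)
```
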

❗️

When the Device Password Manager is released on specific product lines, ESN-based passwords will no longer be provided, and an existing CRAF cannot override the random primary password.