By: National Motor Freight Traffic Association
In a recent blog post, Sam Curry, a web application security researcher, and colleagues identified several vulnerabilities in Spireon products. The vulnerabilities include the ability to obtain unauthorized (full) administrator access to company-wide administrator panels on the following products: GoldStar, Lojack, FleetLocate, nSpire, Trailer & Asset. The researchers note that some of these are from companies that Spireon has acquired.
The researchers note other vulnerabilities as well, which can be found in the following blog post here:
The products that are listed as affected obviously include some that we believe are in use by NMFTA’s fleet members. The researchers do NOT assert that the vulnerabilities in the Spireon products had been fixed before the blog post was published, which is in contrast to other instances in the post; NMFTA is led to believe that these Spireon vulnerabilities are not fixed.
NMFTA recommends that our fleet members that are using Spireon products or products which have been acquired by Spireon contact their suppliers to gain assurances that the issues have been fixed.
NMFTA also recommends that all telematics systems procured by our fleet members be assessed using the NMFTA TSRM: https://github.com/nmfta-repo/nmfta-telematics_security_requirements.