Hard-coded credentials in MyCar mobile app leave thousands of cars vulnerable to attacks
- The MyCar controls mobile application for Android and iOS contains hard-coded admin credentials.
- Users are advised to update to MyCar for iOS version 3.4.24 and MyCar for Android 4.1.2 to fix the vulnerability.
What is the issue - The MyCar controls mobile application for Android and iOS contains hard-coded admin credentials.
Why it matters
- These credentials can be used by attackers to communicate and send commands to the target user account’s server endpoint.
- Attackers can also retrieve data such as the target’s location from a target MyCar unit as well as gain unauthorized physical access to a target’s vehicle.
The big picture
MyCar Controls is a vehicle telematics mobile app that lets users pre-warm or pre-cool their car’s cabin, lock or unlock the doors, arm or disarm the security system, open the trunk, and locate their car in a parking lot.
The mobile application contains hard-coded admin credentials, which attackers can use in place of a user’s username and password to communicate with the server endpoint for that user’s account.
“The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account,” Carnegie Mellon University CERT Coordination Center said in a security alert.
This vulnerability impacts all versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.
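The weakness class behind this alert, CWE-798, is one an app reviewer can catch before release by scanning decompiled resources or source for string literals assigned to credential-like keys. The following heuristic scanner is an added example written for this page; it is not code from the MyCar app, Automobility Distribution or CERT/CC. The sample lines, key names, values and endpoint it runs over are constructed for illustration, and the report deliberately prints only a prefix of each value so the finding itself does not leak the secret.

```python
"""Heuristic scanner for hard-coded credentials (CWE-798) in app source or config.

Added example, not code from the MyCar app or from CERT/CC. Every key name,
value and endpoint in SAMPLE is invented for the demonstration.
"""
import re
from dataclasses import dataclass

# Key names that commonly hold secrets; matched case-insensitively.
CREDENTIAL_KEYS = r"(?:admin_?(?:user|pass|password)|password|passwd|secret|api_?key|token|auth)"

PATTERNS = [
    # key = "value"  /  key: 'value'  (Java/Kotlin/Swift/Python-style assignments)
    re.compile(r'(?P<key>\w*' + CREDENTIAL_KEYS + r'\w*)\s*[:=]\s*["\'](?P<value>[^"\']{4,})["\']', re.I),
    # Android resource strings: <string name="key">value</string>
    re.compile(r'<string\s+name="(?P<key>\w*' + CREDENTIAL_KEYS + r'\w*)"\s*>(?P<value>[^<]{4,})</string>', re.I),
]

# Values that are clearly placeholders or runtime references, not embedded secrets.
PLACEHOLDERS = re.compile(r'^(?:\$\{.*\}|<[^>]*>|changeme|todo|x{3,}|\*{3,}|\.{3}|null|none)$', re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    value_preview: str  # first three characters only, so reports do not reproduce the secret
    source: str


def scan_lines(lines):
    """Return a Finding for each line that assigns a literal to a credential-like key."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group("value").strip()
            if PLACEHOLDERS.match(value):
                continue  # referenced from env/config at runtime, not hard-coded
            findings.append(Finding(n, m.group("key"), value[:3] + "...", line.strip()))
            break  # one finding per line is enough
    return findings


# Constructed sample resembling resources of a hypothetical telematics app.
SAMPLE = """\
# constructed sample: resources of a hypothetical telematics app
API_BASE = "https://api.example-telematics.invalid/v2"
ADMIN_USER = "svc_admin"
ADMIN_PASSWORD = "Sup3rS3cr3t!"
user_password = "${USER_INPUT}"
<string name="app_name">MyCar demo</string>
<string name="api_key">AKIAEXAMPLEKEY0001</string>
""".splitlines()


def scan_sample():
    """Run the scanner over the constructed sample; used by the demo below."""
    return scan_lines(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: key={f.key!r} value={f.value_preview!r}  <- {f.source}")
```

On the sample this flags the embedded admin username and password and the API key, while skipping the `${USER_INPUT}` reference, the app name and the endpoint URL. A scanner like this is a screening aid, not proof of absence: credentials split across constants, base64-encoded or pulled from native libraries will slip past it, so the durable fix is the one the vendor applied here, removing shared admin credentials from the client entirely and having the server issue per-user, revocable tokens.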
Patch available - Automobility Distribution, the company behind the MyCar app, has released security updates for both the Android and iOS apps that remove the hard-coded admin credentials.
The bottom line - Users are advised to update to MyCar for iOS version 3.4.24 and MyCar for Android 4.1.2 to fix the vulnerability.