
Hard-coded credentials in MyCar mobile app leave thousands of cars vulnerable to attacks

  • The MyCar controls mobile application for Android and iOS contains hard-coded admin credentials.
  • Users are advised to update to MyCar for iOS version 3.4.24 and MyCar for Android 4.1.2 to fix the vulnerability.

What is the issue - The MyCar controls mobile application for Android and iOS contains hard-coded admin credentials.

Why it matters

  • An attacker who extracts these credentials from the app can present them in place of a user's username and password and send commands to the server endpoint for that user's account.
  • Through that endpoint an attacker can retrieve data such as the target vehicle's location from the MyCar unit, and can unlock the vehicle to gain unauthorized physical access to it.

The big picture

MyCar Controls is a vehicle telematics mobile app that lets users pre-warm or pre-cool their car's cabin, lock or unlock the doors, arm or disarm the car's security system, open the trunk, and locate the car in a parking lot.

The mobile application contains hard-coded admin credentials. Because the backend accepts them in place of a user's username and password, anyone who recovers the credentials from the app binary can communicate with the server on behalf of any target user's account.

“The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account,” Carnegie Mellon University CERT Coordination Center said in a security alert.

This vulnerability affects all versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.
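The following is an added illustration of the CWE-798 pattern described above; it is not code from the MyCar app, Automobility Distribution, or CERT/CC, and every name, credential, endpoint and line of "decompiled" client code in it is made up. It shows a toy telematics backend that honours a credential baked into the client (the vulnerable shape), the same handler with the shared secret removed (the hardened shape), and a small string scan of the kind a reviewer would run over an unpacked app to spot such constants before release.

```python
"""Hard-coded client credentials (CWE-798): vulnerable vs hardened backend check,
plus a simple scan for credential-like constants in decompiled client code.
Added example; all data below is constructed and hypothetical."""
import hashlib
import hmac
import re

def _hash(salt: str, password: str) -> str:
    """Salted SHA-256, enough for this toy; use a real KDF in production."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Hypothetical user accounts: username -> (salt, hashed password).
ACCOUNTS = {
    "alice": ("s1", _hash("s1", "alice-pass")),
    "bob":   ("s2", _hash("s2", "bob-pass")),
}

# Hypothetical constant shipped inside the client binary. Anyone who unpacks
# the app can read it, so it is effectively public.
EMBEDDED_ADMIN = ("svc_admin", "AppBuild-Secret-0001")

def check_password(user: str, password: str) -> bool:
    rec = ACCOUNTS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(digest, _hash(salt, password))

def vulnerable_authorize(target_user: str, auth_user: str, auth_pw: str, command: str) -> str:
    """Vulnerable: the backend treats the client's embedded admin credential as
    a valid substitute for the target account's own credentials, so whoever
    holds that constant can act on ANY account."""
    if (auth_user, auth_pw) == EMBEDDED_ADMIN:
        return f"ok: {command} sent to {target_user}'s vehicle (admin bypass)"
    if auth_user == target_user and check_password(auth_user, auth_pw):
        return f"ok: {command} sent to {target_user}'s vehicle"
    return "denied"

def hardened_authorize(target_user: str, auth_user: str, auth_pw: str, command: str) -> str:
    """Hardened: no shared secret exists server-side; the caller must
    authenticate as the account it is acting on. (A real deployment would
    issue per-user session tokens rather than resend passwords.)"""
    if auth_user == target_user and check_password(auth_user, auth_pw):
        return f"ok: {command} sent to {target_user}'s vehicle"
    return "denied"

# Credential-like assignments, e.g. PASSWORD = "..." or secret: '...'.
CRED_PATTERN = re.compile(
    r'(?i)(?P<key>pass(?:word)?|secret|api[_-]?key|admin)\s*[=:]\s*["\'](?P<value>[^"\']{6,})["\']'
)

def find_embedded_credentials(decompiled_source: str) -> list:
    """Return (key, value) pairs that look like hard-coded credentials."""
    return [(m.group("key"), m.group("value")) for m in CRED_PATTERN.finditer(decompiled_source)]

# Constructed snippet resembling decompiled client code (hypothetical).
SAMPLE_DECOMPILED = '''
private static final String ADMIN_USER = "svc_admin";
private static final String ADMIN_PASSWORD = "AppBuild-Secret-0001";
private static final String API_BASE = "https://api.example.invalid/v1";
'''

if __name__ == "__main__":
    user, pw = EMBEDDED_ADMIN
    print("vulnerable:", vulnerable_authorize("alice", user, pw, "unlock"))
    print("hardened:  ", hardened_authorize("alice", user, pw, "unlock"))
    print("scan:      ", find_embedded_credentials(SAMPLE_DECOMPILED))
```

The scan is deliberately crude (a regex over strings), which is the point: a constant that a one-line pattern can pull out of a decompiled APK or IPA is a constant an attacker will also find, so the fix has to be server-side removal of the shared credential, not better hiding of it in the client.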

Patch available - Automobility Distribution, the company behind the MyCar app, has released security updates for both the Android and iOS apps that remove the hard-coded admin credentials.

The bottom line - Users are advised to update to MyCar for iOS version 3.4.24 and MyCar for Android 4.1.2 to fix the vulnerability.

Publisher: Cyware