The MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contains hard-coded admin credentials.
MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar add smartphone-controlled geolocation, remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit. The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account. This vulnerability affects versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.
A remote un-authenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle.
Update Phone App
AutoMobility has updated their mobile apps to remove the hard coded credentials. On iOS the updated version is v3.4.24, and on Android the updated version is v4.1.2.
The MyCar unit and corresponding mobile application may be rebranded and sold by other vendors as something other than MyCar. Other brands include:
AutoMobility Distribution Inc Affected
Notified: January 25, 2019 Updated: April 08, 2019
On behalf of the ownership of MyCar Controls,
We have been made aware of a vulnerability issue in our systems late in January 2019. Since then, all the resources at our disposal have been used to promptly address the situation, and we have fully resolved the issue. During this vulnerability period, no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems.
Rest assured, the entire organization is focused on making our product the most secure and versatile product in the remote starter industry.
Passion, hard work and accountability will always be the hallmarks of our organization. We thank you for your understanding and continued support.
The AutoMobility Management Team
MyCar is one of AutoMobility Distribution's brands.
Thanks to Jmaxxz for reporting this vulnerability.
This document was written by Trent Novelly.
|Date First Published:||2019-04-08|
|Date Last Updated:||2019-04-08 21:16 UTC|