Overview
The MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contains hard-coded admin credentials.
Description
MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar add smartphone-controlled geolocation, remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit. The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account. This vulnerability affects versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android. |
Impact
A remote un-authenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle. |
Solution
Update Phone App AutoMobility has updated their mobile apps to remove the hard coded credentials. On iOS the updated version is v3.4.24, and on Android the updated version is v4.1.2. |
Vendor Information
The MyCar unit and corresponding mobile application may be rebranded and sold by other vendors as something other than MyCar. Other brands include:
|
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 5.9 | E:POC/RL:OF/RC:C |
| Environmental | 1.6 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Jmaxxz for reporting this vulnerability.
This document was written by Trent Novelly.
Other Information
| CVE IDs: | CVE-2019-9493 |
| Date Public: | 2019-04-08 |
| Date First Published: | 2019-04-08 |
| Date Last Updated: | 2019-04-08 21:16 UTC |
| Document Revision: | 19 |