search menu icon-carat-right cmu-wordmark

CERT Coordination Center

MyCar Controls uses hard-coded credentials

Vulnerability Note VU#174715

Original Release Date: 2019-04-08 | Last Revised: 2019-04-08

Overview

The MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contains hard-coded admin credentials.

Description

MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar add smartphone-controlled geolocation, remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit. The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account. This vulnerability affects versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.

Impact

A remote un-authenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle.

Solution

Update Phone App

AutoMobility has updated their mobile apps to remove the hard coded credentials. On iOS the updated version is v3.4.24, and on Android the updated version is v4.1.2.
Additionally the admin credentials in old versions of the mobile application have been revoked.

Vendor Information

The MyCar unit and corresponding mobile application may be rebranded and sold by other vendors as something other than MyCar. Other brands include:

  • Carlink
  • Linkr
  • Visions MyCar
  • MyCar Kia
These brands have also been updated.

174715
 
Affected   Unknown   Unaffected

AutoMobility Distribution Inc

Notified:  January 25, 2019 Updated:  April 08, 2019

Status

  Affected

Vendor Statement

On behalf of the ownership of MyCar Controls,

    We have been made aware of a vulnerability issue in our systems late in January 2019. Since then, all the resources at our disposal have been used to promptly address the situation, and we have fully resolved the issue. During this vulnerability period, no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems.
    Rest assured, the entire organization is focused on making our product the most secure and versatile product in the remote starter industry.
    Passion, hard work and accountability will always be the hallmarks of our organization. We thank you for your understanding and continued support.

    The AutoMobility Management Team

Vendor Information

MyCar is one of AutoMobility Distribution's brands.

Vendor References


CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 5.9 E:POC/RL:OF/RC:C
Environmental 1.6 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jmaxxz for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2019-9493
Date Public: 2019-04-08
Date First Published: 2019-04-08
Date Last Updated: 2019-04-08 21:16 UTC
Document Revision: 17

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.