Tens of thousands of cars were left exposed to thieves due to a hardcoded password
The maker of a popular vehicle telematics system has left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers.
Security
Security updates that remove the hardcoded credentials have been made available for both the MyCar Android and iOS apps since mid-February, the security researcher who found this issue told ZDNet today.
Similarly, the hardcoded credentials were also removed on the server-side to prevent any abuse against users who failed to update their apps.
Vulnerability impacts MyCar telematics system
The vulnerability, tracked as CVE-2019-9493, impacts the MyCar telematics system sold by Quebec-based Automobility Distribution.
For ZDNet readers unware of the term, vehicle telematics refers to hardware components that car owners can install in their vehicles to provide 2G/3G-based remote control capabilities over certain car features.
MyCar is one of the more advanced vehicle telematics systems, providing a wealth of useful controls. According to the MyCar website, users can use the MyCar mobile apps "to pre-warm your car's cabin in the winter, pre-cool it in the summer, lock and unlock your doors, arm and disarm your vehicle's security system, open your trunk, and even find your car in a parking lot."
For these reasons, the hardcoded credentials left inside the two MyCar mobile apps were a huge security flaw.
Hardcoded credentials doubled as alternative login system
According to a security alert sent out on Monday by the Carnegie Mellon University CERT Coordination Center, before the updates, any threat actor could have extracted these hardcoded credentials from the app's source code and they could have been used "in place of a user's username and password to communicate with the server endpoint for a target user's account," granting full control over any connected cars --such as locating, unlocking, and starting any connected cars.
It is funnier than that actually, this was used in the account creation process. Had an api to check if the email address you provided was being used. But ‘all’ Apis required auth. So how does one auth before you have an account? Only one answer: hardcoded admin creds
— Jmaxxz (@jmaxxz) April 9, 2019
The hardcoded password was discovered by a security researcher who goes online as Jmaxxz. He told ZDNet that he notied Automobility Distribution on January 25, and they released an update a month later.
Users are advised to update to MyCar for iOS version 3.4.24 or later and MyCar for Android 4.1.2 or later. Updating to these two versions should fix any issues.
Contacted by ZDNet, Automobility Distribution said that during the period the vulnerability had been present in its apps "no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems."
The company resolved its security issue pretty quickly --when compared to some IoT vendors who patch issues after months or years-- but some security experts have argued that the company should have never used hardcoded credentials in its app in the first place, as this universally considered bad security practice.
Article updated with Automobility Distribution statement.
Top vehicle hacking examples (in pictures)
More vulnerability reports:
- Researcher prints 'PWNED!' on hundreds of GPS watches' maps due to unfixed API
- Cisco bungled RV320/RV325 patches, routers still exposed to hacks
- Vulnerability found in Xiaomi phones' pre-installed security app
- Backdoor code found in popular Bootstrap-Sass Ruby library
- Apache web server bug grants root access on shared hosting environments
- Researcher publishes Google Chrome exploit on GitHub
- DJI fixes vulnerability that let potential hackers spy on drones CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic