Tens of thousands of cars were left exposed to thieves due to a hardcoded password

A patch was rolled out in mid-February and the hardcoded credentials revoked.
Written by Catalin Cimpanu, Contributor
car vehicle

The maker of a popular vehicle telematics system has left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers.

Security updates that remove the hardcoded credentials have been made available for both the MyCar Android and iOS apps since mid-February, the security researcher who found this issue told ZDNet today.

Similarly, the hardcoded credentials were also removed on the server-side to prevent any abuse against users who failed to update their apps.

Vulnerability impacts MyCar telematics system

The vulnerability, tracked as CVE-2019-9493, impacts the MyCar telematics system sold by Quebec-based Automobility Distribution.

For ZDNet readers unware of the term, vehicle telematics refers to hardware components that car owners can install in their vehicles to provide 2G/3G-based remote control capabilities over certain car features.

MyCar is one of the more advanced vehicle telematics systems, providing a wealth of useful controls. According to the MyCar website, users can use the MyCar mobile apps "to pre-warm your car's cabin in the winter, pre-cool it in the summer, lock and unlock your doors, arm and disarm your vehicle's security system, open your trunk, and even find your car in a parking lot."

For these reasons, the hardcoded credentials left inside the two MyCar mobile apps were a huge security flaw.

Hardcoded credentials doubled as alternative login system

According to a security alert sent out on Monday by the Carnegie Mellon University CERT Coordination Center, before the updates, any threat actor could have extracted these hardcoded credentials from the app's source code and they could have been used "in place of a user's username and password to communicate with the server endpoint for a target user's account," granting full control over any connected cars --such as locating, unlocking, and starting any connected cars.

The hardcoded password was discovered by a security researcher who goes online as Jmaxxz. He told ZDNet that he notied Automobility Distribution on January 25, and they released an update a month later.

Users are advised to update to MyCar for iOS version 3.4.24 or later and MyCar for Android 4.1.2 or later. Updating to these two versions should fix any issues.

Contacted by ZDNet, Automobility Distribution said that during the period the vulnerability had been present in its apps "no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems."

The company resolved its security issue pretty quickly --when compared to some IoT vendors who patch issues after months or years-- but some security experts have argued that the company should have never used hardcoded credentials in its app in the first place, as this universally considered bad security practice.

Article updated with Automobility Distribution statement.

Top vehicle hacking examples (in pictures)

More vulnerability reports:

Editorial standards