A smartphone app used to control vehicles across North America left them wide open to attackers, it was revealed on Monday. The MyCar application, from Canada-based AutoMobility Distribution, allowed anyone that knew about the vulnerability to control, monitor, and access vehicles from an unauthorized device, experts said.
MyCar is an app available on both iOS and Android devices that serves the aftermarket telematics market. Users can install connected devices into their cars, turning them into IoT devices that they can control via a cellular connection. According to its website, the MyCar app lets users control their cars remotely from anywhere by communicating with one of these devices via AutoMobility Distribution’s servers.
Users can remotely start their car, lock and unlock vehicles, or locate them. Other features include getting the temperature and vehicle battery levels, and sharing your vehicle with other users or even transferring it to a new owner.
The company sells the app under a service plan. Users get the smartphone app, the hardware device to install in their car, and service for a set period of one or three years.
It all sounds very convenient, especially when you want a nice warm car waiting for you on those cold winter mornings. Unfortunately, according to a vulnerability note issued by Carnegie Mellon University’s Software Engineering Institute, the app also enabled attackers to take control of your car.
AutoMobility Distribution’s developers apparently wanted a way to let users access functions in the car without worrying about usernames and passwords, so they committed a cardinal software development sin: They hard-coded administrator credentials directly into the app.
The vulnerability could lead to some serious consequences for users, according to the SEI CERT note, because an attacker could extract the credentials from the source code and use it to communicate with the server to compromise a user’s vehicle:
A remote un-authenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle.
The vulnerability was first reported by a cybersecurity researcher identified as JMaaxz, who also discovered August smart locks leaking their firmware keys in 2016. In late March, he tweeted:
Anyone know how to contact KIA about security issues?—
Jmaxxz (@jmaxxz) March 27, 2019
Then, he tweeted again as the vulnerability went public:
One of the car vulns has been published kb.cert.org/vuls/id/174715/—
Jmaxxz (@jmaxxz) April 08, 2019
AutoMobility Distribution told us that it was made aware of the issue in January, adding:
Since then, all the resources at our disposal have been used to promptly address the situation, and we have fully resolved the issue. During this vulnerability period, no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems.
Luckily, the danger is over. SEI CERT explained that AutoMobility has updated its app to remove the hardcoded credentials, and has revoked the admin credentials in older versions of the app. Other, rebranded versions of the app sold as Carlink, Linkr, Visions MyCar, and MyCar Kia have also been fixed, it added.