CVSS2: 10 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |

CVSS3: 9.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS: 0.013 Low (Percentile: 86.0%)
The MyCar Controls mobile applications prior to v3.4.24 on iOS and prior to v4.1.2 on Android contain hard-coded admin credentials.
MyCar is a small aftermarket telematics unit from AutoMobility Distribution Inc. MyCar adds smartphone-controlled geolocation, remote start/stop and lock/unlock capabilities to a vehicle with a compatible remote start unit. The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user’s username and password to communicate with the server endpoint for a target user’s account. This vulnerability affects versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.
A remote unauthenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle.
Update Phone App
AutoMobility has updated their mobile apps to remove the hard-coded credentials. On iOS the updated version is v3.4.24, and on Android the updated version is v4.1.2.
Additionally, the admin credentials in old versions of the mobile application have been revoked.
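To confirm the update has reached every device, the fixed versions above can be checked against an app inventory. The following is an added example, not code from the advisory or the vendor; the inventory row layout `(device, platform, version)` and the device ids are assumptions. It compares versions numerically, since a plain string comparison would rank 3.4.9 above 3.4.24.

```python
import re

# Fixed versions stated in the advisory, keyed by platform.
FIXED = {"ios": (3, 4, 24), "android": (4, 1, 2)}

def parse_version(text):
    """Turn 'v3.4.24' or '4.1.2' into a tuple of ints; None if malformed."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def status(platform, version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one installed app."""
    fixed = FIXED.get(platform.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # unrecognised platform or unparseable version
    # Pad so that '4.1' compares as 4.1.0 rather than as a shorter tuple.
    width = max(len(fixed), len(parsed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "vulnerable" if pad(parsed) < pad(fixed) else "fixed"

def audit(inventory):
    """Map device id -> status for (device, platform, version) rows."""
    return {dev: status(plat, ver) for dev, plat, ver in inventory}

# Constructed sample inventory (device ids and versions are made up).
SAMPLE = [
    ("dev-01", "iOS", "3.4.9"),
    ("dev-02", "iOS", "v3.4.24"),
    ("dev-03", "Android", "4.1"),
    ("dev-04", "Android", "4.1.2"),
    ("dev-05", "Android", "4.10.0"),
    ("dev-06", "Android", "unknown"),
]

if __name__ == "__main__":
    for dev, result in audit(SAMPLE).items():
        print(dev, result)
```

Rows reported as `unknown` need manual review rather than being treated as fixed.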
The MyCar unit and corresponding mobile application may be rebranded and sold by other vendors as something other than MyCar. Other brands include:
Notified: January 25, 2019 Updated: April 08, 2019
Affected
On behalf of the ownership of MyCar Controls,
We have been made aware of a vulnerability issue in our systems late in January 2019. Since then, all the resources at our disposal have been used to promptly address the situation, and we have fully resolved the issue. During this vulnerability period, no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems.
Rest assured, the entire organization is focused on making our product the most secure and versatile product in the remote starter industry.
Passion, hard work and accountability will always be the hallmarks of our organization. We thank you for your understanding and continued support.
The AutoMobility Management Team
MyCar is one of AutoMobility Distribution’s brands.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 5.9 | E:POC/RL:OF/RC:C |
Environmental | 1.6 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Jmaxxz for reporting this vulnerability.
This document was written by Trent Novelly.
CVE IDs: | CVE-2019-9493 |
---|---|
Date Public: | 2019-04-08 |
Date First Published: | |