Hardcoded Passwords in Mobile Application Exposed Connected Cars to Remote Attacks
No matter the brand, cars now come equipped with technology and applications that most drivers don’t fully understand. Eager to take full control of their smart cars, owners readily link their smartphones and personal accounts to a range of apps and smartphone-controlled devices. The problem is that many of these apps carry unpatched security flaws.
Thousands of cars were left vulnerable to threat actors looking to mess with their smart settings due to a telematics mobile application operating with hardcoded admin credentials, according to a security alert by the Carnegie Mellon University CERT Coordination Center.
The app in question is MyCar Controls, also known as Carlink, Linkr, Visions MyCar or MyCar Kia, developed by Automobility Distribution Inc. It is extremely popular with both iOS and Android users as it lets them use their smartphones to set the temperature, get info on vehicle location, open the trunk, turn on or off the car’s security alarm or lock and unlock doors, and perform other small tasks.
“MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user’s username and password to communicate with the server endpoint for a target user’s account,” says the report.
Hardcoded credentials are stored in the clear inside the app itself, so anyone who extracts them can use them. That is exactly why this was a critical security flaw: it let third parties alter car settings or steal user data from a remote location. Criminals could even gain physical access to the car, researchers explained. The flaw was patched immediately, in February, and the credentials were removed.
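The practical question for a defender is how to find credentials like these before an app ships. The following is an added example, not code from the article, from CERT/CC or from the MyCar app: a small static scanner that walks the resource, configuration and disassembled-code files of an unpacked mobile app bundle and flags credential-like keys with literal values (CWE-798). The file names, keys and values in SAMPLE_FILES are constructed for the demo, and the placeholder rules are an assumption about what typically produces false positives.

```python
import re
from dataclasses import dataclass

# Constructed sample of files as they might look after unpacking an app bundle
# (for example with apktool). None of these paths or values come from any real
# app; they exist only to exercise the scanner.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">ExampleCar</string>\n'
        '  <string name="password_hint">@string/enter_password</string>\n'
        '  <string name="admin_user">svc_admin</string>\n'
        '  <string name="admin_password">S3cretP@ssw0rd!</string>\n'
        '</resources>\n'
    ),
    "assets/config.properties": (
        "api.base=https://api.example.invalid/v1\n"
        "api.timeout=30\n"
        "service.token=ZmFrZS10b2tlbi1mb3ItZGVtbw==\n"
    ),
    "smali/com/example/NetClient.smali": (
        '.method private auth()V\n'
        '    const-string v0, "admin"\n'
        '    const-string v1, "hunter2"\n'
        '    return-void\n'
        '.end method\n'
    ),
}

# Key names that usually denote a secret. Matching on the key rather than the
# value keeps the scanner readable and avoids guessing at entropy thresholds.
CREDENTIAL_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_.\-]?key|admin[_.\-]?(user|pass|cred))", re.I
)

# "key = value" shapes: Android XML string resources and .properties files.
ASSIGNMENT_PATTERNS = [
    re.compile(r'<string name="(?P<key>[^"]+)">(?P<value>[^<]+)</string>'),
    re.compile(r"^(?P<key>[A-Za-z0-9_.\-]+)\s*[=:]\s*(?P<value>\S.*)$", re.M),
]
# String constants in smali (disassembled Dalvik bytecode).
SMALI_CONST = re.compile(r'const-string\s+v\d+,\s*"(?P<value>[^"]*)"')

ADMIN_NAMES = {"admin", "root", "administrator"}


@dataclass
class Finding:
    path: str
    key: str
    value: str
    reason: str


def is_placeholder(value):
    """Assumed heuristics for values that are not real secrets: empty strings,
    build-time substitutions (${...}), Android resource references (@string/...)
    and obvious 'fill me in' markers."""
    v = value.strip()
    return (
        not v
        or v.startswith("${")
        or v.startswith("@")
        or v.upper() in {"CHANGE_ME", "REPLACE_ME", "TODO"}
    )


def scan_file(path, text):
    """Return the credential-like literals found in one file."""
    findings = []
    for pat in ASSIGNMENT_PATTERNS:
        for m in pat.finditer(text):
            key, value = m.group("key"), m.group("value").strip()
            if CREDENTIAL_KEY.search(key) and not is_placeholder(value):
                findings.append(Finding(path, key, value, "credential-like key with literal value"))
    # In disassembled code there are no key names, so pair a literal admin-style
    # username with the string constant that immediately follows it.
    consts = SMALI_CONST.findall(text)
    for i in range(len(consts) - 1):
        if consts[i].lower() in ADMIN_NAMES and not is_placeholder(consts[i + 1]):
            findings.append(Finding(path, consts[i], consts[i + 1], "literal admin username followed by a literal string"))
    return findings


def scan_bundle(files):
    """Scan every file of an unpacked bundle given as {path: text}."""
    results = []
    for path, text in files.items():
        results.extend(scan_file(path, text))
    return results


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_FILES):
        print(f"{f.path}: {f.key} -> {f.value!r} ({f.reason})")
```

Run against the constructed bundle, the scanner reports four findings (the admin username and password in strings.xml, the service token in the properties file, and the admin/"hunter2" pair in the smali) and correctly ignores the `password_hint` entry, whose value is only a resource reference. In a real pipeline the same functions would be fed the output of apktool or a similar unpacker, and any hit should block the release until the secret is moved server-side or replaced with per-user, short-lived credentials.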
“No actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems,” Automobility Distribution told ZDNet.