Tens of thousands of vehicles with the MyCar telematics systems were apparently vulnerable to hackers after it was discovered that hardcoded credentials had been left inside various mobile apps.
ZDNet reports that a security researcher discovered the MyCar telematics systems sold by Canada’s Automobility Distribution had a rather easy-to-find weakness.
Hackers could extract hardcoded credentials from the application’s source code and use them “in place of a user’s username and password to communicate with the server endpoint for a target user’s account.” This would have provided them with the ability to gain control over vehicles with the MyCar telematic systems and allowed them to locate vehicles, lock and unlock them, and even start their engines.
MyCar’s mobile apps offer vehicle owners a number of convenient features, such as the ability to pre-warm a car’s cabin in the winter, pre-cool it in the summer, lock and unlock the doors – even arm and disarm a vehicle’s security system. It can also be used to locate a vehicle in places like a parking lot.
It is funnier than that actually, this was used in the account creation process. Had an api to check if the email address you provided was being used. But ‘all’ Apis required auth. So how does one auth before you have an account? Only one answer: hardcoded admin creds
— Jmaxxz (@jmaxxz) April 9, 2019
A security researcher who goes by the nickname Jmaxxz alerted Automobility Distribution to the security lapse on January 25, and reports that the company released a software update rectifying the issue a month later.
In a statement, Automobility Distribution said that, despite the issue, “no actual incident or issue with compromised privacy or functionality has been reported to us or detected by our systems.”
A number of security experts say using hardcoded credentials in applications is universally considered to be a bad security practice.