App could have let attackers locate and take control of users’ cars

A smartphone app used to control vehicles across North America left them wide open to attackers, it was revealed on Monday. The MyCar application, from Canada-based AutoMobility Distribution, allowed anyone who knew about the vulnerability to control, monitor, and access vehicles from an unauthorized device, experts said.

MyCar is an app available on both iOS and Android devices that serves the aftermarket telematics market. Users can install connected devices into their cars, turning them into IoT devices that they can control via a cellular connection. According to its website, the MyCar app lets users control their cars remotely from anywhere by communicating with one of these devices via AutoMobility Distribution’s servers.

Users can remotely start their car, lock and unlock vehicles, or locate them. Other features include getting the temperature and vehicle battery levels, and sharing your vehicle with other users or even transferring it to a new owner.

The company sells the app under a service plan. Users get the smartphone app, the hardware device to install in their car, and service for a set period of one or three years.

It all sounds very convenient, especially when you want a nice warm car waiting for you on those cold winter mornings. Unfortunately, according to a vulnerability note issued by Carnegie Mellon University’s Software Engineering Institute, the app also enabled attackers to take control of your car.

AutoMobility Distribution’s developers apparently wanted a way to let users access functions in the car without worrying about usernames and passwords, so they committed a cardinal software development sin: They hard-coded administrator credentials directly into the app.
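Why a credential shared by every install is so damaging, shown as an added example (not code from MyCar or AutoMobility Distribution): the article does not describe the server side, so the account names, vehicle ids, secret and functions below are all hypothetical. The first check can only tell that the caller has the embedded secret; the second ties each request to a logged-in account and to vehicle ownership.

```python
import hmac
import secrets

# Constructed sample data: every name and value here is hypothetical.
EMBEDDED_ADMIN_SECRET = "example-shared-secret"   # same string in every app install
OWNERS = {"car-001": "alice", "car-002": "bob"}   # vehicle id -> owning account
SESSIONS = {}                                     # session token -> account


def weak_authorize(presented_secret, vehicle_id):
    """Shared-credential model: the server only learns 'this is the app'.

    Anyone holding the embedded secret passes for every vehicle, because
    the request carries no user identity to check ownership against.
    """
    return (hmac.compare_digest(presented_secret, EMBEDDED_ADMIN_SECRET)
            and vehicle_id in OWNERS)


def login(account, password_ok):
    """Issue a random per-user session token after the user authenticates.

    password_ok stands in for a real password or MFA check.
    """
    if not password_ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def revoke(token):
    """Per-user tokens can be revoked one by one; a shipped constant cannot."""
    SESSIONS.pop(token, None)


def scoped_authorize(token, vehicle_id):
    """Per-user model: resolve the token to an account, then check ownership."""
    account = SESSIONS.get(token)
    return account is not None and OWNERS.get(vehicle_id) == account
```

Rotating a secret that ships inside the app means updating every installed copy, whereas a per-user token is revoked on the server alone.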
