Tens of thousands of cars were left exposed to thieves due to a hardcoded password

April 9, 2019

The maker of a popular vehicle telematics system has left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers.

Security updates that remove the hardcoded credentials have been made available for both the MyCar Android and iOS apps since mid-February, the security researcher who found this issue told ZDNet today.

Similarly, the hardcoded credentials were also removed on the server-side to prevent any abuse against users who failed to update their apps.

Vulnerability impacts MyCar telematics system

The vulnerability, tracked as CVE-2019-9493, impacts the MyCar telematics system sold by Quebec-based Automobility Distribution.

For ZDNet readers unaware of the term, vehicle telematics refers to hardware components that car owners can install in their vehicles to provide 2G/3G-based remote control capabilities over certain car features.

MyCar is one of the more advanced vehicle telematics systems, providing a wealth of useful controls. According to the MyCar website, users can use the MyCar mobile apps “to pre-warm your car’s cabin in the winter, pre-cool it in the summer, lock and unlock your doors, arm and disarm your vehicle’s security system, open your trunk, and even find your car in a parking lot.”

For these reasons, the hardcoded credentials left inside the two MyCar mobile apps were a huge security flaw.

Hardcoded credentials doubled as alternative login system

According to a security alert sent out on Monday by the Carnegie Mellon University CERT Coordination Center, before the updates any threat actor could have extracted these hardcoded credentials from the app’s source code and used them “in place of a user’s username and password to communicate with the server endpoint for a target user’s account,” granting full control over any connected cars, such as locating, unlocking, and starting them.

It is funnier than that actually, this was used in the account creation process. Had an api to check if the email address you provided was being used. But ‘all’ Apis required auth. So how does one auth before you have an account? Only one answer: hardcoded admin creds

— Jmaxxz (@jmaxxz) April 9, 2019

The hardcoded password was discovered by a security researcher who goes online as Jmaxxz. He told ZDNet that he notified Automobility Distribution on January 25, and they released an update a month later.

Users are advised to update to MyCar for iOS version 3.4.24 or later and MyCar for Android 4.1.2 or later. Updating to these two versions should fix any issues.

Automobility Distribution did not reply to a request for comment before this article’s publication.

The company resolved its security issue pretty quickly (when compared to some IoT vendors who patch issues after months or years), but some security experts have argued that the company should have never used hardcoded credentials in its app in the first place, as this is universally considered bad security practice.
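
The root cause described above, an embedded credential that the server accepts in place of a user's login because the app needed to check an email address before an account existed, can be contrasted with a per-endpoint policy in which only that one check is anonymous. This is an added example, not code from MyCar or the researcher; the endpoint names, tokens, secret and accounts are constructed for illustration.

```python
# Constructed data: no name or value here comes from the MyCar apps or servers.
APP_SECRET = "constructed-shared-secret"       # embedded in every app build (weak design)
SESSIONS = {"tok-alice": "alice@example.com"}  # per-user session token -> account
REGISTERED = {"alice@example.com", "bob@example.com"}

def authorize_weak(endpoint, target_account, credential):
    """Weak: one embedded credential authenticates every endpoint for every account."""
    if credential == APP_SECRET:
        return True                            # the app secret stands in for any user
    return credential in SESSIONS and SESSIONS[credential] == target_account

# Hardened: each endpoint declares what it needs; the server knows no shared secret.
POLICY = {
    "email_available": "anonymous",  # pre-signup call: public, rate limited
    "unlock_doors": "owner",
    "locate_vehicle": "owner",
}

class RateLimiter:
    """Fixed request budget per client (a real service would add a time window)."""
    def __init__(self, limit):
        self.limit, self.seen = limit, {}

    def allow(self, client):
        self.seen[client] = self.seen.get(client, 0) + 1
        return self.seen[client] <= self.limit

limiter = RateLimiter(limit=3)

def authorize_hardened(endpoint, target_account, credential, client="203.0.113.7"):
    need = POLICY.get(endpoint)      # endpoints missing from the policy are denied
    if need == "anonymous":
        return limiter.allow(client)  # no credential is required or honoured here
    if need == "owner":
        account = SESSIONS.get(credential)
        return account is not None and account == target_account
    return False

def email_available(email):
    """All the pre-signup endpoint reveals: a boolean, never account data."""
    return email.lower() not in REGISTERED

if __name__ == "__main__":
    print(authorize_weak("unlock_doors", "bob@example.com", APP_SECRET))      # True
    print(authorize_hardened("unlock_doors", "bob@example.com", APP_SECRET))  # False
    print(authorize_hardened("unlock_doors", "alice@example.com", "tok-alice"))
```

In the hardened policy a value extracted from the app binary has no meaning to the server, so the pre-signup check costs nothing in account security beyond what rate limiting has to absorb.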
