A Mobile Application Exposed Passwords and Enabled Car Theft

As you probably know, the tendency to connect everyday objects to the internet is often referred to as the Internet of Things (IoT) revolution, and although nowadays, we ought to be rather careful when using words like 'revolution', in this particular case, it does seem to fit the bill rather well. Shortly after our mobile phones got connected to the internet, they became basically glued to our hands, and manufacturers of all sorts of items decided that we must use them for everything – from turning on the lights to plotting the route of our smart vacuum cleaner. It's not just stuff around the house, either.

More and more new cars come with mobile phone applications that let you remotely turn the AC on or off, unlock the doors, and even start the engine. The thing is, although a smart light bulb is more expensive than its "dumb" counterpart, most people can afford it. With new cars, this is not really the case.

Still, if you are determined to enjoy the benefits of controlling your car through your mobile phone, and if you've got a couple of hundred dollars to spend, you can buy and install some hardware, download an app on your phone, and you too can make your old clunker "smart". The thing is, you might also be putting it at risk.

A remote start application or a joyrider's dream

One of the aftermarket services that let you "smarten up" your old car is called MyCar Controls. It's compatible with several brands of hardware that can be freely bought and installed by a specialist, and the app is available both on the App Store and on Google Play.

Read through the reviews, however, and you'll see that especially over the last few weeks, the application has been misbehaving. People have been experiencing connectivity issues, and they have had trouble logging in to their accounts – a necessary step for using the app's functionality which includes, among other things, locating the connected car, unlocking the doors, and starting the engine.

Automobility Distribution, the company that develops and sells the MyCar Controls app, hasn't responded to the negative reviews, but a security alert from Carnegie Mellon University's CERT Coordination Center might just tell us what's been going on.

It came out on Monday, and it talked about a vulnerability in MyCar Controls mobile applications which could have let "a remote un-authenticated attacker" communicate with the app's backend, retrieve some data, and connect to a target's car. In other words, the vulnerability could have resulted in car theft.

The hole was discovered in January by a security researcher known as Jmaxxz who informed Automobility Distribution immediately. In February, the developer patched the hole with versions 3.4.24 for iOS and 4.1.2 for Android.

This has yet to be confirmed, but the timing suggests that the update might have caused at least some of the login issues reported in the reviews. When reached for comment by ZDNet, Automobility Distribution said that there is no evidence of anyone exploiting the bug in the wild.

Hard-coded credential – the simplest of security blunders

Some security vulnerabilities can have more severe consequences than others, and needless to say, the more serious ones should be treated with higher priority. MyCar Controls' bug, you have to agree, was a big one, and it must be said that by producing a patch quickly, Automobility Distribution handled it rather well, especially when compared to some other IoT vendors.

Security experts reckon that the vulnerability should never have existed in the first place, though. The attack was possible because of some administrative credentials that could have been used instead of the target's username and password. MyCar Controls' developers left the admin credentials in the app's code which, as far as security mistakes go, is a pretty elementary one. The credentials have been revoked meaning that the threat doesn't exist anymore. There is a rather depressing moral to the story, though.

Thanks to the IoT revolution, we are putting more and more valuable belongings in the hands of developers who may or may not know what they're doing. Think about this the next time you are considering spending big money on something silly like a smart baby stroller. Yes, there is one.