A Remote-Start App Exposed Thousands of Cars to Hackers
Earlier this year, a security researcher going by the moniker Jmaxxz found three critical vulnerabilities in the MyCar software, which lets users remotely connect to their car’s dashboard and perform actions such as starting the engine and locking or unlocking the vehicle. The flaws could have let attackers gain access to MyCar’s back-end database and issue remote commands, including ones that would enable vehicle theft, against around 60,000 cars.
The vulnerabilities were hardcoded admin credentials, SQL injection flaws and insecure direct object reference (IDOR) vulnerabilities. Together these allowed the researcher to “locate cars, identify them, unlock them, start the car, trigger the alarm,” and do “really anything a legitimate user could do.” Jmaxxz disclosed the vulnerabilities in February, and all of them have since been fixed.
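To show what two of those bug classes look like in a remote-start API, here is an added, self-contained example; it is not MyCar’s code and says nothing about how MyCar was actually built. It models a hypothetical “locate vehicle” endpoint over a constructed in-memory SQLite database: the vulnerable handler interpolates the caller-supplied vehicle ID into the SQL string (injection) and never checks that the caller owns the vehicle (IDOR), while the hardened handler uses a bound parameter and scopes the query to the authenticated user. The hardcoded-credential issue is not modelled. All table names, VINs, users and coordinates are made up for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example; nothing here is real."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE vehicles (id INTEGER PRIMARY KEY, owner TEXT, "
        "vin TEXT, lat REAL, lon REAL)"
    )
    db.executemany(
        "INSERT INTO vehicles VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", "1HGCM82633A004352", 47.60, -122.33),
            (2, "bob", "WVWZZZ3CZWE123456", 40.71, -74.00),
        ],
    )
    # A second table the injection can reach that the endpoint never meant to expose.
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "pw-alice"), ("bob", "pw-bob")],
    )
    return db


def locate_vulnerable(db, requester, vehicle_id):
    """Hypothetical vulnerable handler.

    IDOR: `requester` (the authenticated user) is accepted but never compared
    with the row's owner, so any logged-in user can look up any vehicle ID.
    SQL injection: `vehicle_id` is spliced straight into the statement.
    """
    sql = f"SELECT vin, lat, lon FROM vehicles WHERE id = {vehicle_id}"
    return db.execute(sql).fetchall()


def locate_hardened(db, requester, vehicle_id):
    """Hardened handler: typed input, bound parameter, ownership in the WHERE clause.

    A vehicle the caller does not own is indistinguishable from one that does
    not exist, so the endpoint cannot be used to enumerate other users' cars.
    """
    try:
        vid = int(vehicle_id)
    except (TypeError, ValueError):
        raise PermissionError("not found")
    row = db.execute(
        "SELECT vin, lat, lon FROM vehicles WHERE id = ? AND owner = ?",
        (vid, requester),
    ).fetchone()
    if row is None:
        raise PermissionError("not found")
    return row


def demo():
    """Run alice's requests against both handlers and collect the outcomes."""
    db = make_db()
    results = {}
    # IDOR: alice asks for bob's vehicle (id 2) and the vulnerable handler obliges.
    results["idor"] = locate_vulnerable(db, "alice", "2")
    # Injection: a tautology returns every vehicle in the table.
    results["all_rows"] = locate_vulnerable(db, "alice", "0 OR 1=1")
    # Injection: UNION ALL pulls the users table through the same endpoint.
    results["dumped_users"] = locate_vulnerable(
        db, "alice", "0 UNION ALL SELECT name, password, 0 FROM users"
    )
    # Hardened handler: own vehicle works, anything else is "not found".
    results["own_car"] = locate_hardened(db, "alice", "1")
    for bad in ("2", "0 OR 1=1", "0 UNION ALL SELECT name, password, 0 FROM users"):
        try:
            locate_hardened(db, "alice", bad)
            results.setdefault("hardened_rejected", []).append(False)
        except PermissionError:
            results.setdefault("hardened_rejected", []).append(True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership predicate belongs in the query itself rather than in a check after the fetch: filtering after retrieval still lets a bug or timing difference leak whether the ID exists, and keeping the user scope in the WHERE clause means a parameterized query and the authorization decision cannot drift apart.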