MyCar, an app available on iOS and Android platforms, allows the user of the app to remote start, lock or unlock the vehicle doors, locate their vehicle and arm or disarm the alarm system, has been found to be vulnerable to attackers who attempt to steal the user’s credentials. Admin credentials are hard-coded into the app and allow an attacker to access the user’s personal data, location of the vehicle and to even physically enter the vehicle. The company that developed the app, Automobility Distribution Inc, has provided an update for the system that revokes the admin credentials and reverts to the user’s individual username and password. Several rebranded versions of the MyCar app are MyCar Kia, Carlink, Linkr and Visions MyCar, which have all been included in the latest update.
Users should update to MyCar iOS version 3.4.24 or MyCar for Android version 4.1.2 to fix the issue and remove admin controls.