Motor vehicle technology and equipment provider AutoMobility Distribution Inc. has updated its MyCar Controls telematics mobile application for iOS and Android in order to eliminate the use of insecure hard-coded credentials.

The MyCar app offers geolocation services as well as remote start/stop and lock/unlock capabilities to vehicles that come with a compatible remote start unit. But the presence of hard-coded credentials could allow unauthenticated attackers to send commands to or retrieve data from a targeted MyCar unit, which in turn would enable them to determine the location of a user or even gain physical access to a vehicle.

This mistake is fixed in version 3.4.24 for iOS and 4.1.2 for Android, according to a vulnerability advisory from the CERT/CC at Carnegie Mellon University’s Software Engineering Institute.. AutoMobility Distribution Inc. also revoked the admin credentials in old versions of the app. Rebranded versions of MyCar such as Carlink, Linkr, Visions MyCar and MyCar Kia were securely updated as well.