MyCar Controls uses hard-coded credentials
Description
The MyCar Controls mobile application of AutoMobility Distribution Inc. contains hard-coded admin credentials. A remote unauthenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle. This issue affects AutoMobility MyCar versions prior to 3.4.24 on iOS and versions prior to 4.1.2 on Android. This issue has additionally been fixed in Carlink, Link, Visions MyCar, and MyCar Kia.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hard-coded admin credentials in MyCar Controls mobile app allow remote unauthenticated attackers to control vehicles and access location data.
Vulnerability
The MyCar Controls mobile application (iOS versions prior to 3.4.24, Android versions prior to 4.1.2) contains hard-coded admin credentials (CWE-798) that can be used to authenticate to the server endpoint for any user's account [4]. The app is used to control aftermarket telematics units that provide remote start, lock/unlock, and GPS location features [1][2][3].
Exploitation
A remote unauthenticated attacker can use the hard-coded credentials to send commands to and retrieve data from a target MyCar unit without needing the user's actual username and password [4]. The attacker only needs network access to the server endpoint; no user interaction is required.
Impact
Successful exploitation allows the attacker to learn the vehicle's location via GPS, and to send commands such as remote start, lock/unlock, and other functions [4]. This could lead to unauthorized physical access to the vehicle and potential theft or surveillance.
Mitigation
AutoMobility released updated mobile apps that remove the hard-coded credentials: iOS version 3.4.24 and Android version 4.1.2 [4]. Additionally, the admin credentials in old versions have been revoked. Users should update their apps. The fix also applies to rebranded versions: Carlink, Link, Visions MyCar, and MyCar Kia [4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.4.24 (iOS), <4.1.2 (Android)
- AutoMobility Distribution Inc./MyCar Controls (v5), Range: unspecified
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/174715/ (mitre; third-party-advisory; x_refsource_CERT-VN)
- itunes.apple.com/us/app/mycar-controls/id1126511815 (mitre; x_refsource_MISC)
- mycarcontrols.com (mitre; x_refsource_MISC)
- play.google.com/store/apps/details (mitre; x_refsource_MISC)
- www.securityfocus.com/bid/107827 (mitre; vdb-entry; x_refsource_BID)