MyCar Remote-Start App Left Thousands of Cars Open to Hackers
Last winter, a hacker who goes by the handle Jmaxxz was looking for a Christmas present for his girlfriend. She’d recently flown back from a work trip and complained that her fingers had been painfully cold on her drive home from the airport, thanks to below-freezing winter weather and a circulatory system condition known as Raynaud’s disease. So Jmaxxz had the idea to buy her a remote starter that would connect to her car’s dashboard and, with an accompanying device and app called Linkr, allow her to start the car’s engine with a tap on her phone. That way, on her next trip, she could start heating up the car as soon as her plane touched down.
Even as he was installing that setup, he had misgivings. As a security-minded software engineer (for a company he declined to name), Jmaxxz wondered what sort of remote hacking he might have left his girlfriend’s car susceptible to. “In the back of my head I kept thinking, ‘What’s the risk of this system? I’m putting her car on the internet,’” he remembers. “I told myself ‘Ignorance is bliss. I’m not going to look at it. Don’t look at it.’”
But Jmaxxz looked at it. And within 24 hours of doing so, in January of this year, he found exactly what he had feared: vulnerabilities that would let any hacker fully hijack that remote unlock and ignition device, providing a handy tool for stealing any of tens of thousands of vehicles. “You could locate cars, identify them, unlock them, start the car, trigger the alarm,” he says. “Really anything a legitimate user could do, you could do.”
“The problem is that these bugs shipped in the first place.”
Jmaxxz, engineer and hacker
In a talk at the DefCon hacker conference today in Las Vegas, Jmaxxz described a series of vulnerabilities in MyCar, a system made by Canadian company Automobility, whose software is rebranded and distributed under names including MyCar Kia, Visions MyCar, Carlink, and Linkr-LT1. MyCar’s devices and apps connect to radio-based remote start devices like Fortin, CodeAlarm, and Flashlogic, using GPS and a cellular connection to extend their range to anywhere with an internet connection. But with any of three different security flaws present across those apps—which Jmaxxz says he reported to the company and have since been fixed—he