Mercedes-Benz's car companion app has a bug that leaks users' personal information to other users

Mercedes-Benz, known for its TV commercial “Hi, Mercedes!”, distributes the app “Mercedes me connect”, which lets you check the vehicle status at any time by connecting a car and a smartphone, or park remotely. It has become clear that this app mistakenly displayed user information and vehicle information belonging to other people.

Mercedes-Benz app glitch exposed car owners' information to other users | TechCrunch

IT news site TechCrunch reported that it had confirmed with an informant that Mercedes-Benz's “Mercedes me connect” app displayed other users' information, such as name, recent activity, email address, and address. According to this informant, the problem occurred on Friday, October 18, 2019. A few hours after the issue occurred, the app went offline “for site maintenance” and was temporarily unavailable.

In recent years, apps that pair with a car to remotely lock and unlock it and turn the engine on and off have become common. However, connecting a car to an app or the Internet also raises the concern that a security bug could make the car easier to hijack.

In fact, a video demonstrating the hacking of an Internet-connected car has also been released.

Former spy demonstrates frightening car hacking, including operating the brakes and steering wheel - GIGAZINE

One of the informants is a Mercedes me connect app user in Seattle, who told TechCrunch that he was able to confirm that his app had retrieved account information for multiple other users. A friend of his, who also uses the Mercedes me connect app, is said to have seen another user's account information displayed in the app as well.

The user information and vehicle information displayed in the Mercedes me connect app were as follows. Other users' information appeared on three screens: the vehicle information for the car in use (left), the activity screen showing information such as when the vehicle was used (middle), and My Profile, showing the user name, email address, address, and so on (right).

According to the informant, although he could view the activity screen showing details such as when the vehicle was used, it was not possible to track other users' vehicle positions in real time using the app's functions.

When an informant contacted Mercedes-Benz, a customer center representative told him to “delete the app” until the bug was fixed.

Another informant contacted one of the other users through the contact details displayed in his app and confirmed that the location information shown on the activity screen was correct.

According to the first informant, after another user's account information was displayed in the app, the vehicle lock and unlock functions and the engine on/off function stopped working in the app. The second informant had apparently not tried either function.

It is not clear when and to what extent this security problem occurred. When TechCrunch contacted Daimler, the parent company of Mercedes-Benz, spokesperson Donna Borland responded, “The information displayed was cached information, not real-time access to the account. Financial information was not displayed, and it was not possible to interact with the vehicle associated with the account or to determine the location of the vehicle. After recognizing the problem, the system was shut down and the problem was identified and resolved.”

According to Google Play, the Mercedes me connect app has been installed by more than 100,000 people.

Mercedes me - Apps on Google Play

in Mobile, Software, Ride, Security, Posted by logu_ii