VAR-201508-0605
Vulnerability from variot - Updated: 2025-04-12 23:15
Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers' installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor says: "This is for developers. Because the problem concerns the debugging device, it is not included in the devices for general customers, but a fix (invalidation) in the current release has been announced." Supplementary information: the vulnerability type has been identified as CWE-321: Use of Hard-coded Cryptographic Key. http://cwe.mitre.org/data/definitions/321.html A third party may obtain access by using private key information from another installation. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning. The vulnerability stems from the fact that different users' installations store the same private SSH key.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201508-0605",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "c4 obd-ii dongle",
"scope": "lte",
"trust": 1.0,
"vendor": "mobile devices",
"version": "3.4"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "metromile",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "mobile devices",
"version": null
},
{
"model": "c4 obd2 dongle",
"scope": "eq",
"trust": 0.8,
"vendor": "mobile devices",
"version": "2.x"
},
{
"model": "c4 obd2 dongle",
"scope": "eq",
"trust": 0.8,
"vendor": "mobile devices",
"version": "3.4.x"
},
{
"model": "c4 obd-ii dongle",
"scope": "eq",
"trust": 0.6,
"vendor": "mobile devices",
"version": "3.4"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
},
{
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:mobile_devices:c4_obd-ii_dongle_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
}
]
},
"cve": "CVE-2015-2906",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CVE-2015-2906",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "VHN-80867",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2015-2906",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2015-2906",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201508-496",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-80867",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-80867"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
},
{
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers\u0027 installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor says, \u201cThis is for developers. / Due to a problem with the debugging device, it is not included in the device for general customers, but is fixed at the current release ( Invalidation ) Has been announced. \" Supplementary information : CWE Vulnerability type by CWE-321: Use of Hard-coded Cryptographic Key ( Using hard-coded encryption keys ) Has been identified. http://cwe.mitre.org/data/definitions/321.htmlAn access right may be obtained by using a private key information from another installation by a third party. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning. The vulnerability stems from the fact that different user installers store the same private SSH key",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-2906"
},
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "VULHUB",
"id": "VHN-80867"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#209512",
"trust": 3.3
},
{
"db": "NVD",
"id": "CVE-2015-2906",
"trust": 2.5
},
{
"db": "JVN",
"id": "JVNVU93910224",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004406",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201508-496",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-80867",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "VULHUB",
"id": "VHN-80867"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
},
{
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"id": "VAR-201508-0605",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-80867"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-12T23:15:39.133000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "C4 OBD2 Dongle",
"trust": 0.8,
"url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
},
{
"title": "Mobile Devices Ingenierie C4 OBD2 Dongle Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=226414"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
},
{
"problemtype": "CWE-Other",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
},
{
"trust": 2.5,
"url": "http://www.kb.cert.org/vuls/id/209512"
},
{
"trust": 0.8,
"url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
},
{
"trust": 0.8,
"url": "http://illmatics.com/car_hacking.pdf"
},
{
"trust": 0.8,
"url": "http://www.autosec.org/pubs/cars-usenixsec2011.pdf"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2906"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu93910224/"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2906"
},
{
"trust": 0.8,
"url": "http://www.kb.cert.org/vuls/id/ckig-9zaqgx"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "VULHUB",
"id": "VHN-80867"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
},
{
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "VULHUB",
"id": "VHN-80867"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
},
{
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-08-11T00:00:00",
"db": "CERT/CC",
"id": "VU#209512"
},
{
"date": "2015-08-23T00:00:00",
"db": "VULHUB",
"id": "VHN-80867"
},
{
"date": "2015-08-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"date": "2015-08-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201508-496"
},
{
"date": "2015-08-23T21:59:02.933000",
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-08-28T00:00:00",
"db": "CERT/CC",
"id": "VU#209512"
},
{
"date": "2023-02-22T00:00:00",
"db": "VULHUB",
"id": "VHN-80867"
},
{
"date": "2015-08-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-004406"
},
{
"date": "2023-02-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201508-496"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2015-2906"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201508-496"
}
],
"trust": 0.6
}
}