VAR-201508-0606

Vulnerability from variot - Updated: 2025-04-12 23:15

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, have hardcoded SSH credentials, which makes it easier for remote attackers to obtain access by leveraging knowledge of the required username and password. The Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. According to the vendor's statement, the affected functionality is intended for developers and debugging devices, is not included in devices for general customers, and has been fixed (disabled) in the current release. Supplementary information: the vulnerability type has been identified as CWE-798: Use of Hard-coded Credentials (http://cwe.mitre.org/data/definitions/798.html). A third party who knows the required username and password may obtain access rights. A remote attacker could exploit the vulnerability with a known username and password to gain access. Metromile Pulse (formerly known as Metronome) is auto insurance business software from Metromile, a company in the United States; it reads the vehicle's mileage through OBD2 (on-board diagnostics) and charges according to that mileage. The software supports mobile network connectivity and built-in GPS, and can locate lost vehicles through positioning.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201508-0606",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "c4 obd-ii dongle",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "mobile devices",
        "version": "3.4"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "metromile",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "mobile devices",
        "version": null
      },
      {
        "model": "c4 obd2 dongle",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "mobile devices",
        "version": "2.x"
      },
      {
        "model": "c4 obd2 dongle",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "mobile devices",
        "version": "3.4.x"
      },
      {
        "model": "devices c4 obd-ii dongles with",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "mobile",
        "version": "2.x"
      },
      {
        "model": "devices c4 obd-ii dongles with",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "mobile",
        "version": "3.4.x"
      },
      {
        "model": "c4 obd-ii dongle",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "mobile devices",
        "version": "3.4"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:mobile_devices:c4_obd-ii_dongle_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      }
    ]
  },
  "cve": "CVE-2015-2907",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "CVE-2015-2907",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "CNVD-2015-05628",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-80868",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2015-2907",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2015-2907",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2015-05628",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201508-497",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-80868",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80868"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, have hardcoded SSH credentials, which makes it easier for remote attackers to obtain access by leveraging knowledge of the required username and password. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor says, \u201cThis is for developers. / Due to a problem with the debugging device, it is not included in the device for general customers, but is fixed at the current release ( Invalidation ) Has been announced. \" Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. http://cwe.mitre.org/data/definitions/798.htmlAn access right may be obtained by using the requested user name and password information by a third party. A remote attacker could exploit the vulnerability with a known username and password to gain access. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2015-2907"
      },
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80868"
      }
    ],
    "trust": 2.97
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#209512",
        "trust": 3.3
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2907",
        "trust": 3.1
      },
      {
        "db": "JVN",
        "id": "JVNVU93910224",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-80868",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80868"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "id": "VAR-201508-0606",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80868"
      }
    ],
    "trust": 1.7
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      }
    ]
  },
  "last_update_date": "2025-04-12T23:15:39.161000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "C4 OBD2 Dongle",
        "trust": 0.8,
        "url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
      },
      {
        "title": "Patch for Mobile Devices C4 OBD2 Dongle Access Viability (CNVD-2015-05628)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/63061"
      },
      {
        "title": "Mobile Devices Ingenierie C4 OBD2 Dongle Security vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=227305"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-Other",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.9,
        "url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
      },
      {
        "trust": 2.5,
        "url": "http://www.kb.cert.org/vuls/id/209512"
      },
      {
        "trust": 0.8,
        "url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
      },
      {
        "trust": 0.8,
        "url": "http://illmatics.com/car_hacking.pdf"
      },
      {
        "trust": 0.8,
        "url": "http://www.autosec.org/pubs/cars-usenixsec2011.pdf"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2907"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu93910224/"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2907"
      },
      {
        "trust": 0.8,
        "url": "http://www.kb.cert.org/vuls/id/ckig-9zaqgx"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80868"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80868"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2015-08-11T00:00:00",
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "date": "2015-08-27T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "date": "2015-08-23T00:00:00",
        "db": "VULHUB",
        "id": "VHN-80868"
      },
      {
        "date": "2015-08-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "date": "2015-08-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      },
      {
        "date": "2015-08-23T21:59:04.027000",
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2015-08-28T00:00:00",
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "date": "2015-08-27T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2015-05628"
      },
      {
        "date": "2023-03-01T00:00:00",
        "db": "VULHUB",
        "id": "VHN-80868"
      },
      {
        "date": "2015-08-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-004407"
      },
      {
        "date": "2023-03-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      },
      {
        "date": "2025-04-12T10:46:40.837000",
        "db": "NVD",
        "id": "CVE-2015-2907"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-497"
      }
    ],
    "trust": 0.6
  }
}



Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

