Metromile Information for VU#209512

Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities



Vendor Statement

In June, Metromile learned that several vulnerabilities were discovered in Mobile Devices (MDI) OBD-II dongles that could be used to compromise the devices remotely.  Metromile worked with MDI to ensure that all common configurations of Metromile Pulse, used by our per-mile insurance customers, received OTA updates as soon as possible.  By July 24th, MDI had released updated versions of its 2.x and 3.4.x firmware which resolved the discovered exploits.  As of today, most devices have successfully downloaded and applied the appropriate firmware update and we expect the remainder of devices to be patched by mid-August.  Most devices that have not yet taken the patch show no signs of network activity and have not contacted update servers since before updated firmware was made available.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References



There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.