The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Scout_gps_link | Telenav | 1.0.4 (including) | 1.0.109 (including) |
Common protection mechanisms include:
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]