Ian Foster

**Name of the Vulnerable Software and Affected Versions** Android versions 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1 **Description** The issue is related to insufficient access control in the Telephony component of the Android operating system. It allows a remote attacker to elevate privileges using a local malicious application, potentially gaining access to elevated capabilities that are not normally accessible to third-party applications. **Recommendations** For versions 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mobile Devices (aka MDI) C4 OBD-II dongles versions 2.x through 3.4.x **Description** The issue allows remote attackers to obtain access by leveraging knowledge of the required `username` and `password`, due to hardcoded SSH credentials. **Recommendations** For versions 2.x through 3.4.x, consider disabling SSH access until a patch is available. Restrict access to the device to minimize the risk of exploitation. Avoid using the hardcoded `username` and `password` in the affected SSH connection until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mobile Devices (aka MDI) C4 OBD-II dongles versions 2.x through 3.4.x **Description** The issue allows remote attackers to execute arbitrary code by specifying an update server, due to the lack of validation of firmware updates. **Recommendations** For versions 2.x through 3.4.x, update the firmware to a version that includes validation of firmware updates.