CVE-2015-2906

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers' installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation.  

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| certcc | CNA | --- | --- |
| CVE | ADP | --- | --- |

EPSS Score percentile: 69%

| Vendor | Product | Version |
|---|---|---|
| mobile_devices | c4_obd-ii_dongle_firmware | 𝑥 ≤ 3.4 |

𝑥 = Vulnerable software versions