Disgruntled Ex-Employee Remotely Disables 100 Cars

hansamurai writes "Over one hundred cars equipped with a Webtech Plus blackbox were remotely disabled when a former employee of dealership Texas Auto Center got hold of his employer's database of users. Webtech Plus is repossession software that allows the dealership to disable a car's ignition or trigger the horn to honk when a payment is due. Owners had to remove the battery to stop the incessant honking. After the dealership began fielding an unusually high number of calls from upset car owners, they changed the passwords to the Webtech Plus software and then traced the IP address used to access the client to its former employee."

I don't understand

[commodoresloat]

Can someone explain this article to me using a car analogy?

Re:I don't understand

[tomhudson]

Can someone explain this article to me using a car analogy?

Sure. You don't qualify for a car loan, but they'll sell you a car, with a 5% per month interest rate, all sorts of fees, and a "you pass by the office by such-and-such a date with the cash or we kill your car" deal. Lots of cash income, much of it undeclared by the dealer, since the financing is not reported to credit rating agencies (it's called "in house financing" for a reason :-)

The car analogy? It's like getting a sh*tty deal on a sh*tty car.

Re:I don't understand

[couchslug]

To be fair, there are plenty of used car dealers who don't overcharge but do sell to not-terribly-reliable clients. They need a way to get their vehicle back when those clients quit paying.

Re:I don't understand

[tomhudson]

To be fair, there are plenty of used car dealers who don't overcharge but do sell to not-terribly-reliable clients. They need a way to get their vehicle back when those clients quit paying.

Here, let me fix that for you:

"To be fair, there are plenty of used car dealers who overcharge when they sell not-terribly-reliable cars to not-terribly-reliable clients. They need a way to get their vehicle back when those clients quit paying so they can flip them to the next sucker."

40% or more a year interest, extra fees, inflated "deposits" that are inevitably forfeited as soon as the sucker is one day late, the car repoed and the customer STILL owes the full amount as damages, "it's not a sale, it's a lease - at the end you can buy it for $100.00" - when at the end it's $100 + fees.

It's the auto equivalent of pay-day loans.

Re:I don't understand

[clarkkent09]

Yet those things have their place too, and they allow the worst of the deadbeats to somehow get a car. After all, it's not like getting a regular car loan from a reputable dealer is particularly difficult. I have a friend who works part time in a $12/hr job, has terrible credit history and no assets worth mentioning and she just got financing for a small used car from Carmax with an interest rate of 16%. People who have to get the deals like you mentioned are the ones that nobody in their right mind would loan money to except under those conditions. If they are being harsher than necessary on their customers then somebody (why not you?) will step in and be a slightly less harsh and take all the business.

Re:I don't understand

[adonoman]

Or you can just set up automatic payments for everything. I'm neither wealthy, nor a school teacher, but every monthly payment I make is automatically pulled out of my bank account without my interference. Car loan, student loans, phone, cell phone, internet, water / sewer, electricity / natural gas, mortgage, city taxes, car insurance, house insurance, even retirement savings, and donations all just happen. My pay-cheque is direct-deposited as well, so really the only interaction I have with the bank is when something changes. Otherwise, all I have to do is check my monthly statements to make sure everything's fine. I've never had a late payment, since in general, it's not up to me to make the payment.

Re:I don't understand

[plover]

Why? Do the "worst of the deadbeats" somehow still deserve credit? Credit isn't a basic human right. For that matter, owning a car isn't a basic human right, either.

If the deadbeats "need" a car, they really "need" to save enough money to buy one. I'm sorry about your destitute friend's situation, but I didn't extend her the credit that she defaulted on in the first place. I didn't give her the bad debt history. If she "hit a rough patch", she was already overextended when she hit it. Her creditors deserved to lose the money they never should have loaned her in the first place, but they also have the right to honestly report her repayment behavior to the credit bureaus -- it's why they keep track of such things.

Anyone stupid enough to loan money to someone who has walked away from their previous debts deserves the chance to lose any money they loan that person. Usurious loans fall under that category, too.

Re:I don't understand

[sodul]

I suppose you are trolling but I'll answer your question: it is because there is a higher risk they will never see their money back. If you lend money to 100 people and 10% of them will not repay you, you cannot expect to gain anything if the loan rate is under 10% do you ? If you take an other set of 100 people where you expect only 1% of non payment then you can give them a much better rate.
It just happen that people with large disposable income are less likely to default on a loan.

Re:I don't understand

[AK+Marc]

If she "hit a rough patch", she was already overextended when she hit it.

That's false. For one, about half of all bankruptcies in the US are caused by people with medical insurance who can't pay their medical bills. And another, if you want to get a divorce, just start an account and tell your partner "that's the divorce account so that I won't be overextended in case of divorce." That's only slightly worse than hiding money away without telling them what it's for.

Re:I don't understand

[ooshna]

Anyone stupid enough to loan money to someone who has walked away from their previous debts deserves the chance to lose any money they loan that person. Usurious loans fall under that category, too.

Must be nice to live in a perfect little world where you are the sole person that can hurt your credit. My uncle doesn't talk to my grandmother because when he was in college she got a few credit cards in his name and destroyed his credit. When he got out of college he had student loans to take care of.

Re:I don't understand

[ePhil_One]

If the deadbeats "need" a car, they really "need" to save enough money to buy one

I've bought 3 cars in my life for under $200 each, you don't "need" to buy a car on credit.

Anyone stupid enough to loan money to someone who has walked away from their previous debts deserves the chance to lose any money they loan that person.

And if they've loaned that money on the condition they can reclaim the car/home/kidney if the debtor stops paying, they have the right to reclaim it. I'm pretty confident those dealers aren't losing money on these loans. Its a much worse deal for the consumer than it is for the dealer, you can be sure of that

Re:I don't understand

[OzPeter]

For one, about half of all bankruptcies in the US are caused by people with medical insurance who can't pay their medical bills.

I used that fact on another forum, and someone countered that the amount of $$$ that the bankruptcies were for was in the order of $1000 or so. My first thought was - "bastard, shoot my argument down why don't you". Then my second thought was "Jeez, is that how little money separates the majority of people from bankruptcy. Thats really sad".

Re:I don't understand

[BitZtream]

You do realize that all of it is in the contract you sign up front so you know what you are spending if you bothered to read.

Second, you won't find a contract that says you have time after the due date before they can collect the item. Every contract states clearly that the instant you are late they can start the recovery process. If you don't want them to start the recovery process, follow the rules. If you don't like the rules, don't sign the contract, its not hard.

Just because you're used to living in a world where companies realize that most of the time its easier to float you a few days than it is to start the collection process and piss you off doesn't mean you have any sort of right or expectation that you should be able to bend the rules of the contract.

Its funny, you think its okay for you to bend the rules, but not for them to make unfair ones.

Thats pretty fucked up if you really sit down and think about it.

Re:I don't understand

[mcpkaaos]

>Its statistics.

No, it's just arithmetic. Stats is concerned with how likely and how often defaults may occur, not the overall gain or loss as a result.

>Perhaps because you aren't very bright?

Don't be a dick unless you are absolutely sure you are right. Even then, don't be a dick.

Re:I don't understand

[innocent_white_lamb]

Or you can just set up automatic payments for everything.
 
This works well up until there is a problem or billing dispute. For example, I know of someone who had automatic payments being made from their account to the electric company. The utility decided that some damage that he didn't think he was responsible for was, in fact, his responsibility so they withdrew $7500 from his bank account. He discovered this when his other cheques and whatnot started bouncing.
 
I have nothing set up for automatic payments. It doesn't take that long to write someone a cheque and put it in the mail, and I retain control of my own bank account and know that money won't be magically disappearing.
 
When it comes to a billing dispute, I would prefer to have them coming after me for money rather than be in a position where I am trying to get my money back from them.
 
I pay my bills but I want to know exactly how much I'm paying and what I got for my money. Then I'll write you a cheque.
 
In that order.

Re:I don't understand

[tomhudson]

They were pulling numbers out of their asses. The Harvard study says it's a lot worse. http://content.healthaffairs.org/cgi/content/full/hlthaff.w5.63/DC1

Among those whose illnesses led to bankruptcy, out-of-pocket costs averaged $11,854 since the start of illness; 75.7 percent had insurance at the onset of illness. Medical debtors were 42 percent more likely than other debtors to experience lapses in coverage. Even middle-class insured families often fall prey to financial catastrophe when sick.

and

Debtors with private insurance at the onset of their illnesses had even higher out-of-pocket costs than those with no insurance (Exhibit 5). This paradox is explained by the very high costs--$18,005--incurred by patients who initially had private insurance but lost i

Just look at the "out-of-pocket" expenses - and keep in mind that this doesn't include having to continue to pay insurance premiums while losing revenue because you're ill ,,, url:http://content.healthaffairs.org/content/vol0/issue2005/images/data/hlthaff.w5.63/DC1/Himmelstein_Ex5.gif?

Re:I don't understand

[Eivind]

If -that- isn't an argument that your medical system is fundamentally FUBARed then I don't know what is.

It's the worlds most expensive by far, has mediocre results (compare infant mortality or any other stat you can think of to any other country that spends above half the amount you spend) AND it regularily brings families into financial ruin, families that are ALREADY facing seriuos health-problems of one of the family-members, even those who HAVE insurance. (nevermind those who don't)

It's COMPLETELY incomprehencible to me that anyone is willing to accept that crap. Seriously.

Re:I don't understand

[silentcoder]

And yet you folks still seem to honestly believe the "socialized medicine" would leave you WORSE off than you are ?

*shakes head sadly*

Re:and

this makes front page of slashdot, why?

Because it makes the idiots who claim this kind of backdoor would never be misused look bad. Why are you protesting so much, anyway?

Re:What a dolt . . .

or the Brown Note?

What a maroon.

If you're going to play around with your ex-employer's systems like that, you don't do it from your own home. You go interstate, to a 'net cafe, and do it from there! Sheesh. Kids these days.

Re:So...

[tomhudson]

How long until the police/feds/intelligence/etc get to start using this on civilians?

They already are. See the latest OnStar commercials. If they're chasing you and you don't stop, they can either slow your car down, kill it, and/or make it start honking and flashing lights. And they can keep you locked in your car.

They've also been caught using it to spy on people by activating the voice channel.

Never buy a vehicle with OnStar.

Re:Should have changed password right away

[MDMurphy]

Since I RTFA I know that he used someone else's password.

Re:and

[DigiShaman]

At least Slashdot got it right unlike Wired who states it was an act of "hacking". WTF Wired, it wasn't a hack. It was as simple act of intrusion without authorization. Nothing special or fancy was required to do so.

Moron

[CSHARP123]

If not that job, go find another what did he achieve doing this may be getting pounding in the ass in Federal Prison. Now he cannot get anymore job anywhere.

Re:Moron

[aztektum]

>.<

Oh man, trying to read that hurt. Punctuation is our friend.

Re:Moron

[Threni]

> Punctuation is our friend.
>
>--
>:: aztek ::
>No sig for you!!

Uh..it's easy to get carried away, however...

This sounds like some great software.

[physicsphairy]

I would definitely be interested in buying a car that can be triggered to shutdown or start blaring its horn remotely! Is there anyway to buy one with a built-in bomb?

Re:This sounds like some great software.

I think a new Toyota would be exactly what you're looking for.

Another disgruntled employee

[CODiNE]

When are bosses going to learn to stop taking away their gruntles??

Re:Another disgruntled employee

[hey!]

"Disgruntled" is a word with very interesting origins. On the surface, it is one of those words (like "non-chalant") that appears to be a compound suggesting a non existent opposite word (like "chalant")

The OED cites P.D. Wodehouse for "gruntled", but obviously Wodehouse was playing with the language here when he suggests that it means "satisfied". "Gruntle" is actually a word, but it is an obsolete one. It is not the opposite of "gruntle". "Gruntle"/"disgruntle" is a word pair more like "flammable"/"inflammable"; the "in-" prefix in "inflammable" is not the "in-" that means "not" ; it is the "in-" prefix that means "in, into or onto". The "in-" in "inflammable" is a cognate of the prefix "en-", as in "enraged".

"Dis-" in "disgruntled" is from a much rarer and erudite Latin sense of "dis", one that means "utterly". Both the "utterly" sense of "dis" and the "not"/"lack"/"opposite of" senses come from a Proto-Indo-European root mean "to separate".

So we should take "disgruntled" to mean "utterly gruntled", not "un-gruntled". So what is "gruntle" supposed to mean? Technically, "gruntle" is the frequentive form of "grunt". A "frequentive" verb is one that indicates a continual, incessant action. The word "gruntle" originally came into English meaning the incessant sounds made by an inconsolably upset pig. Later by metonymy it came also refer to the pig's snout (the part he gruntles with), and later the word was used to describe the faces of people in an unpleasant mood. There are not so many useful Latin prefixes for amplification, and "supergruntled" does not trip off the tongue, so "disgruntled" became the word for a person whose face expressed a very unpleasant mood.

Maroons make the news

[Spy+Handler]

Non-maroons who do stuff like this, do it from net cafes using a chain of anonymous proxys, and they do not get caught.

It's just the maroons like this one that you hear about.

Re:Maroons make the news

[OzPeter]

Non-maroons who do stuff like this, do it from net cafes using a chain of anonymous proxys, and they do not get caught.

It's just the maroons like this one that you hear about.

If I was ever going to consider doing this I'd buy a cheap laptop off Craigslist for cash, and then buy a wireless card for cash from another location, and then drive to some community in the middle of nowhere and look for an open wireless AP. After which I would then pass said laptop through a shedder .. a really big shredder.

Re:Maroons make the news

[base3]

And make for fscking sure you weren't carrying a cell phone with a battery in it, driving a car with OnStar, or doing anything else that can put you anywhere near the location of the AP you're connecting to. Oh, and avoiding cameras would probably be good, too.

Re:Back door?

It is a back door. It's a back door installed by the dealer into your car with the assurance that it won't be misused.

The "front door" would be for them to send you a letter when you miss a payment, and send someone over to repossess the car if you continue to miss them, but I guess they feel that the tiny number of people who would try to steal the car justifies inflicting this system on all of their customers.

Re:Back door?

[bunratty]

The real question is, why is there *one* password for all the cars?

Well, duh! Because it's easier to remember. And it's better than having a post-it for each car -- just one post-it with the one password will do!

Hmm

[ryan.onsrc]

Perhaps Toyota should review which Engineers have been fired lately.

Update of old sticker

[Cryacin]

Honk if you're Hacked!

It's for people with crap credit

[Sycraft-fu]

They don't ask for it, the bank makes it a requirement of the loan. This way if a payment isn't on time, they can turn the car off to force the issue. You aren't going to find it on a car from a dealer, financed by a normal bank. It is for high risk situations.

Re:It's for people with crap credit

[compro01]

Or for people who own cars from GM. Onstar has this same kind of functionality.

And THIS, ladies and gentlemen...

[Spy+der+Mann]

...is the perfect example (and with car analogy indeed) of why DRM and remote product (de)activation is doomed to failure.

Re:And THIS, ladies and gentlemen...

[jimicus]

...is the perfect example (and with car analogy indeed) of why DRM and remote product (de)activation is doomed to failure.

Actually, this is a perfect example of why remote product deactivation is a great idea (it reduces the risk involved in selling a car on credit to people who are lousy credit risks), there are just some glitches that need ironing out. If it had been authenticated with a certificate which could be revoked as soon as the employee left (even better - build the certificate revoking process into the "remove employee from computer system" process) it'd be much less of an issue.

If you want an example of why remote product (de)activation is a lousy idea - and one with a car analogy - there was one on /. a couple of years back about a gated multi-storey car park where the developers of the car-park remotely locked the car park (locking all the cars in) when the owner refused to pay a monthly fee.

Re:Back door?

[Trogre]

No.

The real question is what the blistering hell are remote kill switches doing on cars in the first place?

I'm sure there's an iPhone analogy somewhere here...

Re:and

[ThePengwin]

<sarcasm>
Of course its hacking! how else could someone do that???
Next you're going to say that someone guessing a Facebook password isn't hacking!!!
</sarcasm>

Re:So...

[gandhi_2]

OnStar would interpret such a move as an attack.

Re:Back door?

[Jah-Wren+Ryel]

The real question is, why is there *one* password for all the cars? Shouldn't it be one password for each employee who has access to log into the "car disabling" server which then sends the lockdown signal using a trusted certificate?

They shouldn't have to change the passwords at all, just delete the employee's user account.

No. That's not the real question. It's a stupid ass question because it was answered in article.
Each employee does have an account. His account was even disabled. He used another employee's account.

Man, you got a +5 for "I didn't read the article" - I can understand no one bothering to mod you down, but +5 stupid? Come on...

Re:So...

[YrWrstNtmr]

And do you have any evidence that those things have been used when the owner is driving the car (even if wanted by the police) or only when the car is reported stolen?

Sure. Case in Las Vegas. Note that the FBI's use was not deemed illegal/inappropriate, but rather that it denied the user/owner of use during that time.

Repo in AZ

[Frank+T.+Lofaro+Jr.]

Or do what Arizona does where all the dealer has to do (other than a few formalities) is ask you to return the car, OR ELSE.

Since the OR ELSE in Arizona is a class 6 felony!

Facing up to 2 1/4 years in prison and being a felon for not turning it in makes having repo woman/man kinda redundant (surprisingly they exist, even though a dealer can have the police get the car back for free).

P.S. I'd HATE that law if I was a repo company employee or owner! Less reason to be used, and people in prison don't drive cars and felons have trouble getting them, so bad for repeat business. I can see how the deadbeats were unable to stop such a law, but surprised the repo companies didn't pay someone off to have it not pass or get repealed. There's big money in that business.

Also surprised the repo companies didn't get behind lobbying to make the remote black boxes illegal (have a "consumer protection" front lobby against it). No need to hire a repo company when all you need is a remote shutoff box and a tow truck.

As far as I know AZ is the only state with the law making it a felony to not return a car, although others make it a crime to "conceal collateral" (IL felony (*), CA misdemeanor).

P.P.S.:

(*) IL is probably the state with the most things defined as felonies I have seen. Not NY or CA or UT or anywhere else you'd expect (except maybe FL, but you don't even need to be convicted of a felony - they took people off the voter rolls in 2004 for felonies "committed" in 2007 - plus that state seems to be in a race with TX to see how pro-execution they can be.)

Re:Back door?

[frosty_tsm]

The real question is, why is there *one* password for all the cars?

Well, duh! Because it's easier to remember. And it's better than having a post-it for each car -- just one post-it with the one password will do!

One post-it to rule them all!

It Is My Sad Duty To Inform You...

[hyades1]

Dear Mr. Goosnarp:

I regret to inform you that the dealership no longer requires your services. Please don't assume that we believe you are without value as an employee and a human being, it's just that your particular skillset is not what we really need right now. Although you consistently exhibit a very high level of originality, and your computer skills easily surpass anyone else currently in our employ, we need somebody who pays more attention to the small details (cough) IP addy (cough).

We wish you well in your future endeavors, and would be delighted to supply a positive recommendation to any prospective employers who may contact us...as long as you don't do anything stupid.

Sincerely,

Your Former Boss

Re:They shouldn't be able to listen, but more comp

[dontbgay]

My sister is like that... Willing to remove all risk from her life and put control in the hands of other people for the safety of her kids. That's all well and good, but I don't need someone having the ability to remotely disable my automobile regardless of my distance from the person with their finger on the button. Sure, responsibility for my family is is important, but I don't need the specter of a nanny snooping in and judging me because I want to listen to some Middle Eastern music.

Life is risk. When you shed risk, it's usually at a price.

Re:and

[hansamurai]

When I submitted it I made a particular point to remove the references to "hacking".

Re:Back door?

[KingMotley]

But what happens after the last payment is made?

Re:So...

[tomhudson]

Sounds like GM can forget about getting any of my money.

they already got it - billions of it. Bail-out bux.

power imbalance

[circletimessquare]

whenever there is a power imbalance: little guy versus organization, things like desperation can move idiots to sign really stupid contracts. therefore, if the contract itself is abusive and usurious, it does not matter that you signed the contract, what matters is that one side of the contract, the one with more power, agreed to put someone in a financially abusive situation

i can make a contract that says "if you are a day late, i get your firstborn", and some idiot will still sign that contract. because people are idiots. but the observation does not end there: evil is worse than stupid

making abusive contracts is a form of preying on the weak and helpless and stupid. the weak and helpless and stupid must be protected by society, not because they deserve it, but because the assholes who prey on them get even more powerful, and pretty soon they're enforcing abusive terms on average intelligence folks of average means

so for a well functioning society, you need to punish the usurious, you need to punish those who make up abusive terms. they are far far worse than complete idiots

not really $1000

[Uksi]

Here's a study: http://download.journals.elsevierhealth.com/pdfs/journals/0002-9343/PIIS0002934309004045.pdf ("Medical Bankruptcy in the United States, 2007: Results of a National Study")

"92% of these medical debtors had medical debts over $5000, or 10% of pretax family income. The rest met criteria for medical bankruptcy because they had lost significant income due to illness or mortgaged a home to pay medical bills. Most medical debtors were well educated, owned homes, and had middle-class occupations. Three quarters had health insurance."

So while the medical debt is not necessarily sky-high, losing your job due to illness means that you are screwed on all your debts. Car, house, etc.

Also, further down: "Out-of-pocket medical costs averaged $17,943 for all medically bankrupt families" ... this means that these families successfully paid A LOT of money (~$13K) before declaring bankruptcy and ending up in an average of ~$5K of medical debt. These are not the people that ran up huge consumer debts and declared bankruptcy. These are the people that paid every bill until they just had no money left.