Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com)
An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN:
Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.
Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.
It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
dealership only sales and service coming soon? or should end users have a way to do a full reset for free?
That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.
That is a problem on more than 1 level.
Seems likely there will be a counter-trend of new or rebuilt cars without the IoT, perhaps from custom builders or DIY movement. But of course, you'd get a great sound system.
If upon looking for a new car, the dealership says they have a mobile app for it, turn around and walk away.
As someone considering getting a 'new', used car this year or next, it's pretty apparent I'll need to weed out just who thinks connecting it to any network is a good idea.
The list should become pretty short if any at all. Worst case, I go backwards and fix up something pre-high-tech.
If you miss a payment or two, they can (sometimes) use GPS to locate the vehicle, disable it remotely, and activate the horn if the vehicle is being sequestered nearby.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Let's put EVERY SINGLE THING on the internet.
Come on, it's a great idea! It'll go well for sure.
This kind of shit is exactly why I won't ever buy a car that has OnStar or any other connectivity back to the manufacturer.
That includes at least all Buick, Cadillac, GMC, Chevrolet and Tesla vehicles.
I can't imagine how non-technical people cope with the traitorous ways of consumer electronics. The only two reasonable approaches I can come up with are "fuck it, I don't care" and "No thanks, I don't need that."
I just purchased a used vehicle and not only was the former owner's phone still programmed to the car but their garage door and children's phones were too. I wiped it all of course. I was very surprised the dealership didn't wipe it prior to putting out for sale. The vehicle was from another time zone too somewhere in Texas and I'm on the east coast. The wrong time was what originally had me go into the menus and that's where I found the rest of their personally identifiable information. Something to keep in mind prior to selling your vehicle, wipe your dash system phone book and telemetry data.
Industry still has a lot to learn. They should hire pen testers. Park a few in the lobby of a black hat conference and let people go to town on them, let attendees earn some bounties while there. Get some feedback. It's like auto manufacturers hire programmers fresh out of high school with very little experience especially with security. Also, FFS auto manufacturers allow for firmware updates to update protocols from WEP to WPA2 or whatever comes in the future. Jesus.
“If I was a consumer who was less than tech-savvy, I would probably consider buying new rather than second-hand for this reason,” he said.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
This is actually why the FCC came down so hard on GPS and cell jammers. There was one particular lobby that had enough.
I'm in school and have worked lots of odd jobs. I was working at a dealership last year when this came up. I can't tell you the car company it was but this is all enforced dealership to dealership. Most dealerships are LAX.
This article was woefully lacking on information. I didn't know that this was a thing, and I still don't know what manufacturers, models, this is a thing for. Shitty article.
I don't respond to AC's.
Other than Tesla's business software, their car software is majorly secured.
Past users do not get to do this.
I prefer the "u" in honour as it seems to be missing these days.
Back in the late 1990's, I had a roommate who owned a red Toyota Corolla. After we did some Christmas shopping at a busy mall, we were confused as to where the car got parked. My roommate found a red Toyota Corolla, unlocked the doors with his key, we got in and he started the engine. We immediately knew that something was off. For example, the interior was too clean. My roommate checked the registration to discover that we were in someone else's car. We got out, locked up the car and found his car a few rows over. I read somewhere that car manufacturers make a dozen unique car keys for any particular model, making it possible for any car owner to drive off in someone else's car by accident or on purpose.
Are the previous owners not breaking the law by retaining such control? When you sell something then you are supposed to give up all interest and rights to it, to do otherwise is an act of conversion
1G Leafs won't talk to the internets now that AT&T has shut down their 2G network. Take that, future!
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
For all of the BS things they have used the CFAA, shouldn't this also cover the unauthorized access of computer equipment. Meaning that if you sell a car and do not decouple your phone app, that you can, and should(?), be held accountable?
Also tracking someone without their knowledge, by app or device, is a felony.
We can make short work of this lack of reset feature by prosecuting someone that didn't reset the app and include the manufacturer as an accessory since it is their network and app that makes this intrusion of privacy possible.
My wife leased a BMW X3 that was a "demo" with 6K miles.
I found that the dealer had not bothered to wipe any info stored in the car's nav/entertainment system.
The nav had all the previous destinations stored.
The radio buttons had been pre-programmed to dial certain numbers and they were still active.
Previous user's music was still loaded in memory.
I had to purge all this myself and now have to do it again when she turns in the car because I can't trust the dealer to do it.
I doubt that anyone else really pays attention to this. When I brought it up to the dealer at the first Service interval they just sort of shrugged it off.
Oh, and when we were being "introduced" to the car's tech, the dealer showed my wife how to download their "app".
This consisted of going to a BMW web page and then saving the web page to the Home Screen as a shortcut icon.
When I said that was not an "app", the tech guy just gave me a look.
I like microcars
Why would the dealership do this if they aren't holding the paper on the loan? My understanding is that most dealers are independent of the car manufacturers, and are taking out loans (and thus paying interest, one way or another) on the cars that they have in inventory. So why would they be making (or at least retaining ownership) in loans for cars that they have sold? Similarly for cars that they are leasing out...
Every week there is at least one, usually more than one, article talking about how apps or software in general are leaking information or clogging up the works in one way or another.
Despite this, all we hear from manufacturers is they're going to rush headlong into installing every privacy leaking, control-without-control, wide-open-to-the-world piece of software into everything they can lay their hands on and worse, making it mandatory this software connects to the Net.
Sheldon, from The Big Bang Theory, once remarked about hotels who don't use real keys for their doors, instead having credit cards to unlock a door. While only a show, the comment has some truth behind it. There is no need to tie everything and anything together with software, especially when that software is not secured in any manner and the user has no control over it, such as in this article.
In GM vehicles with Onstar, you can disable such 'features' by disconnecting the Onstar module which is typically located in the trunk under the spare tire. Black box with power, gps, and cellular connections. There's really no point to having it hooked up if you don't use Onstar, unless you want secret squirrels to be able to track your driving habits. Other cars have a similar setup.
Oh yeah, I'll also add that for many years there have been after market products that replace the Onstar unit entirely in order to make use of the connections without having to rewire your vehicle. I had a project to hook up a custom SBC based box in this fashion using a custom microkernel based OS, but currently in limbo... check out Jaguar's current projects for some leads on already existing frameworks to use if you want access to CAN and other such supposed voodoo via Linux.
I have already decided to never buy a car with one of those annoying screens mounted in the dashboard. Right now I have 2 2000 Fords. I will probably have to upgrade in 10 years or so but hopefully they will have aftermarket delete kits for the computer controlled HVAC by then.
Star Trek, there may be hope.
Do a reset for free? That's a good one. It'll move more towards dealer only ability. Like Audi, need the dealership tools to reset your oil service light.
I bought a used 2007 model with keyless drive in 2009. The car's menu system showed three keys assigned to the car, and it only came with two actual keyfobs.
The bigger problem with apps seems to be that you can fire up the app anywhere and do stuff with the car. An "extra" keyfob or a poor keyway design is only really a risk if you have physical access to the car.
Although I'd grant you that a weak keyway design with a limited number of unique keys is probably a real big car theft risk due to the fact that thieves can basically shop any large parking area and match a car.
I do not currently own a vehicle that has so many bells-and-whistles that there is GPS, or wireless anything in it (it's a light pickup truck with a 5-speed stick, and I like it that way), but if-and-when I have to replace it, and discover I (somehow) have no option but to get something with all those extras, Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio, of course. No one should be able to remotely control any vehicle I'm driving for any reason, ever. I'd consider that to be a gigantic security hole and a safety hazard.
The last three cars I've rented had bluetooth to let you make calls over the car's speakers. But the bluetooth functionality also does other stuff like sync contacts and call logs. I could view previous renters' call logs and sometimes the names associated with the calls. The latest car I rented was new so there was no previous renter. But it would also load your text messages over bluetooth and read them back to you over the speakers. I made sure to wipe those before I returned the car, but I'm pretty sure most renters won't know to do that.
Do a reset for free? That's a good one. It'll move more towards dealer only ability. Like Audi, need the dealership tools to reset your oil service light.
Not for all models. You can do it from MMI on modern cars, or on some older cars (like say the facelifted D2 A8) you can do it with a spock pinch on the cluster buttons. Or of course, you can do it with VAG-COM on those few vehicles which can't be reset without tools from inside the cockpit.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I know how you feel.
I presently have a vehicle with driving 'assists' and it's an effing nightmare when they trigger. There should be only one driver at the wheel thank you.
Any future cars will be early 90's or older and I will do a restoration if I have to.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
A lot of dealerships have their own buyer financing programs separated by little more than a name. Think along the lines of a buy here pay here dressed up a bit to resemble a real bank loan.
My current car is financed that way. Due to some screw ups in my credit, I was able to get a car loan a little cheaper in interest rates that way. The finance company is owned entirely by three different dealerships but is called something different and located in another state from those dealerships. I'm not aware of any other connections those three different dealerships have other than owning a finance company that they can use to sell cars to high risk people.
Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio
Except this might interfere with servicing, when the Dealer requires wireless access to the vehicle for routine activities such as resetting warning lights, upgrading firmware to correct issues, or reading diagnostic codes.
Concern is that at some point, the dealers might make cars that literally stop working if they fail to check in to the dealership's systems for a long enough period of time to verify Software licenses, or something
I've bought tons of used cell phones over the years and it's amazing how many people leave their apps intact and leave themselves signed in. Occasionally I'll mess with their social media accounts.
I don't think that will be sufficient or even a good plan for the car owner.
The correct and complete solution is simple (and it's high time /. readers start endorsing this to each other and to their Congressional representatives): complete corresponding source code for all of the car's software licensed to the car owner under a free software license. I recommend the AGPLv3 or later in order to help maintain software freedom when people provide remote services to do this job. This would allow the car owner to have an application they trust running on and in the car which allows them to list all connections to other parties and selectively break whichever connections they wish ad-hoc. Few dealers would prefer this because it cuts them out of the loop; only dealers that genuinely want you to have the best available support and service, even extending beyond the dealer's business.
Practical problems with a dealer-only arrangement include: no possibility of getting this fixed ad-hoc (dealers in the US often don't do business on Sundays) which means your privacy means less to them than their ability to engineer new monopolies, no way to trust that the connection to someone's monitor is complete (you're trusting the dealer not to screw you but they have already shown a desire to do that in other ways), dealers are like any other business in that they sometimes go out of business which leaves car owners in the dark for getting this operation done, cooperative dealers are sometimes too far to realistically deal with (if I sell the car from the US mainland to someone in Hawaii they won't want to ship the car back to get this done because their Hawaiian dealer either doesn't exist or isn't cooperative).
Digital Citizen
You'll short out the 'receive only' GPS technology?
Your approach to risk assessment is flawed.
Well, a car that can be controlled by someone else isn't mine. The same goes for a computer. So I won't buy such crap. But feel free to do so and get royally fucked.
That would be an improvement over the current situation where there is less than one driver per vehicle.
Between people yakking on their phones, texting or using apps on their phones, driving is the last priority for them.
I agree. I commuted for a year for 1.5 hours a day one direction on the most dangerous road in the state and it was combative daily just to get to work and back without getting killed, or held hostage at 35mph ( Speed limit is 55 )
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Already on it, but thanks for the heads up.
You're implying I'd take a vehicle to a dealership for any sort of servicing. I do my own maintenance and repair, thank you very much, and of all the places you can get mechanical work done on a vehicle, a dealership is the most expensive choice 100% of the time. Besides which, if it was some warranty or recall situation I can't ignore, you're also implying I'd destroy some vital part of the vehicles' electronics in the process of disabling antennas; I am not some ham-fisted amateur with a soldering iron, I've been working in electronics for more than 30 years. Anything I do would be reversible. Dummy loads can be substituted for transceiver antennas, and the transceiver in question is none the wiser; receive-only antennas can simply be disconnected and shorted to ground. An active GPS antenna (one that has a preamp embedded in the antenna itself) can just be left disconnected; GPS signals are so low that it's not going to get a satellite lock without a proper antenna.
So far as auto manufacturers requiring vehicles to 'phone home' or they'd stop working: Sounds like a lawsuit in the making and a massive recall to me. Also if they actually had the gall to do such a thing, I just plain would refuse to own such a vehicle, because designing it that way is utterly preposterous.
My desire for privacy includes, naturally, not wanting my movements being tracked. That means disabling any sort of onboard GPS receiver, which is a trivial matter for someone like me; if it's a passive antenna, you disconnect it and short it to ground, or just disconnect it and leave it. GPS signals are so small that the receiver isn't going to get a satellite lock without a proper antenna.
Keeping the GPS receiver active is fine for navigation purposes (provided you have a proper built in nav-system and not that shitty OnStar turn-by-turn); you're not tracked by it directly. It's only the 4G LTE Wireless radio that needs to be disabled. That's where you have the data stream going back to OnStar, and thus to the MyChevrolet or OnStar app, with the read from your GPS for location along with the LTE triangulation to enhance location resolution. You've already stated this as part of your telemetry disablement plan before, but you didn't clarify the part to answer Cederic on what exactly keeps OnStar and its apps from knowing your location and vehicle status as just shorting out the GPS isn't going to stop anything telemetry wise (Cedric's point). Killing the data connection up-link is what's imperative, and that's not through satellites.
Are you serious? Couldn't possibly be because interference to GPS and cell service caused direct risk of life and economic damage? Surely it was lienholders who drove the banning of unlicensed crap radio hardware with wide-band, spurious, and unsuppressed harmonic emissions.
Selling a car and keeping the control is a scam, simple as that. If I buy a used car with an app to control it - I get the phone with that app too. Or no sale.
If I am deceived, the previous owner dare use this control, he might get a very nasty visit some night, where his front door will be 'controlled' with an axe. And then his furniture rearranged by force.
Considering that the software in vehicles is not open-source you can't be sure it's not storing location data for later uploading, which is plausible considering the possible unreliability of wireless communication. Therefore disable the GPS receiver.
Eating -- I mean with a plate and fork -- Make-up application -- Hair Styling -- Turning Around Completely to talk -- Sex -- Urination (I think) -- Photography (Camera and Phone) I know I have seen other stuff. Feel free to add to the list.
You know, I have recently become more aware of how distracting getting audio is these days. In days gone by the car only had a radio with punch buttons for favorites (Provided one set them). Or later slotting in an 8 Track, a cassette, or CD was not too crazy (not always that safe admittedly) But even tuning the radio dial could be done with eyes on the road. One tuned in by ear, of course.
But now? In my new car with the 9 inch touch screen. Bluetooth, Spotify, Sirius XM and all manner of stuff on the console (Not to mention Sat Nav). It's cool, but to be safe it should at least be teed up while stationary. Touch screen to drill down through menus in traffic? Tempting but relatively distracting. (I confess to succumbing to the temptation on occasion.) If content is from my Android phone I can use voice control, which I like. And hands free is okay. But truth be told even yakking takes some processing power of the driving task.
I would like to have self drive for the boring bits. Volvo is close to launching a workable solution. Testing a hundred SD cars in real world in Sweden right now. Full manual for when I am in control. Driver Assist nanny randomly kicking in while I am in control would make me unhappy. I drive as mindfully as I can. No daydreaming to the extent possible. Eyes on the road reading down lane. Fully present behind the wheel with active situational awareness using mirrors. My motivation? Calculating the amount of kinetic energy I have accumulated straddling a controlled gasoline bomb in a steel and plastic egg.
"No fear. No envy. No meanness." Liam Clancy
It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
It's something to consider when buying proprietary IoT devices...
FTFY