Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com)
An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN:
Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.
Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.
It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
Dealership-only sales and service coming soon? Or should end users have a way to do a full reset for free?
If upon looking for a new car, the dealership says they have a mobile app for it, turn around and walk away.
As someone considering getting a 'new', used car this year or next, it's pretty apparent I'll need to weed out just who thinks connecting it to any network is a good idea.
The list should become pretty short if any at all. Worst case, I go backwards and fix up something pre-high-tech.
I do not currently own a vehicle that has so many bells-and-whistles that there is GPS, or wireless anything in it (it's a light pickup truck with a 5-speed stick, and I like it that way), but if-and-when I have to replace it, and discover I (somehow) have no option but to get something with all those extras, Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio, of course. No one should be able to remotely control any vehicle I'm driving for any reason, ever. I'd consider that to be a gigantic security hole and a safety hazard.