Slashdot Mirror


Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com)

An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN: Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.

11 of 102 comments

  1. dealership only sales and service coming soon? or by Joe_Dragon · · Score: 4, Insightful

    dealership only sales and service coming soon? or should end users have a way to do a full reset for free?

  2. Re:dealership only sales and service coming soon? by rmdingler · · Score: 3, Informative

    Dealerships that tote-the-note are familiar with, and quite fond of, maintaining control of some of the apps on your vehicle.

    If you miss a payment or two, they can (sometimes) use GPS to locate the vehicle, disable it remotely, and activate the horn if the vehicle is being sequestered nearby.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  3. Growing Pains by Anonymous Coward · · Score: 3, Interesting

    I just purchased a used vehicle and not only was the former owner's phone still programmed to the car but their garage door and children's phones were too. I wiped it all of course. I was very surprised the dealership didn't wipe it prior to putting out for sale. The vehicle was from another time zone too somewhere in Texas and I'm on the east coast. The wrong time was what originally had me go into the menus and that's where I found the rest of their personally identifiable information. Something to keep in mind prior to selling your vehicle, wipe your dash system phone book and telemetry data.

    Industry still has a lot to learn. They should hire pen testers. Park a few in the lobby of a black hat conference and let people go to town on them, let attendees earn some bounties while there. Get some feedback. It's like auto manufacturers hire programmers fresh out of high school with very little experience especially with security. Also, FFS auto manufacturers allow for firmware updates to update protocols from WEP to WPA2 or whatever comes in the future. Jesus.

    1. Re:Growing Pains by grahamsz · · Score: 3, Interesting

      Rental companies too. I'm surprised by how many rentals I get where people have not only left their phone pairs, but have often synced their entire contact list. I'm disappointed that rental companies don't reset, never crossed my mind that dealers would be so inept.

  4. So much for help from automakers... by rmdingler · · Score: 3, Informative

    (FTA) IBM security researcher Charles Henderson:

    “If I was a consumer who was less than tech-savvy, I would probably consider buying new rather than second-hand for this reason,” he said.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  5. This happens to dumb cars as well... by __aaclcg7560 · · Score: 5, Informative

    Back in the late 1990's, I had a roommate who owned a red Toyota Corolla. After we did some Christmas shopping at a busy mall, we were confused as to where the car got parked. My roommate found a red Toyota Corolla, unlocked the doors with his key, we got in and he started the engine. We immediately knew that something was off. For example, the interior was too clean. My roommate checked the registration to discover that we were in someone else's car. We got out, locked up the car and found his car a few rows over. I read somewhere that car manufacturers make a dozen unique car keys for any particular model, making it possible for any car owner to drive off in someone else's car by accident or on purpose.

  6. Breaking the law? by grahammm · · Score: 4, Interesting

    Are the previous owners not breaking the law by retaining such control? When you sell something then you are supposed to give up all interest and rights to it, to do otherwise is an act of conversion.

  7. User data can also be left behind by microcars · · Score: 4, Interesting

    My wife leased a BMW X3 that was a "demo" with 6K miles.
    I found that the dealer had not bothered to wipe any info stored in the car's nav/entertainment system.
    The nav had all the previous destinations stored.
    The radio buttons had been pre-programmed to dial certain numbers and they were still active.
    Previous user's music was still loaded in memory.
    I had to purge all this myself and now have to do it again when she turns in the car because I can't trust the dealer to do it.
    I doubt that anyone else really pays attention to this. When I brought it up to the dealer at the first Service interval they just sort of shrugged it off.

    Oh, and when we were being "introduced" to the car's tech, the dealer showed my wife how to download their "app".
    This consisted of going to a BMW web page and then saving the web page to the Home Screen as a shortcut icon.
    When I said that was not an "app", the tech guy just gave me a look.

    --
    I like microcars

  8. Re:dealership only sales and service coming soon? by Rick+Schumann · · Score: 3, Insightful

    I do not currently own a vehicle that has so many bells-and-whistles that there is GPS, or wireless anything in it (it's a light pickup truck with a 5-speed stick, and I like it that way), but if-and-when I have to replace it, and discover I (somehow) have no option but to get something with all those extras, Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio, of course. No one should be able to remotely control any vehicle I'm driving for any reason, ever. I'd consider that to be a gigantic security hole and a safety hazard.

  9. Re:Bigger problem on rental cars by drinkypoo · · Score: 3, Informative

    Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!

    Actually, many of these infotainment systems do have a factory reset function. You might have to tunnel into the settings to find it, but it is often there.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  10. Re:dealership only sales and service coming soon? by sumdumass · · Score: 3, Informative

    A lot of dealerships have their own buyer financing programs separated by little more than a name. Think along the lines of a buy here pay here dressed up a bit to resemble a real bank loan.

    My current car is financed that way. Due to some screw ups in my credit, I was able to get a car loan a little cheaper in interest rates that way. The finance company is owned entirely by three different dealerships but is called something different and located in another state from those dealerships. I'm not aware of any other connections those three different dealerships have other than owning a finance company that they can use to sell cars to high risk people.