IBM Researcher Warns Of Second-Hand Car Security Risk

An IBM researcher has warned that Internet-connected automobiles share the security shortcomings of other “Internet of Things” (IoT) connected devices, and detailed his own experience of a mobile application that allowed him to control his car – including remotely unlocking it – years after he had traded it in.

Charles Henderson, who leads IBM’s X-Force Red security testing group, presented his experiences at the RSA security conference in San Francisco, where Kaspersky Lab separately detailed its own findings of security flaws in several mobile automobile apps.

Trade-in

When he traded in his car to the dealership, Henderson said he was careful to delete his personal information from the car, reset its phone book, revoke connections to linked devices and reset the garage door opener, and he found the dealership took similar precautions.

He purchased a new car from the same unnamed manufacturer that used the same connected car management app for his mobile device, and noticed that the old car was still listed on the app.

“I didn’t think much of it — I figured there must be a process by which that car would be expired,” he wrote in a blog post.

That wasn’t the case, however, and after more than two years had passed his mobile app still had access to the old car, which had long since been sold to a new owner.

That meant he could not only remotely unlock the vehicle, but also track its location at all times, adjust the climate control, control its GPS systems and trigger its horn.

Such devices are not built with resale in mind, Henderson said, meaning there is no straightforward way for the new owner of a device – including a vehicle – to revoke the access of a previous owner, or even to know who has access.

Cloud data

A factory reset doesn’t lock out mobile control apps, because app access is controlled not by the device itself, but by remote servers to which only the manufacturer has access, Henderson explained.

Because IoT is so new manufacturers generally don’t have any procedure in place for changing ownership information at that server level, he said, although new owners can in some cases request that it be done.
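The following is an added illustration, not code from the article or from any manufacturer, of the server-side binding Henderson describes: a factory reset changes nothing on the server, so an "ever paired" check keeps honouring the seller, whereas an ownership-epoch check tied to an explicit transfer step revokes every earlier binding. User names and the VIN are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Vehicle:
    vin: str
    owner_epoch: int = 0                          # bumped on every ownership transfer
    bindings: dict = field(default_factory=dict)  # app user -> epoch when paired


class ConnectedCarBackend:
    # Toy model of the manufacturer's cloud that fronts remote-control commands.
    def __init__(self):
        self.vehicles = {}

    def register(self, vin):
        self.vehicles[vin] = Vehicle(vin)

    def pair_app(self, vin, user_id):
        v = self.vehicles[vin]
        v.bindings[user_id] = v.owner_epoch

    def factory_reset(self, vin):
        # Models the article's point: a reset clears in-car data (phone book,
        # linked devices) but touches nothing on the server, so bindings survive.
        return None

    def transfer_ownership(self, vin, new_owner):
        # The missing process: bump the epoch so every earlier binding goes stale,
        # then pair the new owner under the new epoch.
        v = self.vehicles[vin]
        v.owner_epoch += 1
        self.pair_app(vin, new_owner)

    def authorize_naive(self, vin, user_id):
        # "Was this user ever paired?" -- the behaviour the resold-car story implies.
        return user_id in self.vehicles[vin].bindings

    def authorize_epoch(self, vin, user_id):
        # "Is this user paired under the current owner?" -- stale bindings fail.
        v = self.vehicles[vin]
        return v.bindings.get(user_id) == v.owner_epoch

    def current_holders(self, vin):
        # What a new owner should be able to see: who can still control the car.
        v = self.vehicles[vin]
        return sorted(u for u, e in v.bindings.items() if e == v.owner_epoch)
```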

He gave the example of another researcher who purchased a second-hand home automation hub and found two other devices – including one only visible to the remote technical support operator – still had access to the unit.

In that case, the researcher was able to have the previous two devices locked out, but in many cases ordinary consumers might not have even been aware that other people were able to control their product.

“A new homeowner might be living with dozens of smart devices they don’t control,” he wrote. “We know these devices aren’t aware enough to know they’ve been sold — but the bigger problem is that many consumers don’t know they’ve purchased a product with IoT capabilities.”

Apps vulnerable

Henderson tested apps from four major auto makers, and found all allowed previous owners to access the cars after they had been resold.

Henderson suggested IoT device makers – including car manufacturers – should establish a common definition of a factory reset and disclose to their customers what data remains on remote servers after such a reset.

Separately, Kaspersky Lab tested seven automobile apps from undisclosed manufacturers and found that all had vulnerabilities that could allow attackers to access cars, unlocking them and modifying their settings.

While the automobiles themselves were relatively secure, the apps didn’t include sufficient protections against malware, Kaspersky found.

“It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors,” wrote researchers Victor Chebyshev and Mikhail Kuzin. “An evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.”


Matthew Broersma

Matt Broersma is a long-standing freelance technology journalist who has worked for Ziff-Davis, ZDNet and other leading publications.
