A researcher found he could continue to track, control and unlock his old car via its mobile app years after trading it in
An IBM researcher has warned that Internet-connected automobiles share the security shortcomings of other “Internet of Things” (IoT) connected devices, and detailed his own experience of a mobile application that allowed him to control his car – including remotely unlocking it – years after he had traded it in.
Charles Henderson, who leads IBM’s X-Force Red security testing group, presented his experiences at at the RSA security conference in San Francisco, where Kaspersky Lab separately detailed its own findings of security flaws in several mobile automobile apps.
When he traded in his car to the dealership, Henderson said he was careful to delete his personal information from the car, reset its phone book, revoke connections to linked devices and reset the garage door opener, and he found the dealership took similar precautions.
He purchased a new car from the same unnamed manufacturer that used the same connected car management app for his mobile device, and noticed that the old car was still listed on the app.
“I didn’t think much of it — I figured there must be a process by which that car would be expired,” he wrote in a blog post.
That wasn’t the case, however, and after more than two years had passed his mobile app still had access to the old car, which had long since been sold to a new owner.
That meant he could not only remotely unlock the vehicle, but also track its location at al times, adjust the climate control, control its GPS systems and trigger its horn.
Such devices are not built with resale in mind, Henderson said, meaning there is no straightforward way for the new owner of a device – including a vehicle – to revoke the access of a previous owner, or even to know who has access.
A factory reset doesn’t lock out mobile control apps, because app access is controlled not by the device itself, but by remote servers to which only the manufacturer has access, Henderson explained.
Because IoT is so new manufacturers generally don’t have any procedure in place for changing ownership information at that server level, he said, although new owners can in some cases request that it be done.
He gave the example of another researcher who purchased a second-hand home automation hub and found two other devices – including one only visible to the remote technical support operator – still had access to the unit.
In that case, the researcher was able to have the previous two devices locked out, but in many cases ordinary consumers might not have even been aware that other people were able to control their product.
“A new homeowner might be living with dozens of smart devices they don’t control,” he wrote. “We know these devices aren’t aware enough to know they’ve been sold — but the bigger problem is that many consumers don’t know they’ve purchased a product with IoT capabilities.”
Henderson tested apps from four major auto makers, and found all allowed previous owners to access the cars after they had been resold.
Henderson suggested IoT device makers – including car manufacturers – should establish a common definition of a factory reset and disclose to their customers what data remains on remote servers after such a reset.
Separately, Kaspersky Lab tested seven automobile apps from undisclosed manufacturers and found that all had vulnerabilities that could allow attackers to access cars, unlocking them and modifying their settings.
While the automobiles themselves were relatively secure, the apps didn’t include sufficient protections against malware, Kaspersky found.
“It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors,” wrote researchers Victor Chebyshev and Mikhail Kuzin. “An evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.”
Do you know all about security in 2017? Try our quiz!