IBM Researcher Warns Of Second-Hand Car Security Risk

An IBM researcher has warned that Internet-connected automobiles share the security shortcomings of other “Internet of Things” (IoT) connected devices, and detailed his own experience of a mobile application that allowed him to control his car – including remotely unlocking it – years after he had traded it in.

Charles Henderson, who leads IBM’s X-Force Red security testing group, presented his experiences at at the RSA security conference in San Francisco, where Kaspersky Lab separately detailed its own findings of security flaws in several mobile automobile apps.


When he traded in his car to the dealership, Henderson said he was careful to delete his personal information from the car, reset its phone book, revoke connections to linked devices and reset the garage door opener, and he found the dealership took similar precautions.

He purchased a new car from the same unnamed manufacturer that used the same connected car management app for his mobile device, and noticed that the old car was still listed on the app.

“I didn’t think much of it — I figured there must be a process by which that car would be expired,” he wrote in a blog post.

That wasn’t the case, however, and after more than two years had passed his mobile app still had access to the old car, which had long since been sold to a new owner.

That meant he could not only remotely unlock the vehicle, but also track its location at al times, adjust the climate control, control its GPS systems and trigger its horn.

Such devices are not built with resale in mind, Henderson said, meaning there is no straightforward way for the new owner of a device – including a vehicle – to revoke the access of a previous owner, or even to know who has access.

Cloud data

A factory reset doesn’t lock out mobile control apps, because app access is controlled not by the device itself, but by remote servers to which only the manufacturer has access, Henderson explained.

Because IoT is so new manufacturers generally don’t have any procedure in place for changing ownership information at that server level, he said, although new owners can in some cases request that it be done.

He gave the example of another researcher who purchased a second-hand home automation hub and found two other devices – including one only visible to the remote technical support operator – still had access to the unit.

In that case, the researcher was able to have the previous two devices locked out, but in many cases ordinary consumers might not have even been aware that other people were able to control their product.

“A new homeowner might be living with dozens of smart devices they don’t control,” he wrote. “We know these devices aren’t aware enough to know they’ve been sold — but the bigger problem is that many consumers don’t know they’ve purchased a product with IoT capabilities.”

Apps vulnerable

Henderson tested apps from four major auto makers, and found all allowed previous owners to access the cars after they had been resold.

Henderson suggested IoT device makers – including car manufacturers – should establish a common definition of a factory reset and disclose to their customers what data remains on remote servers after such a reset.

Separately, Kaspersky Lab tested seven automobile apps from undisclosed manufacturers and found that all had vulnerabilities that could allow attackers to access cars, unlocking them and modifying their settings.

While the automobiles themselves were relatively secure, the apps didn’t include sufficient protections against malware, Kaspersky found.

“It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can be targeted by malefactors,” wrote researchers Victor Chebyshev and Mikhail Kuzin. “An evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything.”

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Tesla Bluetooth Locks Can Be Hacked, Warns NCC Group

Digital locks, including those fitted to Tesla vehicles, are vulnerable to being unlocked via an…

2 hours ago

Twitter Board To ‘Enforce’ Elon Musk Merger Agreement

Legal action ahead? Elon Musk's takeover agreement of Twitter will be enforced says board of…

3 hours ago

Silicon UK In Focus Podcast: Is Your Business Ready for Frontend-as-a-Service?

How could FaaS revolutionise E-commerce? And how can businesses embrace this technology to connect with…

4 hours ago

Uber Eats Offers Two Robo-Delivery Services In California

Uber Eats offers food delivery using Motional autonomous cars in Santa Monica and sidewalk robot…

23 hours ago

Russia ‘Not Planning To Block YouTube’ Says Minister

Digital minister says Russia not planning to block YouTube in the country as Russian users…

1 day ago

Twitter Fights Back Over Musk Bot Allegations

Twitter chief executive Parag Agrawal defends company's estimates of fake accounts as Elon Musk says…

1 day ago