Skip to content
Naked Security Naked Security

Sure, you might have bought the car, but does someone else control it?

A researcher who was able to control his so-called 'smart' car three years after he sold it raises concerns about secondhand IoT devices

Smart cars can be pretty stupid. Thanks to the Internet of Things (IoT), they collect data about you and your driving habits with cloud-based services.

Then, they swap that data back and forth with apps that can control brakes, accelerators, radios, horns and windshield wipers, to lesser or greater degrees of “Holy mackerel, a remote hacker’s steering us into a ditch!!

That would be à la auto hackers Charlie Miller and Chris Valasek and the car models that the security pros persist in, well, driving into a ditch.

Now, an IBM researcher has pointed out that thanks to the smart mobile apps used to unlock a car with your phone, honk the horn and find out its precise location, you can control your car years after you sell it – even if you remove your personal information from the car’s services before you sell it back to the dealership.

The researcher, Charles Henderson, heads up IBM’s penetration testing service X-Force Red. At RSA 2017 last week, Henderson gave a presentation on how the lack of IoT security through a device’s lifecycle isn’t just a smart car problem. It’s a smart everything problem.

When it comes to IoT devices designed for convenience, be it for homes or cars, long-term security is “often overlooked or ignored completely,” he said in his IoT: End of Days session.

Like gum your kid stuck under a seat, that lack of security follow-through is going to stick to an IoT device when it’s sold, Henderson said:

[It] can lead to ongoing problems such as transfer of ownership, unsupported/zombie devices, weak authentication between IoT platforms, and protocol exploits.

His recent research has shown that nobody’s really paying attention to these devices once their original owners pass them on. The manufacturers, and the security industry, have focused on the initial provisioning of the devices, but they’ve forgotten that the IoT isn’t disposable.

It’s resold, it’s transferred … [and] almost no one’s paying attention to the back end of the ownership lifecycle.

That goes for home automation and smart cars alike. CNN quotes Henderson:

The car is really smart, but it’s not smart enough to know who its owner is, so it’s not smart enough to know it’s been resold. There’s nothing on the dashboard that tells you ‘the following people have access to the car’.

Henderson declined to name the make or model of the car in question, but it might not matter all that much, given that the problem seems to be rife: he’s found that cars from four major manufacturers all have apps that allow previous owners to access them from a mobile device.

Henderson was inspired to research IoT security vis-à-vis product lifecycle when he traded in his smart car three years ago. When he traded the car back to the dealership, he thought he had wiped it clean of his personal information. He did a full factory reset on the entertainment unit to wipe his phone number and other details, for example.

The dealership made sure it had all the keys, even checking to see whether additional keys had been issued. But that’s easy: physical security was something the dealer understood.

Cybersecurity? Not so much. Henderson was able to control the car through a mobile app for years. He told CNN that was because only the dealership that originally sold the car can see who has access and manually remove someone from the app. A full factory reset won’t revoke mobile access, Henderson said. While a factory reset wipes local data off a mobile phone so it can be resold, IoT devices store information in the cloud, on servers far away that the original owner can’t get at.

It’s not that auto manufacturers can’t let users wipe the data. It’s that they don’t want to, Henderson said: they fear that users might not do it right, or that anybody – say, a valet – who gets access to the car might revoke the owner’s access.

The explanation we were given was fear of user error. But a PIN system for reset or an authentication-required reset system would be my suggestion.

Owner data can be retained in other IoT devices as well, be they refrigerators, home security systems or connected lightbulbs.

Henderson passed on a number of tips we can use to protect ourselves when we buy used smart stuff:

  • Always check who can access data through user management settings on smart devices.
  • If you buy a home with smart appliances, ask a home inspector who understands security to check them out first.
  • Always ask car dealerships to show you how mobile apps work and to confirm any previous owners are no longer on the app.

Henderson says that users who aren’t tech-savvy might want to consider just buying brand-new gadgets and staying away from the second-hand IoT market.

Only buy new?! Makes my skinflint skin crawl at the thought of it.


3 Comments

You can buy a new car, but whose to say the dealer or one of his staff hasn’t put him/herself on the app while they were preparing it for first delivery?

It’s frustrating how slowly it has taken some car manufacturers to change, but I anticipate Tesla’s model of pushing updates to it’s vehicles will serve as a motivation to the rest. I wonder if manufacturers are worried that they’ll lose another reason to get people to buy a new car, to get the latest infotainment system, but it seems certain to serve them better in the long run.

Sounds like a lawsuit just itching to happen. Even without an accident/collision, the new owner deserves to know that the care is OWNED by them, not pwned by the previous owner(s).
Just think of the terrorism possibilities here: they don’t even have to do anything other than get a job at an auto dealership and plant some names on the hardware.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?