Used Cars Can Still Be Controlled By Their Previous Owners' Apps

An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN: Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.
It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.

dealership only sales and service coming soon? or

[Joe_Dragon]

dealership only sales and service coming soon? or should end users have a way to do an full reset for free?

Re:dealership only sales and service coming soon?

[rmdingler]

Dealerships that tote-the-note are familiar with, and quite fond of, maintaining control of some of the apps on your vehicle.

If you miss a payment or two, they can (sometimes) use GPS to locate the vehicle, disable it remotely, and activate the horn if the vehicle is being sequestered nearby.

Re:

[BeauSD]

This is actually why the FCC came down so hard on GPS and cell jammers. There was one particular lobby that had enough.

I'm in school and have worked lots of oddjobs. I was working at a dealership last year when this came up. I can't tell you the car company it was but this is all enforced dealership to dealership. Most dealerships are LAX.

Re: dealership only sales and service coming soon?

[Anonymous Coward]

In GM vehicles with Onstar, you can disable such 'features' by disconnecting the Onstar module which is typically located in the trunk under the spare tire. Black box with power, gps, and cellular connections. There's really no point to having it hooked up if you don't use Onstar, unless you want secret squirrels to be able to track your driving habits. Other cars have a similar setup.

Re:

[trg83]

Are you serious? Couldn't possibly be because interference to GPS and cell service caused direct risk of life and economic damage? Surely it was lienholders who drove the banning of unlicensed crap radio hardware with wide-band, spurious, and unsuppressed harmonic emissions.

Re:dealership only sales and service coming soon?

[sumdumass]

A lot of dealerships have their own buyer financing programs separated by little more than a name. Think along the lines of a buy here pay here dressed up a bit to resemble a real bank loan.

My current car is financed that way. Due to some screw ups in my credit, I was able to get a car loan a little cheaper in interest rates that way. The finance company is owned entirely by three different dealerships but is called something different and located in another state from those dealerships. I'm not aware of any other connections those three different dealerships have other than owning a finance company that they can use to sell cars to high risk people.

Re:dealership only sales and service coming soon?

[Rick Schumann]

I do not currently own a vehicle that has so many bells-and-whistles that there is GPS, or wireless anything in it (it's a light pickup truck with a 5-speed stick, and I like it that way), but if-and-when I have to replace it, and discover I (somehow) have no option but to get something with all those extras, Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio, of course. No one should be able to remotely control any vehicle I'm driving for any reason, ever. I'd consider that to be a gigantic security hole and a safety hazard.

Re:

[Hylandr]

I know how you feel.

I presently have a vehicle with driving 'assists' and it's an effing nightmare when they trigger. There should be only one driver at the wheel thank you.

Any future cars will be early 90's or older and I will do a restoration if I have to.

Re:

[tlhIngan]

I presently have a vehicle with driving 'assists' and it's an effing nightmare when they trigger. There should be only one driver at the wheel thank you.

That would be an improvement over the current situation where there is less than one driver per vehicle.

Between people yakking on their phones, texting or using apps on their phones, driving is the last priority for them.

Re:

[Hylandr]

I agree. I commuted for a year for 1.5 hours a day one direction on the most dangerous road in the state and it was combative daily just to get to work and back without getting killed, or held hostage at 35mph ( Speed limit is 55 )

Distractions I have seen with car in motion

[bdwoolman]

Eating -- I mean with a plate and fork -- Make-up application -- Hair Styling -- Turning Around Completely to talk -- Sex -- Urination (I think) -- Photography (Camera and Phone) I know I have seen other stuff. Feel free to add to the list.

You know, I have recently become more aware of how distracting getting audio is these days. In days gone by the car only had a radio with punch buttons for favorites (Provided one set them). Or later slotting in an 8 Track, a cassette, or CD was not too crazy (not alwa

Re:

[mysidia]

Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio

Except this might interfere with servicing, when the Dealer requires wireless access to the vehicle for routine activities such as resetting warning lights, upgrading firmware to correct issues, or reading diagnostic codes.

Concern is that at some point, the dealers might make cars that literally stop working if they fail to check in to the dealership's systems for a long enough period of t

Re:

[Rick Schumann]

You're implying I'd take a vehicle to a dealership for any sort of servicing. I do my own maintenance and repair, thank you very much, and of all the places you can get mechanical work done on a vehicle, a dealership is the most expensive choice 100% of the time. Besides which, if it was some warranty or recall situation I can't ignore, you're also implying I'd destroy some vital part of the vehicles' electronics in the process of disabling antennas; I am not some ham-fisted amateur with a soldering iron, I

Re:

[Cederic]

You'll short out the 'receive only' GPS technology?

Your approach to risk assessment is flawed.

Re:

[Rick Schumann]

My desire for privacy includes, naturally, not wanting my movements being tracked. That means disabling any sort of onboard GPS receiver, which is a trivial matter for someone like me; if it's a passive antenna, you disconnect it and short it to ground, or just disconnect it and leave it. GPS signals are so small that the receiver isn't going to get a satellite lock without a proper antenna.

Re:

[RavenLrD20k]

Keeping the GPS receiver active is fine for navigation purposes (provided you have a proper built in nav-system and not that shitty OnStar turn-by-turn); you're not tracked by it directly. It's only the 4G LTE Wireless radio that needs to be disabled. That's where you have the data stream going back to OnStar, and thus to the MyChevrolet or OnStar app, with the read from your GPS for location along with the LTE triangulation to enhance location resolution. You've already stated this as part of your telem

Re:

[Rick Schumann]

Considering that the software in vehicles is not open-source you can't be sure it's not storing location data for later uploading, which is plausible considering the possible unreliability of wireless communication. Therefore disable the GPS receiver.

Re: dealership only sales and service coming soon?

[thundercattt]

Do a reset for free? That's a good one. It'll move more towards dealer only ability. Like Audi, need the dealership tools to reset your oil service light.

Re:

[drinkypoo]

Do a reset for free? That's a good one. It'll move more towards dealer only ability. Like Audi, need the dealership tools to reset your oil service light.

Not for all models. You can do it from MMI on modern cars, or on some older cars (like say the facelifted D2 A8) you can do it with a spock pinch on the cluster buttons [quattroworld.com]. Or of course, you can do it with VAG-COM [quattroworld.com] on those few vehicles which can't be reset without tools from inside the cockpit.

Software freedom for cars is necessary.

[jbn-o]

I don't think that will be sufficient or even a good plan for the car owner.

The correct and complete solution is simple (and it's high time /. readers start endorsing this to each other and to their Congressional representatives): complete corresponding source code for all of the car's software licensed to the car owner under a free software license. I recommend the AGPLv3 or later in order to help maintain software freedom when people provide remote services to do this job. This would allow the car owner t

another case of fundamental bad design

[Anonymous Coward]

That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

That is a problem on more than 1 level.

Re:

[BitterOak]

That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

That is a problem on more than 1 level.

It's not bad design from the point of view of the dealer. This basically means that all used car sales will have to go through a dealership. It will be the end of private used car sales. This was probably by design.

Re:

[mysidia]

No... it doesn't mean the sales have to go through the dealership.
It does mean that the Dealership gets to charge Tax/Service fee to correct the Links apps thing.

But there are other Reasons you might need to change authorized phones other than change of ownership for the car...

For example: Your Cell phone was stolen and you can't wipe the app off, Or you got a divorce, etc, etc.

Note to self.

[Anonymous Coward]

If upon looking for a new car, the dealership says they have a mobile app for it, turn around and walk away.

As someone considering getting a 'new', used car this year or next, it's pretty apparent I'll need to weed out just who thinks connection it to any network, is a good idea.

The list should become pretty short if any at all. Worst case, I go backwards and fix up something pre-high-tech.

Re:

[WindBourne]

nope. Not all are created equal.
There is a real reason why Tesla's only get stolen IFF, somebody can steal your phone and multiple layers of passwords, OR just your keyfob.
All in all, Tesla is a secured system, esp with the software.

Re:

[GNious]

I must be tired, but ... Telsa cars have an IFF system?!?

Re:

[Anonymous Coward]

The gpp's IFF has identified you as a friend of military aviation and a foe of logic abbreviations.

Re:

[Cederic]

Of course. This is why they need autopilot and sub-three second acceleration: Once Elon flips the toggle they become kinetic weapons that will avoid destroying each other.

Re:

[WindBourne]

designed for EMS.
Oddly, I think that the American version is different than the European version, which I know is different from the Chinese version.
I am guessing that China required too much information so Tesla gutted a lot of things for them.

Just don't buy them.

[JustNiz]

This kind of shit is exactly why I wont ever buy a car that has OnStar or any other connectivity back to the manufacturer.

That includes at least all Buick, Cadillac, GMC, Chevrolet and Tesla vehicles.

Re:

[Anonymous Coward]

Good luck with that.

Exactly that. If enough other people buy them - and they will - then before long there won't be any other kind of car sold.

Sure, used cars blah blah blah, but after a while they will get old, unreliable, and expensive to keep operating. It might work out for some people, but don't pretend there's not a real loss if the whole market shifts over to "internet enabled" automobiles. And washing machines. And TV sets. And toasters. And pacemakers. And microwave ovens. And vacuum cleaners. And refrigerato

Re:

[Hylandr]

Your phone already does all that anyways.

Re:

[sumdumass]

IT will also be some time before a bicycle is capable of getting most people to and from work or to the nearest store with enough groceries to come back that will last through weather and other reasons you wouldn't necessarily be wanting to peddle a bike all over the place.

They are great when you are a kid and can take an hour to get across town or happen to be shoved onto some population center so dense you cannot pass gas without someone knowing it. But for the rest of the world, a bit impractical outside

Re: Just don't buy them.

[anegg]

Exactly this. It's already happened with software. Windows 10 for example, numerous applications. The software phones home regularly, the original vendor has configuration/change management hooks, and the original vendor controls ownership. The only way to avoid such a future that I think has a chance of working is through government regulation that blocks the tendency for vendors to build in this level of control. The vast masses tend to be too busy living their lives to fully grasp the risks and prov

Re:

[sumdumass]

You mean taxis? Because Uber is more or less a taxi service with regular people using their cars they own as the taxi.

I'm not sure you thought that comment out enough. Or do you think we can do away with farms because food comes from the grocery stores?

Re:

[JustNiz]

Yeah sure they are.
https://www.washingtonpost.com... [washingtonpost.com]
https://www.theguardian.com/te... [theguardian.com]
http://www.cnbc.com/2016/09/20... [cnbc.com]

>>You lose asshole.
Compared to you? Nope. with a dick attitude like that, you lose at your whole life.

Re:

[JustNiz]

>>The only known crack on that which was taken care of quickly.

At least read the articles before you show your ignorance.It was 3 different attacks.

>> YOU are welcome to try and steal our Tesla.
Sorry but I don't like them. you can keep it.

>> a cocksucker like you
Thanks for continually reemphasizing your own intellectual shortcomings. Or perhaps you are compensating for something else.

Re:

[WindBourne]

Once you are finished with high school, go back for remedial reading.
They are the SAME crack. The fact that all 3 were from Sept 2016, had the same 3 guys and described the same attack in the same fashion, should be a clue that it was only 1 attack.

Re:

[JustNiz]

>> Once you are finished with high school, go back for remedial reading.

Perhaps I'll talk to you again if you ever learn to communicate like an adult.

Re:

[WindBourne]

yeah, that is why I keep nothing there. That IS a real security issue. Thankfully, it does not allow you to get into the cabin.

Growing Pains

[Anonymous Coward]

I just purchased a used vehicle and not only was the former owners phone still programmed to the car but their garage door and childrens phones were too. I wiped it all of course. I was very surprised the dealership didn't wipe it prior to putting out for sale. The vehicle was from another time zone too somewhere in Texas and I'm on the east coast. The wrong time was what originally had me go into the menus and that's where I found the rest of their personally identifiable information. Something to keep in mind prior to selling your vehicle, wipe your dash system phone book and telemetry data.

Industry still has a lot to learn. They should hire pen testers. Park a few in the lobby of a black hat conference and let people go to town on them, let attendees earn some bounties while there. Get some feedback. It's like auto manufacturers hire programmers fresh out of high school with very little experience especially with security. Also, FFS auto manufacturers allow for firmware updates to update protocols from WEP to WPA2 or whatever comes in the future. Jesus.

Re:Growing Pains

[grahamsz]

Rental companies too. I'm surprised by how many rentals I get where people have not only left their phone pairs, but have often synced their entire contact list. I'm disappointed that rental companies don't reset, never crossed my mind that dealers would be so inept.

Re:

[zippthorne]

It honestly never crossed my mind that dealers would be apt in this case. I fully expect that the dealer you sell it to not to bother at all with any electronic stuff, and the original dealer not to have any idea how to do a full factory reset of any data-retaining components (if that's even possible), and certainly no interest in telling you how to do it since you're not going to be a customer any more.

So much for help from automakers...

[rmdingler]

(FTA) IBM security researcher Charles Henderson:

“If I was a consumer who was less than tech-savvy, I would probably consider buying new rather than second-hand for this reason,” he said.

What cars? What apps?

[DogDude]

This article was woefully lacking on information. I didn't know that this was a thing, and I still don't know what manufacturers, models, this is a thing for. Shitty article.

Got to love tesla

[WindBourne]

Other than Tesla's business software, their car software is majorly secured.
Past users do not get to do this.

This happens to dumb cars as well...

[__aaclcg7560]

Back in the late 1990's, I had a roommate who owned a red Toyota Corolla. After we did some Christmas shopping at a busy mall, we were confused as to where the car got parked. My roommate found a red Toyota Corolla, unlocked the doors with his key, we got in and he started the engine. We immediately knew that something was off. For example, the interior was too clean. My roommate checked the registration to discover that we were in someone else's car. We got out, locked up the car and found his car a few rows over. I read somewhere that car manufacturers make a dozen unique car keys for any particular model, making it possible for any car owner to drive off in someone else's car by accident or on purpose.

Re:

[pjbgravely]

Toyota, I think the Camry was the worst had only a small number of different key cuts. If you owned all the keys you could get into and drive any car ( pre-chipped keys). I used to save keys from ever car we owned so if we got a free car with missing keys we might already have the right one.

Keyless drive, too

[swb]

I bought a used 2007 model with keyless drive in 2009. The car's menu system showed three keys assigned to the car, and it only came with two actual keyfobs.

The bigger problem with apps seems to be that you can fire up the app anywhere and do stuff with the car. An "extra" keyfob or a poor keyway design is only really a risk if you have physical access to the car.

Although I'd grant you that a weak keyway design with a limited number of unique keys is probably a real big car theft risk due to the fact that

Re:

[Stonent1]

I unlocked and started my Aunt's Dodge Neon once using my Mom's key from her Jeep. I did it just to see if it could be done. I put the key in and jiggled it a bit and it worked.

Re:

[sysrammer]

Ditto w/ Ford Taurus 87. My Dad had said "This isn't our car" and I said "I just opened the door" and he said "oh, well then..." and I started the car. He got in and his 6+ foot frame was scrunched up because the seat was moved forward. I said "This isn't our car". In his 80+ years he had never seen anything like that. We got a good kick out of that.

Breaking the law?

[grahammm]

Are the previous owners not breaking the law by retaining such control? When you sell something then you are supposed to give up all interest and rights to it, to do otherwise is an act of conversion [wikipedia.org]

Re:

[loonycyborg]

They want people to always buy cars new so they want to complicate resale as much as possible. If you're at risk of becoming a criminal just because you're not doing some obscure extra steps during resale then that's just perfect.

Re:

[Zaelath]

"Ignorance is no excuse in the eyes of the law".

Uh huh, but you also need mens rea unless it's a strict liability offence.

The internet is the biggest source of misinformation

No shit.

Re:

[Anonymous Coward]

Oops, posted too soon:

It's not conversion because the original owner is using the right they retained despite the sale. Rather, it would be an example of straight up fraud. You are telling the person you are selling them one thing (a car, free and clear) but are actually selling them something different (not free and clear). This is similar to selling someone a house with an unrecorded easement you know about but not telling the buyer.

Re:

[demonlapin]

Assuming you know about it. Some do, but it is likely that most sellers do not. And TBH, I couldn't even begin to tell you how to get in touch with the people I've sold used cars to, even if I wanted to. We did cash deals after a couple of phone calls. Yeah, I wrote them a bill of sale, but you know how many James Edwards are out there?

That said, this sort of story is why we kept my wife's 2001 Tahoe instead of selling it.

Re:

[mysidia]

It's not conversion because the original owner is using the right they retained despite the sale.

No..... The original owner's App linked to the device is a Technical means of access, not a legal right to the property.

It's not like having an undisclosed Easement or Lease against the property, Because easements are actual contracts that Legally encumber
property owner's rights.

I mentioned the example: It's more like handing over the keys to a house after the closing papers are signed, But forgett

Re:

[mysidia]

Are the previous owners not breaking the law by retaining such control?

Probably not merely by still having the control. The new owner has a certain level of responsibility to ensure that possession and
control are fully transferred to themself, or raise the dispute within a reasonable time period.

For example: If you sell your house,
and happen to still have a copy of the key..... that's not illegal in itself, The generally expected thing to do is for the new homeowner to rekey their locks,
tho

Not all of them

[drinkypoo]

1G Leafs won't talk to the internets now that AT&T has shut down their 2G network. Take, that, future!

Re:

[blindseer]

I'm the kind of person that doesn't replace something that works. I kept my first cell phone for years, I finally decided I needed a new one when the battery life barely lasted the day and the antenna was falling off. I happened to be near a Radio Shack that had a big sign in the window advertising a cell phone sale so I went in. In the process of setting up my phone the carrier, Sprint, gave me a new phone for free and $50 on top. The cashier said he'd never seen anything like that before. I found out

Re:

[drinkypoo]

Is it possible to update these vehicles? Will the dealers do this for free?

It is physically possible, but I believe it actually requires a complete head unit replacement. Don't quote me on that, though. It could just be a module located in the trunk or something. They're not doing it for free. I don't think they're even making the option available.

Re:

[certsoft]

Nissan did make available a new cell phone available for the Leaf. If it was pretty new car it was free, otherwise the customer had to pay. Ford made available new cell phone modems for it's two plug-in hybrid models as well it's all electric model. There was no charge for this.

User data can also be left behind

[microcars]

My wife leased a BMW X3 that was a "demo" with 6K miles.
I found that the dealer had not bothered to wipe any info stored in the car's nav/entertainment system.
The nav had all the previous destinations stored.
The radio buttons had been pre-programmed to dial certain numbers and they were still active.
Previous users music was still loaded in memory.
I had to purge all this myself and now have to do it again when she turns in the car because I can't trust the dealer to do it.
I doubt that anyone else really pays attention to this. When I brought it up to the dealer at the first Service interval they just sort of shrugged it off.

Oh, and when we were being "introduced" to the car's tech, the dealer showed my wife how to download their "app".
This consisted of going to a BMW web page and then saving the web page to the Home Screen as a shortcut icon.
When I said that was not an "app", the tech guy just gave me a look.

Bigger problem on rental cars

[Solandri]

The last three cars I've rented had bluetooth to let you make calls over the car's speakers. But the bluetooth functionality also does other stuff like sync contacts and call logs. I could view previous renters' call logs and sometimes the names associated with the calls. The latest car I rented was new so there was no previous renter. But it would also load your text messages over bluetooth and read them back to you over the speakers. I made sure to wipe those before I returned the car, but I'm pretty

Re:

[Calydor]

TVs and the like have had a Demo functionality for being shown in stores for the past ... two decades? More?

Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!

Re:Bigger problem on rental cars

[drinkypoo]

Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!

Actually, many of these infotainment systems do have a factory reset function. You might have to tunnel into the settings to find it, but it is often there.

Re:

[mjwx]

Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!

Actually, many of these infotainment systems do have a factory reset function. You might have to tunnel into the settings to find it, but it is often there.

A couple of issues here. The GP asked specifically about hire cars. Hire cars are not going to include any special features specific to the the hire car industries because there's no profit in it. Rental companies wont pay extra, in fact they buy the cheapest spec possible for fleet rates.

The other reason is that manufacturers dont want a single button reset because inevitably some ditsy steering wheel attendant will press it and wipe all of their settings... and then sue the dealer/manufacturer for emot

Let's keep forging ahead

[quonset]

Every week there is at least one, usually more than one, article talking about how apps or software in general are leaking information or clogging up the works in one way or another.

Despite this, all we hear from manufacturers is they're going to rush headlong into installing every privacy leaking, control-without-control, wide-open-to-the-world piece of software into everything they can lay their hands on and worse, making it mandatory this software connects to the Net.

Sheldon, from The Big Bang Theory, on

Re:

[drinkypoo]

Sheldon, from The Big Bang Theory, once remarked about hotels who don't use real keys for their doors, instead having credit cards to unlock a door.

Like a digital lock, a key lock is only as secure as its mechanism, and getting a better one tends to be expensive. Unlike a traditional lock, you can re-key a digital lock every time you rent the room.

This is why I only buy older cars

[pjbgravely]

I have already decided to never buy a car with one of those annoying screens mounted in the dashboard. Right now I have 2 2000 Fords. I will probably have to upgrade in 10 years or so but hopefully they will have aftermarket delete kits for the computer controlled HVAC by then.

IoT

[LienRag]

It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.

It's something to consider when buying proprietary IoT devices...
FTFY