Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com)
An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN:
Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.
Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.
It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
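The revocation gap described in the summary above, as an added sketch that is not part of the original story or any manufacturer's code: app grants that outlive a resale, next to grants bound to an ownership epoch that the current owner can list and revoke. `VehicleBackend`, its methods, and the account names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Grant:
    account: str  # app account paired with the car
    epoch: int    # ownership epoch in which the grant was issued


@dataclass
class VehicleBackend:
    """Hypothetical telematics backend record for one vehicle."""
    vin: str
    owner: str
    epoch: int = 0
    grants: list = field(default_factory=list)
    bind_to_epoch: bool = True  # False models grants that survive resale

    def _require_owner(self, requester):
        if requester != self.owner:
            raise PermissionError("only the current owner may manage access")

    def pair(self, requester, account):
        self._require_owner(requester)
        self.grants.append(Grant(account, self.epoch))

    def transfer(self, new_owner):
        # Recording the sale bumps the epoch; epoch-bound grants stop matching.
        self.owner = new_owner
        self.epoch += 1

    def _valid(self, grant):
        return (not self.bind_to_epoch) or grant.epoch == self.epoch

    def authorize(self, account):
        # Checked on every remote command (unlock, horn, locate).
        return any(g.account == account and self._valid(g) for g in self.grants)

    def list_access(self, requester):
        # The "following people have access to the car" view for the owner.
        self._require_owner(requester)
        return sorted({g.account for g in self.grants if self._valid(g)})

    def revoke(self, requester, account):
        # Owner-initiated removal, with no dealership involved.
        self._require_owner(requester)
        self.grants = [g for g in self.grants if g.account != account]


def resale_scenario(bind_to_epoch):
    # Constructed data: a seller pairs a phone, sells the car, the buyer pairs.
    car = VehicleBackend("CONSTRUCTED-VIN-0001", "seller",
                         bind_to_epoch=bind_to_epoch)
    car.pair("seller", "seller-phone")
    car.transfer("buyer")
    car.pair("buyer", "buyer-phone")
    return {
        "seller_can_unlock": car.authorize("seller-phone"),
        "buyer_can_unlock": car.authorize("buyer-phone"),
        "visible_to_buyer": car.list_access("buyer"),
    }


if __name__ == "__main__":
    print("grants survive resale:", resale_scenario(False))
    print("grants bound to epoch:", resale_scenario(True))
```
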
dealership only sales and service coming soon? or (Score:5, Insightful)
dealership only sales and service coming soon? or should end users have a way to do a full reset for free?
Re:dealership only sales and service coming soon? (Score:4, Informative)
If you miss a payment or two, they can (sometimes) use GPS to locate the vehicle, disable it remotely, and activate the horn if the vehicle is being sequestered nearby.
Re: (Score:1)
I'm in school and have worked lots of odd jobs. I was working at a dealership last year when this came up. I can't tell you the car company it was but this is all enforced dealership to dealership. Most dealerships are LAX.
Re: dealership only sales and service coming soon? (Score:1)
In GM vehicles with Onstar, you can disable such 'features' by disconnecting the Onstar module which is typically located in the trunk under the spare tire. Black box with power, gps, and cellular connections. There's really no point to having it hooked up if you don't use Onstar, unless you want secret squirrels to be able to track your driving habits. Other cars have a similar setup.
Re: (Score:2)
Re:dealership only sales and service coming soon? (Score:4, Informative)
A lot of dealerships have their own buyer financing programs separated by little more than a name. Think along the lines of a buy here pay here dressed up a bit to resemble a real bank loan.
My current car is financed that way. Due to some screw ups in my credit, I was able to get a car loan a little cheaper in interest rates that way. The finance company is owned entirely by three different dealerships but is called something different and located in another state from those dealerships. I'm not aware of any other connections those three different dealerships have other than owning a finance company that they can use to sell cars to high risk people.
Re:dealership only sales and service coming soon? (Score:4, Insightful)
Re: (Score:3)
I know how you feel.
I presently have a vehicle with driving 'assists' and it's an effing nightmare when they trigger. There should be only one driver at the wheel thank you.
Any future cars will be early 90's or older and I will do a restoration if I have to.
Re: (Score:2)
That would be an improvement over the current situation where there is less than one driver per vehicle.
Between people yakking on their phones, texting or using apps on their phones, driving is the last priority for them.
Re: (Score:2)
I agree. I commuted for a year for 1.5 hours a day one direction on the most dangerous road in the state and it was combative daily just to get to work and back without getting killed, or held hostage at 35mph ( Speed limit is 55 )
Distractions I have seen with car in motion (Score:2)
Eating -- I mean with a plate and fork -- Make-up application -- Hair Styling -- Turning Around Completely to talk -- Sex -- Urination (I think) -- Photography (Camera and Phone) I know I have seen other stuff. Feel free to add to the list.
You know, I have recently become more aware of how distracting getting audio is these days. In days gone by the car only had a radio with punch buttons for favorites (Provided one set them). Or later slotting in an 8 Track, a cassette, or CD was not too crazy (not alwa
Re: (Score:2)
Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio
Except this might interfere with servicing, when the Dealer requires wireless access to the vehicle for routine activities such as resetting warning lights, upgrading firmware to correct issues, or reading diagnostic codes.
Concern is that at some point, the dealers might make cars that literally stop working if they fail to check in to the dealership's systems for a long enough period of t
Re: (Score:2)
Re: (Score:2)
You'll short out the 'receive only' GPS technology?
Your approach to risk assessment is flawed.
Re: (Score:3)
Do a reset for free? That's a good one. It'll move more towards dealer only ability. Like Audi, need the dealership tools to reset your oil service light.
Not for all models. You can do it from MMI on modern cars, or on some older cars (like say the facelifted D2 A8) you can do it with a spock pinch on the cluster buttons [quattroworld.com]. Or of course, you can do it with VAG-COM [quattroworld.com] on those few vehicles which can't be reset without tools from inside the cockpit.
Software freedom for cars is necessary. (Score:3)
I don't think that will be sufficient or even a good plan for the car owner.
The correct and complete solution is simple (and it's high time /. readers start endorsing this to each other and to their Congressional representatives): complete corresponding source code for all of the car's software licensed to the car owner under a free software license. I recommend the AGPLv3 or later in order to help maintain software freedom when people provide remote services to do this job. This would allow the car owner t
another case of fundamental bad design (Score:1)
That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.
That is a problem on more than 1 level.
Re: (Score:2)
That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.
That is a problem on more than 1 level.
It's not bad design from the point of view of the dealer. This basically means that all used car sales will have to go through a dealership. It will be the end of private used car sales. This was probably by design.
Re: (Score:2)
No... it doesn't mean the sales have to go through the dealership.
It does mean that the Dealership gets to charge Tax/Service fee to correct the Links apps thing.
But there are other Reasons you might need to change authorized phones other than change of ownership for the car...
For example: Your Cell phone was stolen and you can't wipe the app off, Or you got a divorce, etc, etc.
Note to self. (Score:2, Insightful)
If upon looking for a new car, the dealership says they have a mobile app for it, turn around and walk away.
As someone considering getting a 'new', used car this year or next, it's pretty apparent I'll need to weed out just who thinks connecting it to any network is a good idea.
The list should become pretty short if any at all. Worst case, I go backwards and fix up something pre-high-tech.
Re: (Score:2)
There is a real reason why Teslas only get stolen IFF, somebody can steal your phone and multiple layers of passwords, OR just your keyfob.
All in all, Tesla is a secured system, esp with the software.
Re: (Score:2)
I must be tired, but ... Tesla cars have an IFF system?!?
Re: (Score:2, Funny)
The gpp's IFF has identified you as a friend of military aviation and a foe of logic abbreviations.
Re: (Score:2)
Of course. This is why they need autopilot and sub-three second acceleration: Once Elon flips the toggle they become kinetic weapons that will avoid destroying each other.
Re: (Score:2)
Oddly, I think that the American version is different than the European version, which I know is different from the Chinese version.
I am guessing that China required too much information so Tesla gutted a lot of things for them.
Just don't buy them. (Score:2)
This kind of shit is exactly why I won't ever buy a car that has OnStar or any other connectivity back to the manufacturer.
That includes at least all Buick, Cadillac, GMC, Chevrolet and Tesla vehicles.
Re: (Score:1)
Good luck with that.
Exactly that. If enough other people buy them - and they will - then before long there won't be any other kind of car sold.
Sure, used cars blah blah blah, but after a while they will get old, unreliable, and expensive to keep operating. It might work out for some people, but don't pretend there's not a real loss if the whole market shifts over to "internet enabled" automobiles. And washing machines. And TV sets. And toasters. And pacemakers. And microwave ovens. And vacuum cleaners. And refrigerato
Re: (Score:2)
Your phone already does all that anyways.
Re: (Score:2)
It will also be some time before a bicycle is capable of getting most people to and from work or to the nearest store with enough groceries to come back that will last through weather and other reasons you wouldn't necessarily be wanting to pedal a bike all over the place.
They are great when you are a kid and can take an hour to get across town or happen to be shoved onto some population center so dense you cannot pass gas without someone knowing it. But for the rest of the world, a bit impractical outside
Re: Just don't buy them. (Score:2)
Re: (Score:2)
You mean taxis? Because Uber is more or less a taxi service with regular people using their cars they own as the taxi.
I'm not sure you thought that comment out enough. Or do you think we can do away with farms because food comes from the grocery stores?
Re: (Score:3, Informative)
Yeah sure they are.
https://www.washingtonpost.com... [washingtonpost.com]
https://www.theguardian.com/te... [theguardian.com]
http://www.cnbc.com/2016/09/20... [cnbc.com]
>>You lose asshole.
Compared to you? Nope. With a dick attitude like that, you lose at your whole life.
Re: (Score:3, Informative)
>>The only known crack on that which was taken care of quickly.
At least read the articles before you show your ignorance. It was 3 different attacks.
>> YOU are welcome to try and steal our Tesla.
Sorry but I don't like them. You can keep it.
>> a cocksucker like you
Thanks for continually reemphasizing your own intellectual shortcomings. Or perhaps you are compensating for something else.
Re: (Score:2)
They are the SAME crack. The fact that all 3 were from Sept 2016, had the same 3 guys and described the same attack in the same fashion, should be a clue that it was only 1 attack.
Re: (Score:2)
>> Once you are finished with high school, go back for remedial reading.
Perhaps I'll talk to you again if you ever learn to communicate like an adult.
Re: (Score:2)
Growing Pains (Score:3, Interesting)
I just purchased a used vehicle and not only was the former owner's phone still programmed to the car but their garage door and children's phones were too. I wiped it all of course. I was very surprised the dealership didn't wipe it prior to putting out for sale. The vehicle was from another time zone too somewhere in Texas and I'm on the east coast. The wrong time was what originally had me go into the menus and that's where I found the rest of their personally identifiable information. Something to keep in mind prior to selling your vehicle, wipe your dash system phone book and telemetry data.
Industry still has a lot to learn. They should hire pen testers. Park a few in the lobby of a black hat conference and let people go to town on them, let attendees earn some bounties while there. Get some feedback. It's like auto manufacturers hire programmers fresh out of high school with very little experience especially with security. Also, FFS auto manufacturers allow for firmware updates to update protocols from WEP to WPA2 or whatever comes in the future. Jesus.
Re:Growing Pains (Score:4, Interesting)
Rental companies too. I'm surprised by how many rentals I get where people have not only left their phone pairs, but have often synced their entire contact list. I'm disappointed that rental companies don't reset, never crossed my mind that dealers would be so inept.
Re: (Score:3)
It honestly never crossed my mind that dealers would be apt in this case. I fully expect the dealer you sell it to not to bother at all with any electronic stuff, and the original dealer not to have any idea how to do a full factory reset of any data-retaining components (if that's even possible), and certainly no interest in telling you how to do it since you're not going to be a customer any more.
So much for help from automakers... (Score:4, Informative)
“If I was a consumer who was less than tech-savvy, I would probably consider buying new rather than second-hand for this reason,” he said.
What cars? What apps? (Score:2)
Got to love tesla (Score:2)
Past users do not get to do this.
This happens to dumb cars as well... (Score:5, Informative)
Re: (Score:2)
Keyless drive, too (Score:2)
I bought a used 2007 model with keyless drive in 2009. The car's menu system showed three keys assigned to the car, and it only came with two actual keyfobs.
The bigger problem with apps seems to be that you can fire up the app anywhere and do stuff with the car. An "extra" keyfob or a poor keyway design is only really a risk if you have physical access to the car.
Although I'd grant you that a weak keyway design with a limited number of unique keys is probably a real big car theft risk due to the fact that
Re: (Score:1)
Re: (Score:2)
Ditto w/ Ford Taurus 87. My Dad had said "This isn't our car" and I said "I just opened the door" and he said "oh, well then..." and I started the car. He got in and his 6+ foot frame was scrunched up because the seat was moved forward. I said "This isn't our car". In his 80+ years he had never seen anything like that. We got a good kick out of that.
Breaking the law? (Score:5, Interesting)
Are the previous owners not breaking the law by retaining such control? When you sell something then you are supposed to give up all interest and rights to it, to do otherwise is an act of conversion [wikipedia.org]
Re: (Score:2)
Re: (Score:3)
"Ignorance is no excuse in the eyes of the law".
Uh huh, but you also need mens rea unless it's a strict liability offence.
The internet is the biggest source of misinformation
No shit.
Re: (Score:1)
Oops, posted too soon:
It's not conversion because the original owner is using the right they retained despite the sale. Rather, it would be an example of straight up fraud. You are telling the person you are selling them one thing (a car, free and clear) but are actually selling them something different (not free and clear). This is similar to selling someone a house with an unrecorded easement you know about but not telling the buyer.
Re: (Score:2)
That said, this sort of story is why we kept my wife's 2001 Tahoe instead of selling it.
Re: (Score:2)
It's not conversion because the original owner is using the right they retained despite the sale.
No..... The original owner's App linked to the device is a Technical means of access, not a legal right to the property.
It's not like having an undisclosed Easement or Lease against the property, Because easements are actual contracts that Legally encumber property owner's rights.
I mentioned the example: It's more like handing over the keys to a house after the closing papers are signed, But forgett
Re: (Score:2)
Are the previous owners not breaking the law by retaining such control?
Probably not merely by still having the control. The new owner has a certain level of responsibility to ensure that possession and control are fully transferred to themself, or raise the dispute within a reasonable time period.
For example: If you sell your house, and happen to still have a copy of the key..... that's not illegal in itself, The generally expected thing to do is for the new homeowner to rekey their locks, tho
Not all of them (Score:2)
1G Leafs won't talk to the internets now that AT&T has shut down their 2G network. Take, that, future!
Re: (Score:2)
I'm the kind of person that doesn't replace something that works. I kept my first cell phone for years, I finally decided I needed a new one when the battery life barely lasted the day and the antenna was falling off. I happened to be near a Radio Shack that had a big sign in the window advertising a cell phone sale so I went in. In the process of setting up my phone the carrier, Sprint, gave me a new phone for free and $50 on top. The cashier said he'd never seen anything like that before. I found out
Re: (Score:2)
Is it possible to update these vehicles? Will the dealers do this for free?
It is physically possible, but I believe it actually requires a complete head unit replacement. Don't quote me on that, though. It could just be a module located in the trunk or something. They're not doing it for free. I don't think they're even making the option available.
Re: (Score:2)
User data can also be left behind (Score:5, Interesting)
My wife leased a BMW X3 that was a "demo" with 6K miles.
I found that the dealer had not bothered to wipe any info stored in the car's nav/entertainment system.
The nav had all the previous destinations stored.
The radio buttons had been pre-programmed to dial certain numbers and they were still active.
Previous user's music was still loaded in memory.
I had to purge all this myself and now have to do it again when she turns in the car because I can't trust the dealer to do it.
I doubt that anyone else really pays attention to this. When I brought it up to the dealer at the first Service interval they just sort of shrugged it off.
Oh, and when we were being "introduced" to the car's tech, the dealer showed my wife how to download their "app".
This consisted of going to a BMW web page and then saving the web page to the Home Screen as a shortcut icon.
When I said that was not an "app", the tech guy just gave me a look.
Bigger problem on rental cars (Score:3)
Re: (Score:2)
TVs and the like have had a Demo functionality for being shown in stores for the past ... two decades? More?
Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!
Re:Bigger problem on rental cars (Score:4, Informative)
Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!
Actually, many of these infotainment systems do have a factory reset function. You might have to tunnel into the settings to find it, but it is often there.
Re: (Score:2)
Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!
Actually, many of these infotainment systems do have a factory reset function. You might have to tunnel into the settings to find it, but it is often there.
A couple of issues here. The GP asked specifically about hire cars. Hire cars are not going to include any special features specific to the hire car industries because there's no profit in it. Rental companies won't pay extra, in fact they buy the cheapest spec possible for fleet rates.
The other reason is that manufacturers don't want a single button reset because inevitably some ditsy steering wheel attendant will press it and wipe all of their settings... and then sue the dealer/manufacturer for emot
Let's keep forging ahead (Score:2)
Every week there is at least one, usually more than one, article talking about how apps or software in general are leaking information or clogging up the works in one way or another.
Despite this, all we hear from manufacturers is they're going to rush headlong into installing every privacy leaking, control-without-control, wide-open-to-the-world piece of software into everything they can lay their hands on and worse, making it mandatory this software connects to the Net.
Sheldon, from The Big Bang Theory, on
Re: (Score:2)
Sheldon, from The Big Bang Theory, once remarked about hotels who don't use real keys for their doors, instead having credit cards to unlock a door.
Like a digital lock, a key lock is only as secure as its mechanism, and getting a better one tends to be expensive. Unlike a traditional lock, you can re-key a digital lock every time you rent the room.
This is why I only buy older cars (Score:2)
IoT (Score:1)
It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
It's something to consider when buying proprietary IoT devices...
FTFY