Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Transportation Cellphones Security

Used Cars Can Still Be Controlled By Their Previous Owners' Apps (wtkr.com) 102

An IBM security researcher recently discovered something interesting about smart cars. An anonymous reader quotes CNN: Charles Henderson sold his car several years ago, but he still knows exactly where it is, and can control it from his phone... "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'" This isn't an isolated problem. Henderson tested four major auto manufacturers, and found they all have apps that allow previous owners to access them from a mobile device. At the RSA security conference in San Francisco on Friday, Henderson explained how people can still retain control of connected cars even after they resell them.

Manufacturers create apps to control smart cars -- you can use your phone to unlock the car, honk the horn and find out the exact location of your vehicle. Henderson removed his personal information from services in the car before selling it back to the dealership, but he was still able to control the car through a mobile app for years. That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.
This discussion has been archived. No new comments can be posted.

Used Cars Can Still Be Controlled By Their Previous Owners' Apps

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Sunday February 19, 2017 @11:40AM (#53895887)

    dealership only sales and service coming soon? or should end users have a way to do an full reset for free?

    • by rmdingler ( 1955220 ) on Sunday February 19, 2017 @11:51AM (#53895911) Journal
      Dealerships that tote-the-note are familiar with, and quite fond of, maintaining control of some of the apps on your vehicle.

      If you miss a payment or two, they can (sometimes) use GPS to locate the vehicle, disable it remotely, and activate the horn if the vehicle is being sequestered nearby.

      • by BeauSD ( 4870533 )
        This is actually why the FCC came down so hard on GPS and cell jammers. There was one particular lobby that had enough.

        I'm in school and have worked lots of oddjobs. I was working at a dealership last year when this came up. I can't tell you the car company it was but this is all enforced dealership to dealership. Most dealerships are LAX.
        • In GM vehicles with Onstar, you can disable such 'features' by disconnecting the Onstar module which is typically located in the trunk under the spare tire. Black box with power, gps, and cellular connections. There's really no point to having it hooked up if you don't use Onstar, unless you want secret squirrels to be able to track your driving habits. Other cars have a similar setup.

        • by trg83 ( 555416 )
          Are you serious? Couldn't possibly be because interference to GPS and cell service caused direct risk of life and economic damage? Surely it was lienholders who drove the banning of unlicensed crap radio hardware with wide-band, spurious, and unsuppressed harmonic emissions.
      • by Rick Schumann ( 4662797 ) on Sunday February 19, 2017 @01:32PM (#53896213) Journal
        I do not currently own a vehicle that has so many bells-and-whistles that there is GPS, or wireless anything in it (it's a light pickup truck with a 5-speed stick, and I like it that way), but if-and-when I have to replace it, and discover I (somehow) have no option but to get something with all those extras, Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio, of course. No one should be able to remotely control any vehicle I'm driving for any reason, ever. I'd consider that to be a gigantic security hole and a safety hazard.
        • by Hylandr ( 813770 )

          I know how you feel.

          I presently have a vehicle with driving 'assists' and it's an effing nightmare when they trigger. There should be only one driver at the wheel thank you.

          Any future cars will be early 90's or older and I will do a restoration if I have to.

          • by tlhIngan ( 30335 )

            I presently have a vehicle with driving 'assists' and it's an effing nightmare when they trigger. There should be only one driver at the wheel thank you.

            That would be an improvement over the current situation where there is less than one driver per vehicle.

            Between people yakking on their phones, texting or using apps on their phones, driving is the last priority for them.

            • by Hylandr ( 813770 )

              I agree. I commuted for a year for 1.5 hours a day one direction on the most dangerous road in the state and it was combative daily just to get to work and back without getting killed, or held hostage at 35mph ( Speed limit is 55 )

            • Eating -- I mean with a plate and fork -- Make-up application -- Hair Styling -- Turning Around Completely to talk -- Sex -- Urination (I think) -- Photography (Camera and Phone) I know I have seen other stuff. Feel free to add to the list.

              You know, I have recently become more aware of how distracting getting audio is these days. In days gone by the car only had a radio with punch buttons for favorites (Provided one set them). Or later slotting in an 8 Track, a cassette, or CD was not too crazy (not alwa

        • by mysidia ( 191772 )

          Job One will be to identify and short to Ground all the GPS and wireless antennas -- except the one for the radio

          Except this might interfere with servicing, when the Dealer requires wireless access to the vehicle for routine activities such as resetting warning lights, upgrading firmware to correct issues, or reading diagnostic codes.

          Concern is that at some point, the dealers might make cars that literally stop working if they fail to check in to the dealership's systems for a long enough period of t

          • You're implying I'd take a vehicle to a dealership for any sort of servicing. I do my own maintenance and repair, thank you very much, and of all the places you can get mechanical work done on a vehicle, a dealership is the most expensive choice 100% of the time. Besides which, if it was some warranty or recall situation I can't ignore, you're also implying I'd destroy some vital part of the vehicles' electronics in the process of disabling antennas; I am not some ham-fisted amateur with a soldering iron, I
        • by Cederic ( 9623 )

          You'll short out the 'receive only' GPS technology?

          Your approach to risk assessment is flawed.

          • My desire for privacy includes, naturally, not wanting my movements being tracked. That means disabling any sort of onboard GPS receiver, which is a trivial matter for someone like me; if it's a passive antenna, you disconnect it and short it to ground, or just disconnect it and leave it. GPS signals are so small that the receiver isn't going to get a satellite lock without a proper antenna.
            • Keeping the GPS receiver active is fine for navigation purposes (provided you have a proper built in nav-system and not that shitty OnStar turn-by-turn); you're not tracked by it directly. It's only the 4G LTE Wireless radio that needs to be disabled. That's where you have the data stream going back to OnStar, and thus to the MyChevrolet or OnStar app, with the read from your GPS for location along with the LTE triangulation to enhance location resolution. You've already stated this as part of your telem
              • Considering that the software in vehicles is not open-source you can't be sure it's not storing location data for later uploading, which is plausible considering the possible unreliability of wireless communication. Therefore disable the GPS receiver.
    • Do a reset for free? That's a good one. It'll move more towards dealer only ability. Like Audi, need the dealership tools to reset your oil service light.
      • Do a reset for free? That's a good one. It'll move more towards dealer only ability. Like Audi, need the dealership tools to reset your oil service light.

        Not for all models. You can do it from MMI on modern cars, or on some older cars (like say the facelifted D2 A8) you can do it with a spock pinch on the cluster buttons [quattroworld.com]. Or of course, you can do it with VAG-COM [quattroworld.com] on those few vehicles which can't be reset without tools from inside the cockpit.

    • I don't think that will be sufficient or even a good plan for the car owner.

      The correct and complete solution is simple (and it's high time /. readers start endorsing this to each other and to their Congressional representatives): complete corresponding source code for all of the car's software licensed to the car owner under a free software license. I recommend the AGPLv3 or later in order to help maintain software freedom when people provide remote services to do this job. This would allow the car owner t

  • by Anonymous Coward

    That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

    That is a problem on more than 1 level.

    • That's because only the dealership that originally sold the car can see who has access and manually remove someone from the app.

      That is a problem on more than 1 level.

      It's not bad design from the point of view of the dealer. This basically means that all used car sales will have to go through a dealership. It will be the end of private used car sales. This was probably by design.

      • by mysidia ( 191772 )

        No... it doesn't mean the sales have to go through the dealership.
        It does mean that the Dealership gets to charge Tax/Service fee to correct the Links apps thing.

        But there are other Reasons you might need to change authorized phones other than change of ownership for the car...

        For example: Your Cell phone was stolen and you can't wipe the app off, Or you got a divorce, etc, etc.

  • Note to self. (Score:2, Insightful)

    by Anonymous Coward

    If upon looking for a new car, the dealership says they have a mobile app for it, turn around and walk away.

    As someone considering getting a 'new', used car this year or next, it's pretty apparent I'll need to weed out just who thinks connection it to any network, is a good idea.

    The list should become pretty short if any at all. Worst case, I go backwards and fix up something pre-high-tech.

    • nope. Not all are created equal.
      There is a real reason why Tesla's only get stolen IFF, somebody can steal your phone and multiple layers of passwords, OR just your keyfob.
      All in all, Tesla is a secured system, esp with the software.
      • by GNious ( 953874 )

        I must be tired, but ... Telsa cars have an IFF system?!?

        • Re: (Score:2, Funny)

          by Anonymous Coward

          The gpp's IFF has identified you as a friend of military aviation and a foe of logic abbreviations.

        • by Cederic ( 9623 )

          Of course. This is why they need autopilot and sub-three second acceleration: Once Elon flips the toggle they become kinetic weapons that will avoid destroying each other.

  • This kind of shit is exactly why I wont ever buy a car that has OnStar or any other connectivity back to the manufacturer.

    That includes at least all Buick, Cadillac, GMC, Chevrolet and Tesla vehicles.

  • Growing Pains (Score:3, Interesting)

    by Anonymous Coward on Sunday February 19, 2017 @11:54AM (#53895923)

    I just purchased a used vehicle and not only was the former owners phone still programmed to the car but their garage door and childrens phones were too. I wiped it all of course. I was very surprised the dealership didn't wipe it prior to putting out for sale. The vehicle was from another time zone too somewhere in Texas and I'm on the east coast. The wrong time was what originally had me go into the menus and that's where I found the rest of their personally identifiable information. Something to keep in mind prior to selling your vehicle, wipe your dash system phone book and telemetry data.

    Industry still has a lot to learn. They should hire pen testers. Park a few in the lobby of a black hat conference and let people go to town on them, let attendees earn some bounties while there. Get some feedback. It's like auto manufacturers hire programmers fresh out of high school with very little experience especially with security. Also, FFS auto manufacturers allow for firmware updates to update protocols from WEP to WPA2 or whatever comes in the future. Jesus.

    • Re:Growing Pains (Score:4, Interesting)

      by grahamsz ( 150076 ) on Sunday February 19, 2017 @12:42PM (#53896059) Homepage Journal

      Rental companies too. I'm surprised by how many rentals I get where people have not only left their phone pairs, but have often synced their entire contact list. I'm disappointed that rental companies don't reset, never crossed my mind that dealers would be so inept.

      • It honestly never crossed my mind that dealers would be apt in this case. I fully expect that the dealer you sell it to not to bother at all with any electronic stuff, and the original dealer not to have any idea how to do a full factory reset of any data-retaining components (if that's even possible), and certainly no interest in telling you how to do it since you're not going to be a customer any more.

  • by rmdingler ( 1955220 ) on Sunday February 19, 2017 @11:57AM (#53895927) Journal
    (FTA) IBM security researcher Charles Henderson:

    “If I was a consumer who was less than tech-savvy, I would probably consider buying new rather than second-hand for this reason,” he said.

  • This article was woefully lacking on information. I didn't know that this was a thing, and I still don't know what manufacturers, models, this is a thing for. Shitty article.
  • Other than Tesla's business software, their car software is majorly secured.
    Past users do not get to do this.
  • by __aaclcg7560 ( 824291 ) on Sunday February 19, 2017 @12:17PM (#53895983)
    Back in the late 1990's, I had a roommate who owned a red Toyota Corolla. After we did some Christmas shopping at a busy mall, we were confused as to where the car got parked. My roommate found a red Toyota Corolla, unlocked the doors with his key, we got in and he started the engine. We immediately knew that something was off. For example, the interior was too clean. My roommate checked the registration to discover that we were in someone else's car. We got out, locked up the car and found his car a few rows over. I read somewhere that car manufacturers make a dozen unique car keys for any particular model, making it possible for any car owner to drive off in someone else's car by accident or on purpose.
    • Toyota, I think the Camry was the worst had only a small number of different key cuts. If you owned all the keys you could get into and drive any car ( pre-chipped keys). I used to save keys from ever car we owned so if we got a free car with missing keys we might already have the right one.
    • I bought a used 2007 model with keyless drive in 2009. The car's menu system showed three keys assigned to the car, and it only came with two actual keyfobs.

      The bigger problem with apps seems to be that you can fire up the app anywhere and do stuff with the car. An "extra" keyfob or a poor keyway design is only really a risk if you have physical access to the car.

      Although I'd grant you that a weak keyway design with a limited number of unique keys is probably a real big car theft risk due to the fact that

    • I unlocked and started my Aunt's Dodge Neon once using my Mom's key from her Jeep. I did it just to see if it could be done. I put the key in and jiggled it a bit and it worked.
    • Ditto w/ Ford Taurus 87. My Dad had said "This isn't our car" and I said "I just opened the door" and he said "oh, well then..." and I started the car. He got in and his 6+ foot frame was scrunched up because the seat was moved forward. I said "This isn't our car". In his 80+ years he had never seen anything like that. We got a good kick out of that.

  • Breaking the law? (Score:5, Interesting)

    by grahammm ( 9083 ) <graham@gmurray.org.uk> on Sunday February 19, 2017 @12:20PM (#53895993)

    Are the previous owners not breaking the law by retaining such control? When you sell something then you are supposed to give up all interest and rights to it, to do otherwise is an act of conversion [wikipedia.org]

    • They want people to always buy cars new so they want to complicate resale as much as possible. If you're at risk of becoming a criminal just because you're not doing some obscure extra steps during resale then that's just perfect.
    • by mysidia ( 191772 )

      Are the previous owners not breaking the law by retaining such control?

      Probably not merely by still having the control. The new owner has a certain level of responsibility to ensure that possession and
      control are fully transferred to themself, or raise the dispute within a reasonable time period.

      For example: If you sell your house,
      and happen to still have a copy of the key..... that's not illegal in itself, The generally expected thing to do is for the new homeowner to rekey their locks,
      tho

  • 1G Leafs won't talk to the internets now that AT&T has shut down their 2G network. Take, that, future!

    • I'm the kind of person that doesn't replace something that works. I kept my first cell phone for years, I finally decided I needed a new one when the battery life barely lasted the day and the antenna was falling off. I happened to be near a Radio Shack that had a big sign in the window advertising a cell phone sale so I went in. In the process of setting up my phone the carrier, Sprint, gave me a new phone for free and $50 on top. The cashier said he'd never seen anything like that before. I found out

      • Is it possible to update these vehicles? Will the dealers do this for free?

        It is physically possible, but I believe it actually requires a complete head unit replacement. Don't quote me on that, though. It could just be a module located in the trunk or something. They're not doing it for free. I don't think they're even making the option available.

      • Nissan did make available a new cell phone available for the Leaf. If it was pretty new car it was free, otherwise the customer had to pay. Ford made available new cell phone modems for it's two plug-in hybrid models as well it's all electric model. There was no charge for this.
  • by microcars ( 708223 ) on Sunday February 19, 2017 @12:42PM (#53896057) Homepage

    My wife leased a BMW X3 that was a "demo" with 6K miles.
    I found that the dealer had not bothered to wipe any info stored in the car's nav/entertainment system.
    The nav had all the previous destinations stored.
    The radio buttons had been pre-programmed to dial certain numbers and they were still active.
    Previous users music was still loaded in memory.
    I had to purge all this myself and now have to do it again when she turns in the car because I can't trust the dealer to do it.
    I doubt that anyone else really pays attention to this. When I brought it up to the dealer at the first Service interval they just sort of shrugged it off.

    Oh, and when we were being "introduced" to the car's tech, the dealer showed my wife how to download their "app".
    This consisted of going to a BMW web page and then saving the web page to the Home Screen as a shortcut icon.
    When I said that was not an "app", the tech guy just gave me a look.

    • The last three cars I've rented had bluetooth to let you make calls over the car's speakers. But the bluetooth functionality also does other stuff like sync contacts and call logs. I could view previous renters' call logs and sometimes the names associated with the calls. The latest car I rented was new so there was no previous renter. But it would also load your text messages over bluetooth and read them back to you over the speakers. I made sure to wipe those before I returned the car, but I'm pretty
      • by Calydor ( 739835 )

        TVs and the like have had a Demo functionality for being shown in stores for the past ... two decades? More?

        Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!

        • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday February 19, 2017 @03:43PM (#53896635) Homepage Journal

          Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!

          Actually, many of these infotainment systems do have a factory reset function. You might have to tunnel into the settings to find it, but it is often there.

          • by mjwx ( 966435 )

            Why the flying hell do cars not have a Rental setting that wipes all data with the press of a single button?!

            Actually, many of these infotainment systems do have a factory reset function. You might have to tunnel into the settings to find it, but it is often there.

            A couple of issues here. The GP asked specifically about hire cars. Hire cars are not going to include any special features specific to the the hire car industries because there's no profit in it. Rental companies wont pay extra, in fact they buy the cheapest spec possible for fleet rates.

            The other reason is that manufacturers dont want a single button reset because inevitably some ditsy steering wheel attendant will press it and wipe all of their settings... and then sue the dealer/manufacturer for emot

  • Every week there is at least one, usually more than one, article talking about how apps or software in general are leaking information or clogging up the works in one way or another.

    Despite this, all we hear from manufacturers is they're going to rush headlong into installing every privacy leaking, control-without-control, wide-open-to-the-world piece of software into everything they can lay their hands on and worse, making it mandatory this software connects to the Net.

    Sheldon, from The Big Bang Theory, on

    • Sheldon, from The Big Bang Theory, once remarked about hotels who don't use real keys for their doors, instead having credit cards to unlock a door.

      Like a digital lock, a key lock is only as secure as its mechanism, and getting a better one tends to be expensive. Unlike a traditional lock, you can re-key a digital lock every time you rent the room.

  • I have already decided to never buy a car with one of those annoying screens mounted in the dashboard. Right now I have 2 2000 Fords. I will probably have to upgrade in 10 years or so but hopefully they will have aftermarket delete kits for the computer controlled HVAC by then.
  • It's also something to consider when buying used IoT devices -- or a smart home equipped with internet-enabled devices.

    It's something to consider when buying proprietary IoT devices...
    FTFY

Truly simple systems... require infinite testing. -- Norman Augustine

Working...