Is Your Connected Car at Risk? Previous Owners May Still Have Access

By David Muller

GM OnStar Mobile App

As cars increasingly become enmeshed in the Internet of Things, automakers for the past few years have offered drivers the ability to locate, unlock, and start their car with a smartphone or tablet. From the comfort of your couch, you can crank up the heat in your car or honk its horn with a tap on a touchscreen. But if it’s easy for you to control your vehicle using a mobile app, that also means if you bought it used, whoever owned it before you could still have some kind of access to it. In other words, someone else could still have the ability to locate, unlock, and start your car.

Such was the case with Charles Henderson, a cybersecurity researcher at IBM, who happened to notice a major vulnerability in one automaker’s vehicle connectivity. A few years back, Henderson bought a convertible (the make and model of which he declined to name) and, as an early adopter of technology, was all too happy to connect his smartphone to the vehicle via the automaker’s mobile app. Then he had kids, so he sold the convertible in favor of a more family-friendly vehicle.

“Four Years Later, I Still Have Access”

Henderson said he removed all connected devices and wiped his personal information from the outgoing car. He reset the vehicle’s phone book and garage-door opener. The dealership, too, made sure the car was reset and that all keys were turned back in, said Henderson, who is global head of the IBM X-Force Red team of cybersecurity researchers.

Henderson’s new car was the same brand as that previous convertible, so he loaded its information into the relevant mobile app, which would allow him to see the car’s location and remotely unlock and lock it, among other things. “And I notice my previous car was still there,” Henderson said. That wasn’t such a big deal, at least not at first, because he had just sold it a few hours before. “Then hours turned into days, days turned into weeks, weeks turned into months, and now, four years later, I still have access to my old car,” Henderson said. “As a vulnerability researcher, this is a problem.”

Not that one needs to be a vulnerability researcher to see the potential for trouble. Henderson ultimately had to go to a dealership to have the vehicle removed once and for all from the app. Out of curiosity, he tried four major brands—again, declining to name them—and said they all had similar flaws.


Several Ways to Disconnect

A trip to the dealership may no longer be necessary, at least according to automakers that responded to our questions about their connected-vehicle mobile apps. They all described to us various ways the app can be disconnected when the user sells the vehicle without relying on a dealer to do so. In some cases, the terms and conditions of the agreement actually demand …

See full article at: caranddriver
