In-vehicle technology is becoming increasingly advanced. With everything from gas payment systems to Alexa integration, you can now perform a multitude of tasks from your car’s dashboard. But as these systems get smarter, the potential security risks increase – especially when it comes to buying used vehicles.
That’s according to IBM researcher Charles Henderson, who, in a speech at the RSA security conference in San Francisco, explained how he was able to control a car he sold “years” ago (he did not specify the make or model) using a mobile app. The app allows functions such as unlocking the car, sounding the horn, and even discovering the exact location of the vehicle.
"The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'"
The problem is that performing a factory reset on a car’s system doesn’t fully revoke the access of devices that were previously used with it. Only the authorized dealerships that originally sold the car can see which devices have access and manually remove them.
The obvious answer would be to give owners more control and allow them to revoke device access themselves, but this method also comes with risks: someone with access to the vehicle, such as a valet, could remove the owner’s app access.
Adding some form of owner authentication system could solve this issue, but Henderson said car companies were concerned that users wouldn’t be able to operate it. "The explanation we were given was fear of user error," he said. "But a pin system for reset or an authentication-required reset system would be my suggestion."
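The two reset behaviours discussed above can be compared in a small model. This is an added illustration, not code from Henderson's research or from any manufacturer's system; the class, its method names and the PIN scheme are assumptions made for the example.

```python
import hashlib
import hmac
import os


class VehicleAccount:
    """Hypothetical backend record linking one vehicle to paired app devices."""

    def __init__(self, owner_pin: str):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(owner_pin)
        self.paired_devices = set()  # server-side grants used by the mobile app
        self.head_unit_state = {}    # data stored locally on the dashboard

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def _pin_ok(self, pin: str) -> bool:
        # Constant-time comparison of the derived PIN hashes.
        return hmac.compare_digest(self._hash(pin), self._pin_hash)

    def pair(self, device_id: str) -> None:
        self.paired_devices.add(device_id)

    def can_control(self, device_id: str) -> bool:
        return device_id in self.paired_devices

    def factory_reset_local_only(self) -> None:
        # Behaviour described in the article: dashboard data is wiped,
        # but the server-side device grants are left untouched.
        self.head_unit_state.clear()

    def list_devices(self, pin: str) -> list:
        # "The following people have access to the car", shown only to the owner.
        if not self._pin_ok(pin):
            raise PermissionError("owner PIN required")
        return sorted(self.paired_devices)

    def authenticated_reset(self, pin: str, new_pin: str) -> bool:
        # Suggested design: a reset that requires the owner PIN, revokes every
        # paired device and sets a new PIN for the next owner.
        if not self._pin_ok(pin):
            return False  # e.g. a valet with physical access but no PIN
        self.paired_devices.clear()
        self.head_unit_state.clear()
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(new_pin)
        return True
```
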
Henderson warns anyone buying smart devices always to be vigilant and check who can access them using the User Management settings. When it comes to second-hand cars, ask the dealerships about the mobile apps and confirm that no previous owners still have access.
Check out Henderson’s blog post to read more about his findings.