1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Researcher warns of the potential security risks that come with second-hand cars

By midian182 · 7 replies
Feb 21, 2017
Post New Reply
  1. In-vehicle technology is becoming increasingly advanced. With everything from gas payment systems to Alexa integration, you can now perform a multitude of tasks from your car’s dashboard. But as these systems get smarter, the potential security risks increase – especially when it comes to buying used vehicles.

    That’s according to IBM researcher Charles Henderson, who, in a speech at the RSA security conference in San Francisco, explained how he was able to control a car he sold “years” ago (without specifying the make/model) using a mobile app, which allows you to perform functions such as unlock the car, sound the horn, and even discover the exact location of the vehicle.

    "The car is really smart, but it's not smart enough to know who its owner is, so it's not smart enough to know it's been resold," Henderson told CNNTech. "There's nothing on the dashboard that tells you 'the following people have access to the car.'"

    The problem is that performing a factory reset on a car’s system doesn’t fully revoke access of former devices that were used with it. Only the authorized dealerships that originally sold the car can see which devices have access and manually remove them.

    The obvious answer would be to give owners more control and allow them to revoke device access themselves, but this method also comes with risks: someone with access to the vehicle, such as a valet, could remove the owner’s app access.

    Adding some form of owner authentication system could solve this issue, but Henderson said car companies were concerned that users wouldn’t be able to operate it. "The explanation we were given was fear of user error," he said. "But a pin system for reset or an authentication-required reset system would be my suggestion."

    Henderson warns anyone buying smart devices always to be vigilant and check who can access them using the User Management settings. When it comes to second-hand cars, ask the dealerships about the mobile apps and confirm that no previous owners still have access.

    Check out Henderson’s blog post to read more about his findings.

    Permalink to story.

     
  2. Uncle Al

    Uncle Al TS Evangelist Posts: 5,158   +3,580

    But on the good side, if offers ample opportunities to the "X" that decided to take the good car in the divorce!
     
    Reehahs likes this.
  3. Capaill

    Capaill TS Evangelist Posts: 829   +440

    What about rental cars?
    I recently helped a friend unsync his bluetooth from a rental car and when we scrolled through the list of paired devices we found about 20 people's names. If all it takes is access to an advanced vehicle's dashboard to control things like locks, brakes and the car's location, then the car industry needs a wake-up call.
     
    Reehahs and cliffordcooley like this.
  4. Cycloid Torus

    Cycloid Torus Stone age computing - click on the rock below.. Posts: 3,934   +1,163

    Not quite as bad as having your car turn you down for a date, but getting close!!
     
    Timonius likes this.
  5. Times have sure changed...I couldn't even have imagined this as a youth
     
  6. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,214   +4,886

    Then fix security where it doesn't have to be second-hand, when the car becomes second-hand. Why is this a no-brainer, yet it is a potential problem?
     
  7. Theinsanegamer

    Theinsanegamer TS Evangelist Posts: 1,517   +1,725

    "The obvious answer would be to give owners more control and allow them to revoke device access themselves, but this method also comes with risks: someone with access to the vehicle, such as a valet, could remove the owner’s app access."

    The writer is not familiar with the way local admin accounts work, I presume? Why on earth would a valet have access to a car's sync systems?

    Also, the OBVIOUS answer is to not buy a vehicle with these "smart" gadgets, or if you must, buy new only. Personally, I dont think this equipment belongs in a vehicle, and since no car maker is going to bother with 15-20 years of security updates, I want nothing to do with "smart" tech being anywhere near my car.
     
  8. Camikazi

    Camikazi TS Evangelist Posts: 978   +324

    Give me a bluetooth connection or AUX connector and leave out the rest and I am happy, don't need all the apps on a car.
     
    Reehahs likes this.

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...