Just whose car is it anyway?
I spent some time last week at the RSA Security conference in San Francisco. There were lots of interesting ideas floating around on many security topics, but one short presentation by Charles Henderson of IBM really got my attention.
Within a few years, it will probably be pretty much impossible to buy a new car which isn’t “smart” in some way and, as a standard feature, is connected to the internet for a lot of useful capabilities. We already see that many car buyers today are influenced by all the electronic gadgetry their car includes (just watch a few car ads on TV or online) and in a world where everything seems to have to have an associated smartphone app, why should vehicles be any different? Just another network endpoint.
If most new cars are going to be smart and internet connected or at least capable, that means second-hand cars are also going to be increasingly “smart” as vehicles are sold on after a few years (or a few months in the case of rental fleets – and even rental cars are now getting “basic” smart car features).
This point was brought home by IBM’s Henderson as he described (this is the link to his presentation on YouTube – it’s a very worthwhile 10 minute watch) how – more than two years after he had traded his connected car back into an authorized dealer for the brand – he was still able to access his old car via a smartphone app and the cloud platform that had originally connected car and phone.
Despite carefully de-authorizing all the associated accounts, the satellite radio and the garage door openers, resetting the Bluetooth pairing, and surrendering all the keys when he turned the vehicle over to the dealer, Henderson discovered that his mobile app never “forgot” his car – and that there was no way to make it do so.
The app allowed him to track the geolocation of the car, adjust its climate control, send its Satellite Navigation systems new directions and even (weirdly) trigger its horn. All somewhat amusing tricks (seemingly “demonic possession” of the car for the new owner). Perhaps most alarmingly, the app also gave him the ability to remotely unlock the vehicle – a car thief’s dream tool, and the car’s new owners would have no clue that they were potentially at risk. So cars may be really smart, but they’re not smart enough to know who the owner is (they react to the presence of the key, not the person), so they’re not smart enough to know they’ve been resold. There’s nothing on the dashboard or in the infotainment system that tells the driver ‘here’s the list of people who have access to the car.’
It turns out that although Henderson put in more effort than most people probably would to ensure that he had wiped the car’s knowledge of him and his associated accounts before trading it in, that wasn’t enough. That’s because a full factory reset of a vehicle does not revoke access by the smartphone app – the information is still stored in the cloud, and can only be deleted from there by a factory-authorized dealer – and by a dealer who knows that that’s what’s needed.
After hearing the presentation, I wondered how often the same thing occurs, so I checked on the cars that I sold (both private sales) last year. I also had carefully deleted all the on-car functions that “knew” about me and had demonstrated that to the new owners. I keep my cars a long time (in both cases a little over 10 years) so both were early in the “connected” era, but both did have smartphone apps that allowed some degree of remote access to the onboard systems – systems that had been updated (either by the dealer at service points or over the air by the manufacturer) several times. In both cases, I found that I could still access the cars via the cloud and, although I did not try any of the system functions the app connected to, it certainly looked as if I could have done so. In one case, both unlock and remote start were still enabled.
Once again, this is the Internet of (insecure) Things at large in the world. In the rush to add yet more cool features, longer-term issues of security and accessibility – even of what “ownership” really means – are not being properly thought through, and the security lifecycle aspects are definitely not uppermost in manufacturers’ minds – unsurprisingly. They have little incentive to follow a vehicle after the initial sale. Nor probably does the dealer. Until more effort is made by both the automotive brands and the dealer ecosystem to properly integrate both the connection (the internet) and the owner’s access to the vehicle (smart key, smartphone app) in a safe way, we’re going to hear more and more stories of security breaking down like this.
Interestingly, smartphone makers and their telecommunications partners have more or less solved this problem – you can’t get access to your old smartphone after you’ve traded it in. I’m not suggesting that a $40k car and an $800 phone are at all alike, but the idea that there can be an effective de-authorization and complete separation process has at least been established.
So if you plan to buy a “certified pre-owned” connected vehicle, better ask the dealer (or the seller if it’s a private transaction) to certify that there are no lingering traces of the vehicle from previous owners out there in the cloud. Otherwise, you too could encounter “demonic possession”.