The previous owners of used "smart" cars can still control them via the cars' apps (not just cars!)

It's not just that smart cars' Android apps are sloppily designed and thus horribly insecure; they are also deliberately designed with extremely poor security choices: even if you factory-reset a car after it is sold as used, the original owner can still locate it, honk its horn, and unlock its doors.

Again, this is by design: because auto-makers are worried about lockout and hacks (for example, a valet resetting your car to lock out your app), only the original dealer can sever the car's connection with the cloud accounts of the original owner.

Charles Henderson, the leader of IBM's X-Force Red security division presented on this risk at last week's RSA conference in San Francisco (you can read his essay on the subject here). His ultimate recommendation is this counsel of despair: unless you are very technologically savvy, you should only buy new cars, not used ones.

It's not just cars, either -- the problem extends to smart appliances, thermostats, and other devices. Renting a house, staying in a hotel room, or buying a house without replacing its appliances and HVAC systems also exposes you to risks from the previous users of the devices in it.

When Henderson approached car makers about letting car owners wipe apps, companies were concerned about people not being able to do it properly.

“The explanation we were given was fear of user error,” he said. “But a pin system for reset or an authentication-required reset system would be my suggestion.”

Reselling connected devices causes problems beyond the used car lot. Selling homes with connected devices can be a security issue, too. Security cameras, smart fridges, and smart lights can all retain the previous owner’s data.

An IoT Love Story: Always Apart, Never Disconnected [Charles Henderson/Securityintelligence]

Why buying used cars could put your safety at risk [CNN]

Notable Replies

  1. "unless you are very technologically savvy, you should only buy new cars, not used ones"

    WTF? That's totally wrong. Only buy non-networked cars, not "smart" ones. Or more generally, do not buy ANY network-enabled device unless you can control its software.

  2. Luckily for me, the state-of-the-art software on my state-of-the-art vehicles is so incredibly terribly bad that it doesn't really do anything reliably.

    Seriously, it's like the stuff was coded by 12 year olds, and car apps (other than OBDC interfaces) have a shelf life of about two years before they stop working due to routine updating of the app platform not being tracked by the auto vendor.

  3. As a general rule, the more impractical RMS' advice is the more chillingly prescient it will turn out to be.

  4. companies were concerned about people not being able to do it properly.

    Dear companies,
    This is my bill of sale.
    These are my ownership papers.
    This is my finger.

  5. Seems like that could be fixed just by having some kind of 'transfer' protocol, where the seller officially transfers 'owner' permissions to the buyer (by entering the buyer's id in the app and verifying the confirmation code sent to the buyer or something), after which the buyer could do a full reset and change the lock codes.

    Too bad humans haven't invented a way to transfer ownership of property yet.

Continue the discussion

11 more replies