Wednesday, 15 March 2017

Is Your Connected Car at Risk? Previous Owners May Still Have Access

Leave a Comment
http://ift.tt/2msEkvK

GM OnStar Mobile App

As cars increasingly become enmeshed in the Internet of Things, automakers for the past few years have offered drivers the ability to locate, unlock, and start their car with a smartphone or tablet. From the comfort of your couch, you can crank up the heat in your car or honk its horn with a tap on a touchscreen. But if it’s easy for you to control your vehicle using a mobile app, that also means if you bought it used, whoever owned it before you could still have some kind of access to it. In other words, someone else could still have the ability to locate, unlock, and start your car.

Such was the case with Charles Henderson, a cybersecurity researcher at IBM, who happened to notice a major vulnerability in one automaker’s vehicle connectivity. A few years back, Henderson bought a convertible (the make and model of which he declined to name) and, as an early adopter to technology, was all too happy to connect his smartphone to the vehicle via the automaker’s mobile app. Then he had kids, so he sold the convertible in favor of a more family-friendly vehicle.

“Four Years Later, I Still Have Access”

Henderson said he removed all connected devices and wiped his personal information from the outgoing car. He reset the vehicle’s phone book and garage-door opener. The dealership, too, made sure the car was reset and that all keys were turned back in, said Henderson, who is global head of the IBM X-Force Red team of cybersecurity researchers.

Henderson’s new car was the same brand as that previous convertible, so he loaded its information into the relevant mobile app, which would allow him to see the car’s location and remotely unlock and lock it, among other things. “And I notice my previous car was still there,” Henderson said. That wasn’t such a big deal, at least not at first, because he had just sold it a few hours before. “Then hours turned into days, days turned into weeks, weeks turned into months, and now, four years later, I still have access to my old car,” Henderson said. “As a vulnerability researcher, this is a problem.”

Not that one needs to be a vulnerability researcher to see the potential for trouble. Henderson ultimately had to go to a dealership to have the vehicle removed once and for all from the app. Out of curiosity, he tried four major brands—again, declining to name them—and said they all had similar flaws.

connected-car-app-lead-screens-top-photo-672897-s-original

Several Ways to Disconnect

A trip to the dealership may no longer be necessary, at least according to automakers that responded to our questions about their connected-vehicle mobile apps. They all described to us various ways the app can be disconnected when the user sells the vehicle without relying on a dealer to do so. In some cases, the terms and conditions of the agreement actually demand that the seller give notice of an impending change of ownership.

Not many people read that fine print, of course, but in the case of General Motors and OnStar, for example, user terms say that if you sell or transfer your vehicle, “you must notify us by pressing the blue OnStar button” or by calling an 800 number, and “you must stop using” the connected-app services for that car or truck. “The seller does not have to go to the dealer,” GM spokesman for global connected customer experience Phil Colley told Car and Driver. “All they have to do is call.”

Volvo, in the user terms of service for its On Call app, says the transferring owner “must promptly deactivate all links between any Volvo IDs and the Volvo car,” adding that the process is described in documents included with the vehicle but that the owner is “welcome to turn to your local Volvo dealer in case you need assistance with such deactivation.”

Ford just launched remote-access capabilities through its FordPass on select vehicles in the United States last year, and untethering from the mobile app does not require a trip to the dealership, Ford smart mobility communications manager Angie Kozleski said. One way to disconnect is simply to log in to FordPass and delete the vehicle. Another way is to do a master reset of the vehicle’s Sync 3 system. “Our system does not rely on the dealer,” Kozleski told C/D.

For the Hyundai Blue Link remote-access app, the vehicle can be disconnected simply by choosing to delete the vehicle at the app’s home page or by calling an 800 number, said Miles Johnson, Hyundai’s senior manager of quality, service, and technology. Hyundai’s app also has a system in place so that only the app user can can have access to the controls by including a user ID, a password, and a personal identification number (PIN). That PIN is needed to control more critical functions, such as unlocking doors and starting the vehicle.

OnStar RemoteLink Mobile App.

What about the Unwitting Buyer?

But what about sellers who do not disconnect their vehicle from the app—because they don’t know how, they forget, or they’re simply ignorant about how intertwined these apps and cars are? And what about the buyer who doesn’t realize there is a remote-access app available and that someone else could still be using it? That gets a little dicier.

The most obvious problem is that, if someone sold the car but was still connected to it, in some cases it would be relatively easy for them to steal it, using the mobile phone as a key fob to unlock and start the vehicle. Many vehicles, however, still require the actual key fob to be present before the car or truck can be driven away. But the fact that prior owners could still be tracking the vehicle’s whereabouts would be enough to give most people pause.

In terms of making car buyers aware of the vehicle’s potential connectivity, Hyundai’s Johnson said the automaker also slaps a sticker with an 800 number on its Blue Link–equipped vehicles letting the new owners know it’s equipped and how to get it serviced. These remote services also can cost money—in the case of Blue Link, it’s $198 per year—so most owners call and disconnect when they no longer have the car or truck, Johnson said.

Both Ford’s Sync 3 and GM’s OnStar have in-car alerts to let users know that the remote-access app is active. So if someone bought a used vehicle with connectivity but had done nothing to connect it to a mobile app, when a notification appeared on the infotainment screen saying the car was connected, the owner might be curious to figure out who was connected to the car. GM’s Colley said OnStar also checks in with owners every 90 days to confirm users, in addition to using registration data to verify ownership.

Purging the Ghosts in the Machine

Otherwise, car companies put the onus on owners to remove the car from, or add it to, the mobile app. “But the problem is, a lot of owners don’t consider it a connected or smart car,” Henderson said. “They just consider it a car.”

Henderson’s advice to consumers buying a used vehicle with connected-car tech is to make sure there are no ghosts in the machine in the form of previous owners. He also said automakers should make it more intuitive for consumers to see who has access to the vehicle. “You can have the best security feature in the world, but if the user doesn’t know how to use it, it’s useless,” he said.

Let's block ads! (Why?)



from Car and Driver BlogCar and Driver Blog http://ift.tt/2mZOub7
via IFTTT

0 comments:

Post a Comment