When all things are hackable, all things will be hacked

Even in the age of the Internet, buying a car can be an expensive, frustrating, and laborious process. It’s even worse if you are unemployed or have limited resources. Fortunately, Texas Auto Center in Austin caters to just these customers, promising a car for everyone, “no matter if you have good credit, bad credit, a bankruptcy, repossession, or no credit at all.” Of course when times are rough, people do get behind in their loan payments, and repossession rates at some dealerships run as high as 45 percent. Repossessing cars is never fun, either for those who are about to lose their primary means of transportation or for the dealers who have to send out a fleet of tow trucks in search of the car. These vehicles are often purposefully hidden by those who know they are facing repossession. When the repo man and his tow truck eventually come calling, tempers flare, and many repo men have been punched, kicked, spit upon, bitten, stabbed, and even shot to death trying to recover the dealer’s property. Surely there had to be a better approach, and Texas Auto Center thought it had found just the solution.

The dealership purchased a new technological tool from the Cleveland-based Pay Technologies that promised a far superior alternative to the confrontational repossessions of yesteryear. Pay Technologies’ product was known as the WebTeckPlus, a system that allowed car dealers to install “a small black box, about the size of a deck of cards, cleverly concealed underneath a vehicle’s dashboard.” The devices were controlled remotely via a central Web site that relayed signals over a wireless network to the cars’ black boxes. When activated, the signal allowed the dealership to “disable a car’s ignition system or trigger the horn to begin honking,” a nice, if not too subtle, way to remind owners their payment was overdue. Texas Auto Center began slowly installing the boxes in its entire fleet, and before long more than eleven hundred cars had the system in place. In charge of administering the new high-tech repo management system was Omar Ramos-Lopez, a young credit collector at the dealership with an affinity for technology.

All seemed to work well with the new system until February 2010, when suddenly a few of Texas Auto Center’s customers’ cars just stopped running and would not restart. They had no idea why. A check of company records indicated that the clients were all current with their payments. Throughout the day, the number of complaints began to increase, and by the fifth day more than a hundred owners had flooded the dealership with their irate grievances. What was going on?

Customers throughout Texas suddenly had their cars bricked, completely un-drivable and unable to start. Randomly, in the middle of the night horns began honking out of control around the city of Austin, and police were called with numerous noise complaints. When the cops arrived, they discovered the horns could not be shut off until physically disconnected from their car battery cables. Worse, these hundred customers found themselves without transportation, forced to miss work and desperately needed paychecks.

Though the incident was initially dismissed as a “systemic mechanical failure,” something much more nefarious was at play. An intruder illegally accessed Texas Auto Center’s Web-based remote vehicle immobilization system and one by one began turning off their customers’ cars throughout the city. Attempts by the dealership to turn the cars back on were stymied because the hacker had also altered the records in its database, changing vehicle identification numbers and replacing the names of legitimate customers with those of celebrities, such as the long-dead rapper Tupac Shakur and the pop star Jennifer Lopez.

Clearly something was amiss, and eventually suspicions fell upon twenty-year-old Omar Ramos-Lopez, who had been fired from the dealership in the days prior to the widespread vehicular paralysis for “not meeting company standards.” Law enforcement officials alleged Ramos-Lopez used his knowledge of his former employer’s system and the password of a former co-worker to exact revenge for his firing by disabling cars en masse throughout Austin. The police investigation showed that the former collection agent logged in to Pay Technologies’ servers in Ohio from the AT&T broadband network leading to his home. Ramos-Lopez was arrested and charged with felony breach of a computer system.

As for Texas Auto Center, it is far from unique in its decision to install remote repo-man technology in its vehicles; today there are more than two million cars with the technology. There are tens of millions of vehicles around the world that can be controlled one way or another online, with thousands more being added to the global information grid every day. With such black boxes installed in more and more automobiles, it is becoming increasingly clear that there may be more back doors in your car than you ever realized.

Image: Shutterstock