It’s not just that smart cars’ Android apps are sloppily designed and thus horribly insecure; they are also deliberately designed with extremely poor security choices: even if you factory-reset a car after it is sold as used, the original owner can still locate it, honk its horn, and unlock its doors.
Again, this is by design: because auto-makers are worried about lockout and hacks (for example, a valet resetting your car to lock out your app), only the original dealer can sever the car’s connection with the cloud accounts of the original owner.
Charles Henderson, the leader of IBM’s X-Force Red security division presented on this risk at last week’s RSA conference in San Francisco (you can read his essay on the subject here). His ultimate recommendation is this counsel of despair: unless you are very technologically savvy, you should only buy new cars, not used ones.
It’s not just cars, either — the problem extends to smart appliances, thermostats, and other devices. Renting a house, staying in a hotel room, or buying a house without replacing its appliances and HVAC systems also exposes you to risks from the previous users of the devices in it.
When Henderson approached car makers about letting car owners wipe apps, companies were concerned about people not being able to do it properly.
“The explanation we were given was fear of user error,” he said. “But a pin system for reset or an authentication-required reset system would be my suggestion.”
Reselling connected devices causes problems beyond the used car lot. Selling homes with connected devices can be a security issue, too. Security cameras, smart fridges, and smart lights can all retain the previous owner’s data.
An IoT Love Story: Always Apart, Never Disconnected
[Charles Henderson/Securityintelligence]