Today's Hard|Forum Post
Today's Hard|Forum Post

Monday February 20, 2017

Previous Owners of Used "Smart" Cars can Still Control Them via the Cars' Apps

As we have covered countless times before, there are many security problems in the world of connected cars. Now there is a new one to worry about.

Apparently for fear of owners getting locked out of their cars by valet's or others accidentally resetting the cars connections, car makers have, by and large, omitted any user accessible option to reset connections to connected devices. While dealers usually have the ability to perform this reset, they do not appear to have this on their trade-in checklist as of yet, resulting in many cars being resold, and new owners unknowingly being spied on by previous owners. The researcher goes on to note, that this is not limited to cars, but is a common theme among IoT devices.

This will be a good thing to keep in mind, as I go shopping for a replacement car this summer.

Charles Henderson, the leader of IBM's X-Force Red security division presented on this risk at last week's RSA conference in San Francisco (you can read his essay on the subject here). His ultimate recommendation is this counsel of despair: unless you are very technologically savvy, you should only buy new cars, not used ones.

It's not just cars, either -- the problem extends to smart appliances, thermostats, and other devices. Renting a house, staying in a hotel room, or buying a house without replacing its appliances and HVAC systems also exposes you to risks from the previous users of the devices in it.