Meet Charles Henderson.
He’s a hacker — one of the good ones. As the leader of X-Force Red, IBM’s security testing group, Charles gets paid to think like a criminal.
A few years ago, Charles decided it was time to get a new car. That’s when he discovered a glaring security risk in the used car market.
Out With the Old
Due to his growing family, Charles decided it was time to get rid of his convertible and purchase a more family-friendly vehicle. So he traded in his old car at a local dealership and purchased another car from the same dealer.
Since the new vehicle Charles purchased was from the same automaker, it had the same car management app as his previous car. Of course, since Charles works in the security industry, he made sure to erase all of the personal information on the app that was connected to the vehicle he traded in.
He deleted his phone contacts, erased the garage door opener code and removed all connected devices. Furthermore, when the dealership received the keys to the vehicle, they also checked to see that Charles’ personal information had been deleted from the car.
But when Charles plugged in the data for his new car into his smartphone app, he noticed that the information from his old car still appeared on the app. At first, Charles didn’t think much of it and assumed the information would eventually be expunged.
However, days passed, and then weeks, and his information was still there. That’s when Charles realized that because he could see his old car’s information through the app, his old car’s new owner could access his personal information through the car.
Not-So-Smart Technology
Technology is constantly improving — especially when it comes to cars — so it’s no surprise that most new cars are integrated with some sort of “smart” technology. Technology that allows you to unlock the car, sound the alarm, honk the horn and even find out the exact location of your vehicle, all with your smartphone.
That’s where the danger lies. Because even after Charles deleted all of his personal information from his old car, he could still see its location and access the smart features.
Now, you may be thinking, Wouldn’t a factory reset solve the problem? Unfortunately, no. Thanks to cloud-computing technology, a factory reset only erases the data stored locally on the device itself, not the data stored in the cloud.
This got Charles thinking, and he wanted to see whether his was an isolated incident or part of a larger problem. So he and his team tested four different auto manufacturers, and guess what? They all had the same security weakness. Charles and his team never revealed which carmakers they tested, but their results clearly show this is a widespread issue.
And believe it or not, automakers do this on purpose. Because the truth is they are afraid of so-called “user errors.” For example, what if you take your car to a new mechanic and in the course of repairs, they reboot your car app, deleting all your information? Or let’s say a friend borrows your car and they sync their smartphone to it to play music, accidentally wiping out your saved data so you can no longer access your own car?
Action to Take
As technology improves and is incorporated more and more into our daily lives, we will continue to encounter these types of situations. There is a fine line between creating a simple, secure process to delete personal information permanently and making it so easy that you might unwittingly make an irreversible mistake.
Then again, you also don’t want to leave yourself open to threat of someone taking over your vehicle or finding out where you or your loved ones live.
If you purchase a used car with smart capabilities, I recommend taking the following steps. First, check the user information in the car’s database to see what (if any) devices are connected to the car. If any of the previous owner’s devices are still connected, go to the dealership and ask them to remove the devices.
Before you sell your car used, do the same thing. Go to the dealership and ask them to remove your devices from the vehicle’s system.
Remember, a factory reset of the system won’t remove the connected devices, so you need to specifically ask the dealership to remove them manually.
It’s also important to note that these types of security issues aren’t tied only to used cars. If you buy a home with smart technology that allows you to control the thermostat, lights — even your locks and security system — from your phone, there’s a good chance the home’s previous owner still has access through this same loophole.
While technology certainly makes our lives easier, understand that these advances come with security risks — and someone having remote access to your car or your home presents a HUGE safety risk. So don’t be stupid when it comes to smart technology.
Follow Us On
Good advise. After working I/T for 20 years, the amount of that information left on old devises was something I had to continually contend with. “Smart Vehicles and dwellings,” should be considered the same. Anything cloud based.
You mean that my new-purchase 1958 Chevy truck is going to give away all my secrets? The only part of cloud-basing associated with this truck is that it sat in a garage in the mountains of Idaho for almost 50 years when not being driven.
When did automakers start incorporating this type of technology in their cars? I don’t want one!
Jason: I have a question that has absolutely nothing to do with personal protection (in the normal sense). You have mentioned a few times that you don’t work Sundays because of religious reasons, and you have also published your New Years resolutions for the last few years, one of which was to go to tabernacle at least once a month. If you are so religious, why do you only ‘try’ to go to services once a month, instead of actually going every single week? Are you in the majority of meatheads who believes that the game of the week is more important than attending services?
Mark,
I do go to church every single Sunday for 3 hours. I go to the temple once per month. At the temple we do additional worshiping in addition to our weekly church meetings.
Stay Safe!
P.S. Am I missing something subtle in the Mormon religion? By tabernacle, are you referring to the local church there in Cedar City, or the world famous main one in Salt Lake City?
Jason: Sorry I questioned your dedication. You guys must take your religion seriously if you spend at least three full hours in church every week. Nice to know you are as religious as you are patriotic. I love a good old fashioned traditional American. Obviously, you are one.
Another thing that should be noted – never ever connect your smart phone to a rental car. Often rental cars these days have bluetooth connect ability. Connecting your smartphone can be a huge security risk if any of your data is transferred to the car, such as your contacts, etc.