Turn Off That Bloody Horn!

Last week I blogged about the increased use of electronics for entertainment systems and vehicle control systems in cars, and the potential risk of malware theoretically causing those systems to be compromised.

Well, a few days ago, a news item came in that was an interesting follow on from my blog, although not directly related.

It seems that Omar Ramos-Lopez, a disgruntled former employee of a car dealership who had been fired from his job has been arrested and been charged with felony breach of computer security.

OK, so here's the deal. A car dealer in Austin, Texas has been installing a system called Webtech Plus into cars that were purchased on credit. This is done without the knowledge of the new car owner and involves installing a small box under the dash. The theory is that if the car owner defaults on their repayments, the car dealer can remotely (via a website) access the box in the car and cause the car ignition to be disabled, or cause the horn to go off. The idea behind the disabling of the ignition is that it will act as a reminder to the car owner to make the missing payments. This is seen as a preferable option to the car dealer having to get someone to repossess the car for them. Or if a repossession agent is sent to collect a car, the horn going off will reveal the location of the car if it has been hidden by the vehicle owner, for example in a garage.

Now, you could argue one way or the other about the ethics of installing such a system in vehicles without the knowledge of the vehicle owner, but that's another matter.

So what happened was that the employee wasn't happy about being fired from his job. When he was terminated, his access to the Webtech Plus web site was also terminated. But it seems this employee managed to use the username & password belonging to a co-worker at the car dealership. He then used that access to log into the application and find a list of all the cars fitted with the system that his previous employer had sold. He then went through the list alphabetically and caused the car's ignitions to be disabled and/or set the car horn off. More than one hundred cars were affected. The owners of the cars had no idea what the problem was, as they were unaware of the boxes that had been fitted to their cars. Some had to disconnect the battery in the car to stop the horn from going off.

At first the car dealer thought that there was some sort of mechanical problem with the cars. But five days later, once they changed all the passwords to access the Webtech Plus system, the problem suddenly stopped. Police then obtained access logs from the system and tracked the problems back to the ex-employee's IP address and arrested him.

So this is not quite the same scenario as I was talking about last week, but it is still an interesting situation. The boxes that were fitted to the cars provided third parties with the ability to have some remote control over the vehicle's systems via the Internet which is then passed to the vehicle via the wireless pager network. And what we have here is a breach of procedures where an authorised user's account was accessed by a work colleague who then misused that access for his own purposes.

This is demonstration of the fact that we have already entered the era where an unauthorized user (I won't call him a "hacker") has managed to instigate a DoS (Denial of Service) attack on a large number of vehicles in an act of revenge.

So unlike my blog last week where I mentioned a movie called "Christine", where a car is possessed by supernatural powers, I can see a new movie coming out called "Omar", where a bunch of cars are repossessed by rogue Internet powers!      :)
Craig Johnston
Senior Cybercrime Research Analyst

Author , ESET

Follow us

Copyright © 2018 ESET, All Rights Reserved.