It’s too easy to steal a second-hand connected car

Not too long from now it will be pretty much impossible to buy a new car which isn’t connected to the internet in some fashion.

Many modern purchasers are more swayed by the gadgety bells and whistles their car includes than its performance, and in a world where everything seems to have to have an associated smartphone app, why should vehicles be any different?

If most new cars are going to be internet-enabled then you know what that means? Yup, second-hand cars are going to be increasingly “smart” as well, as vehicles are sold on after a few years.

Oh, and yes, as I’m writing on We Live Security it should go without saying that it also means security threats.

This point was brought home last week at the RSA Conference in San Francisco, where IBM’s Charles Henderson described how – over two years after he had traded it back in to the original authorised dealer – he was still able to access his old car via a smartphone app.


Despite deauthorising all associated accounts, satellite radio and garage door openers, resetting the Bluetooth, as well as surrendering all the keys at the time of sale, Henderson discovered that his mobile app never forgot his old car.

The app allowed Henderson to track the geolocation of the car, adjust its climate control, send its SatNav systems new directions and even trigger its horn.

But perhaps most alarmingly of all, the app also gave Henderson the ability to remotely unlock the vehicle.

Fortunately the IBM researcher isn’t one of the bad guys. But it is easy to imagine how a car thief or stalker would exploit such a feature.

As Henderson explained to CNN, the new car’s owners would have no clue that they were potentially at risk:

“The car is really smart, but it’s not smart enough to know who its owner is, so it’s not smart enough to know it’s been resold. There’s nothing on the dashboard that tells you ‘the following people have access to the car.’”

It turns out that although Henderson probably took more effort than most people to ensure that he had wiped the car’s knowledge of him and associated accounts before trading it in, that wasn’t enough.

As the researcher explains, that’s because a full factory reset of the unnamed vehicle does not revoke access by the smartphone app – the information still lurks in the cloud, and can only be wiped by a factory-authorised dealer.

One has to wonder how often that occurs. Henderson’s own investigation discovered four major vehicle manufacturers were allowing previous owners to access cars from a mobile app.

This is the Internet of (insecure) Things at work again, folks. In the rush to add “bells and whistles”, features are not being properly thought through, and security is not uppermost in manufacturers’ minds.

Until more effort is made by vendors to integrate the internet in a safe way into the myriad of devices that surround us, we are going to hear more and more stories of security breaking down like this.

Author Graham Cluley, We Live Security

  • Nigel Tolley

    I’d test for this, but buying a new car to fiddle with (and break) gets expensive after a while.

  • John Lewis

    You don’t have to wait for a connected car for your car ownership to be at risk in the UK. DVLA uses gov.uk verify which is inherently insecure. There are risks from other departments as well: Companies House (your company can be stolen). See – http://wp.me/p7MvnT-5


Copyright © 2018 ESET, All Rights Reserved.