A researcher discovered that smart cars stay connected with devices long after they’re sold
IBM researcher Charles Henderson can still control a car he sold several years ago from his phone. He can see where it is at any time he chooses, which made him wonder if cars from other manufacturers had similar blind spots. He decided to find out.
Technology in the car is nothing new–various AI systems integrate into your vehicle, you can listen to music almost anyway you choose, Volvo will even deliver fuel. But the ability to access a vehicle after you’ve given up ownership is concerning.
Henderson, whose story was published originally on CNN, doesn’t name the manufacturer of his car nor the others he tested, but the specifics of his research may not be as important as the implication of his results. Each of the cars tested had the same flaws, meaning a large percentage of cars being driven today are susceptible to significant privacy invasions.
Henderson told CNN that this happens because the car is smart–just not that smart. It knows enough to interact with the owner in various ways, but it doesn’t know who the owner is and that it has been resold. There isn’t anything on the dashboard to alert you to the fact that people have access to the car, let alone those specific people’s names.
Henderson, on Friday at the RSA security conference in San Francisco explained that manufacturers create apps that control smart cars, doing things like unlocking your vehicle, honking the horn, etc. Though Henderson removed his information from services in the car before he sold it back to the dealership, he could control it through the associated mobile app for years following the sale.
Research revealed that a factory reset doesn’t even disallow this from happening. Henderson says that only authorized dealerships can see which devices have access to the car–and then they have to be manually removed.
Henderson warns that it isn’t as simple as allowing vehicle owners to revoke access to devices themselves because people with bad intentions could revoke owner access by removing their device. He suggests a system requiring owner authentication, but says that companies are hesitant about owners using a system correctly.
While most people probably aren’t interested in knowing the location of their old cars, it could be an easy way for criminals to gain access to victims. The potential for malicious behavior is high.
Henderson suggests the users of technology check “user management” functions on their devices to see who has access. What your options are after that though are to be determined.