'How I could have stolen my old car using my smartphone'

Charles Henderson loved his "awesome" convertible, particularly the fact that he could start, lock and unlock it remotely via his mobile phone.
It was one of the first connected cars that synchronise wirelessly with smartphones for entertainment and work purposes.
But after he sold the vehicle, he was astonished to discover that he could still control it using the associated smartphone app.
"I could have found out where the car was, unlocked it remotely, started it and driven off with it," he said.

Mr Henderson, from Austin, Texas, is global head of X-Force Red, IBM's offensive security group, so he knows a thing or two about security. He tests companies' defences, both physical and digital.
"We try to think like a criminal without actually acting like one," he says. "It's the coolest job in the world."

So before selling his car back to the dealer he was sure to carry out a factory reset and wipe any personal data from the car's onboard computer. He didn't want the new owner getting access to his calendar, contacts and phone records.
He then bought a new connected car made by the same manufacturer and was amazed when his old car still appeared alongside his new car on the app.
"These IoT [internet of things] devices are really smart but they're not smart enough to know that you've sold them," he says.

"I informed the car dealership but they didn't know how to handle this. So we went to the car manufacturer and it took a while before they took it seriously. They found it really difficult to cut off access."

The issue of personal data being left behind in devices we rent or own poses a serious risk - hackers could get access to it and use it for blackmail purposes or to steal our money using cloned identities.

"When they rent a car, many drivers sync their phones to the onboard Bluetooth without thinking that the data will stay in the car's computer. And they won't even think about clearing it before handing it back," says Mr Henderson.
"Yet they could be revealing sensitive corporate or private data unwittingly."
Ian Fogg, principal analyst at research firm IHS Markit, says: "Your smartphone is now the hub for a range of experiences, whether that's in your connected car or your smart home.

"So it's a really critical to protect your data, and when selling it - or the devices it has synced with - to make sure all personal information is thoroughly removed from it."
Richard Stiennon is chief strategy officer for Blancco Technology Group, a company that specialises in data erasure.

He admits that deleting this data is easier said than done.
"Simply going into a car's settings and deleting your phone from the list of previously paired Bluetooth devices does not guarantee that this will overwrite the data on the car's storage device," Mr Stiennon says.

"It will only prevent casual hackers like the next renter from seeing it. A better option is to overwrite all user data or perform a factory reset 
- if the vehicle allows it 
- to ensure the data is 100% erased and cannot be recovered."

Erasing data from a connected car is more difficult to do than on laptops, removable drives and mobiles. When you think about all the different car makes and models, each with their own operating systems and apps, syncing with so many different phone types, which also have their own versions of operating systems, complexity and lack of standards is the order of the day.

Toby Poston, director of communications and external relations for the BVRLA (British Vehicle Rental and Leasing Association) says: "Each individual has the responsibility for making sure that their data is erased, but car makers could make it easier.

"Our members manage millions of hire cars and company cars and we would like to see all manufacturers introduce a 'data cleanse' button to their vehicles as well as enabling this to be done remotely."
There are also cyber-security, as well as data protection, issues.

No comments:

Use the comment box

Powered by Blogger.