Smart cars are very in these days. You can start it remotely, lock or unlock the doors, even find out where the car is. We also saw a smart car get taken over – turning the steering wheel 90 degrees while the car was going 60 MPH and controlling the gas and brakes. But what happens when you sell it? Conversely, what happens when you buy it?
In many cases, smart cars allow you to control the car from an app on your phone. While you can’t slam on the brakes from your phone – the researchers had to do quite a bit of work to accomplish that, you can do other things – whether you own the car or not.
A researcher at IBM’s X-Force Red gave a presentation on the subject of dumb Internet of Things devices. Not only could you control your car remotely – or more nerve wracking, someone else’s car – but recently we heard of a person who returned a web cab after setting it up to talk to his phone and a few weeks later got a message saying there was activity on the web cam – he was able to watch the new owners on his old camera.
In the case of the car, you can do a factory recent and/or delete your data, but neither of these will remove the app’s ability to control your car. Only the dealer can, apparently. Likely, this is dependent on the car model and whether the equipment is original or add-on.
In addition, the data that has been collected over the years lives in the cloud and doing a reset on the car will not wipe the data out of the cloud.
For the most part, when people are done with an Internet of Things device, they kind of forget about it. We are beginning to get trained about data on cell phones, but not used web cams, cars or refrigerators. With many of these devices having cameras, the original owner could get some “interesting” pictures.
My recommendation is that before you sell or dispose of an IoT devices other than by crushing it to bits, you need to find out what it takes to disconnect from it.
On the other side, if you are buying an used IoT device (such as a used car), you need to make sure that you understand who has control of it.
In many cases, the seller or the middle man who is acting as the seller’s agent has no clue how to remove access or maybe, whether anyone has access. All they want to do is get their money, so they will likely blow you off or belittle the problem. You are going to need to take the bull by the horns and likely not trust the first answer that you get.
This is a bit of the wild west. Time to get that lasso out and wrestle that security steer to the ground. But just like in the Old West, wrestling that steer to the ground may not be easy.
Information for this post came from Naked Security.