Security researchers have revealed that data on some IoT devices and connected cars survives being wiped and may leak sensitive information when the device changes hands.
The risk posed to connected cars by skilled hackers is well-documented. Among the most high-profile hacks so far was the Jeep incident, in which researchers took full control of a vehicle, from controlling the radio to cutting its transmission. Preventing attacks by highly skilled attackers is an ongoing fight, but at least few people have the knowledge to replicate such work.
What’s terrifying about the findings of IBM researcher Charles Henderson is that sensitive data can persist after a car is wiped and can be accessed by any individual. In a speech at the RSA Security conference, Henderson revealed that despite selling a car years ago, he still knew where it was because there was no process in place to unhook connected car apps from former owners.
Despite leading X-Force Red, IBM's security testing group, Henderson wasn't researching car security when he discovered the flaw. He simply went through a process familiar to many parents: having kids and trading in the convertible for a more family-oriented car. Being a security researcher, he ensured all data was deleted before handing over the keys, which included clearing the phone book, removing all connected devices, and resetting the garage door opener.
The dealership went through all its own standard procedures to ensure all the physical keys were handed over, and Henderson noted they also checked that personal information had been deleted from the vehicle (to the best of their knowledge). After receiving the new car, Henderson noticed his old car was still listed in the unnamed manufacturer's vehicle management app.
“Over time, I began to realize that the car wasn’t going to expire. Days went by, then weeks, months and, eventually, years. It was obvious that whoever had purchased my old car had not enrolled it in the mobile app,” Henderson wrote on his security blog. “This is where my curiosity kicked in — were manufacturers only designing IoT functionality for the first owner because that’s where their revenue comes from?”
He details another case in which a colleague in X-Force Red bought a home automation hub and, even after performing a factory reset, saw a device that was not his own. After going back and forth with customer support they removed the other account, but then asked whether he'd also like to delete a second user, which he was not even aware of, that managed his device. This is another case of an IoT company failing to consider security beyond the initial user.
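Both anecdotes describe the same lifecycle gap: the device's local data is cleared, but the cloud-side bindings that give accounts access to it are not. The following added example (hypothetical code, not any manufacturer's registry or IBM's) models a device-binding registry with the two controls those stories call for: an ownership transfer or factory reset revokes every bound account, secondary users included, and an audit lists bindings that outlive the last wipe so a former owner who can still see the device is caught. The `DeviceRegistry` class, the account names and the scenario in `demo()` are all constructed for illustration.

```python
"""Ownership-lifecycle model for a connected device (added example, not the
article's or any manufacturer's code)."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    account: str
    role: str          # "owner" or "secondary"
    created_at: int    # registry clock tick when the binding was made
    active: bool = True


@dataclass
class Device:
    device_id: str
    last_wipe_at: int = -1                    # clock tick of the most recent wipe
    bindings: list = field(default_factory=list)


class DeviceRegistry:
    """Cloud-side record of which accounts may reach which device."""

    def __init__(self):
        self.devices = {}
        self.clock = 0

    def _tick(self):
        self.clock += 1
        return self.clock

    def _device(self, device_id):
        return self.devices.setdefault(device_id, Device(device_id))

    def enroll(self, device_id, account, role="owner"):
        dev = self._device(device_id)
        if role == "owner" and any(b.active and b.role == "owner" for b in dev.bindings):
            raise PermissionError(f"{device_id} already has an active owner; transfer it first")
        dev.bindings.append(Binding(account, role, self._tick()))

    def naive_local_wipe(self, device_id):
        """The failure mode from the article: the device's own data is cleared
        (phone book, paired phones) but no cloud binding is touched."""
        self._device(device_id).last_wipe_at = self._tick()

    def factory_reset(self, device_id):
        """Correct reset: revoke every binding, owner and secondary alike.
        Returns the accounts that were revoked, for the audit trail."""
        dev = self._device(device_id)
        revoked = [b.account for b in dev.bindings if b.active]
        for b in dev.bindings:
            b.active = False
        dev.last_wipe_at = self._tick()
        return revoked

    def transfer(self, device_id, new_owner):
        """Ownership change is a full reset followed by enrolling the new owner."""
        revoked = self.factory_reset(device_id)
        self.enroll(device_id, new_owner)
        return revoked

    def is_authorized(self, device_id, account):
        # Consults only binding state, which is exactly why a local wipe alone
        # leaves the former owner with access.
        return any(b.active and b.account == account
                   for b in self._device(device_id).bindings)

    def linked_accounts(self, device_id):
        """Everything a new owner should be shown, hidden secondary users included."""
        return sorted(b.account for b in self._device(device_id).bindings if b.active)

    def stale_bindings(self, device_id):
        """Audit: active bindings created before the last wipe. A non-empty
        result means someone who wiped the device can still be reached by it."""
        dev = self._device(device_id)
        return sorted(b.account for b in dev.bindings
                      if b.active and b.created_at < dev.last_wipe_at)


def demo():
    """Constructed scenario: an owner wipes the dashboard and sells the car,
    unaware that a service account was also bound to it."""
    reg = DeviceRegistry()
    reg.enroll("car-1", "charles@example.com")
    reg.enroll("car-1", "dealer-service@example.com", role="secondary")
    reg.naive_local_wipe("car-1")
    after_naive = {
        "stale": reg.stale_bindings("car-1"),
        "former_owner_authorized": reg.is_authorized("car-1", "charles@example.com"),
    }
    revoked = reg.transfer("car-1", "buyer@example.com")
    after_transfer = {
        "revoked": revoked,
        "stale": reg.stale_bindings("car-1"),
        "linked": reg.linked_accounts("car-1"),
        "former_owner_authorized": reg.is_authorized("car-1", "charles@example.com"),
        "buyer_authorized": reg.is_authorized("car-1", "buyer@example.com"),
    }
    return after_naive, after_transfer


if __name__ == "__main__":
    for label, result in zip(("after local wipe", "after transfer"), demo()):
        print(label, result)
```

After the dashboard-only wipe the audit flags both the former owner and the secondary account as stale while the former owner is still authorized; after a proper transfer the revoked list includes the secondary account the seller never knew about, the audit is clean, and only the buyer is linked. The point of `linked_accounts` is that the dealership and the new owner can verify the result rather than trust it.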
During the same conference, Kaspersky published its findings on seven Android-based connected car apps. Six of the applications did not encrypt usernames and were susceptible to reverse engineering or hijacking by malware. "An evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything," wrote the researchers in a paper.
An IBM Security survey revealed that consumers were least worried about protecting car navigation data (8 percent), home devices (10 percent), and connected cameras (16 percent), compared to 64 percent who cared about their mobile devices.
The findings of both Henderson and the Kaspersky team highlight the need for an improved focus on IoT security and the need for it to extend beyond the initial user. Consumers also need to be more wary about the data their vehicle contains and put more pressure on manufacturers to ensure it’s protected.