Remotely start... someone else’s car!


The heading of this post is probably provocative enough to make anyone read on. But the truth is that I did pull this off, SUCCESSFULLY!

I am not part of the hard-core hacker community, nor a penetration tester who tries his best to break an application. I just had to open the app on my mobile, tap through a few screens and, voilà, the German engine growled under the hood. Let’s get something straight here: I DID NOT –

·      Reverse engineer the mobile app or manipulate its internal workings
·      Execute a man-in-the-middle attack to snoop on the commands that the app was sending to the car
·      Send a phishing email to the actual owner to obtain the owner’s credentials
·      Hack the car company’s datacenter to gather sensitive details

Of course, the company in question is reputable enough to have earned that trust. So how did it happen?

I would like to introduce a term here: “Consumer Off-Boarding”. Its significance will sink in shortly. Let me list the facts:

§  I had owned THIS car initially – brand new, straight from the dealership.
§  Enrolled in the company’s premium service to enable the connected-car features; these were offered free at the time of purchase.
§  Enrolled in, configured and used these features as judiciously as possible.
§  Decided to transfer the car (albeit reluctantly) to someone I know.
§  The company handled the entire transfer process.
§  Kept the app active on my mobile device.

The issue in contention is a lack of process controls that morphed into a security issue. Its severity comes from the fact that passenger safety, and potentially life, is at stake. There was a high level of scrutiny during onboarding to ensure that I was the rightful owner of the vehicle and in possession of it. But during the vehicle transfer, the triggers needed to detect and remove my remote-control access to a vehicle that had ceased to be mine were missing. The app on my phone is only a client; the authorization that let my account command the car lives on the company’s servers, and that account-to-vehicle binding is what should have been revoked at transfer.

What is the solution?

o   Map the owner’s identity (e.g. SSN, or whatever identifier the title-transfer process already verifies) to the car’s VIN, so that a change of owner of record automatically revokes the previous owner’s remote access.
o   The backend, not just the mobile app, should refuse to associate more than one user with a car; a check enforced only in the app can be bypassed.
o   The location from which a request originates can serve as a negative signal: a remote-start request from a device far from the vehicle is worth refusing or challenging.
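The three controls above amount to one server-side rule: a VIN has exactly one authorized account at a time, and the title transfer is the event that revokes it. The Python model below is an added example written for this page, not code from the original post or from any car maker; the class names, the one-binding-per-VIN rule, the 50 km device-distance limit and all identifiers are assumptions. It replays the scenario: the first owner enrols and starts the car, the title is transferred, and the first owner’s existing token is refused even though the app was never touched.

```python
"""Consumer off-boarding for a connected-car remote-command API.

Added illustration, not code from the original post or from any manufacturer.
Class names, the one-active-binding-per-VIN rule, the 50 km device distance
limit and all identifiers below are assumptions made for this example.
"""
import math
import secrets
from dataclasses import dataclass

MAX_DEVICE_DISTANCE_KM = 50.0  # assumed: a remote start from farther away is refused


@dataclass
class Binding:
    user_id: str
    vin: str
    token: str  # bearer token held by the mobile app
    active: bool = True


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class VehicleAccessService:
    """Server-side authority over who may send remote commands to a VIN."""

    def __init__(self):
        self._owner_of_record = {}  # vin -> owner id, fed by the title/registration process
        self._bindings = {}         # vin -> the single active app binding
        self._by_token = {}         # token -> Binding
        self.audit = []

    def register_title(self, vin, owner_id):
        """Record the owner of record; a change of owner is the off-boarding trigger."""
        previous = self._owner_of_record.get(vin)
        self._owner_of_record[vin] = owner_id
        if previous is not None and previous != owner_id:
            self._revoke(vin, "title transferred")

    def _revoke(self, vin, reason):
        binding = self._bindings.pop(vin, None)
        if binding is not None:
            binding.active = False
            self._by_token.pop(binding.token, None)
            self.audit.append(f"revoked {binding.user_id} on {vin}: {reason}")

    def onboard(self, user_id, vin):
        """Issue an app token only to the current owner of record, and only one per VIN."""
        if self._owner_of_record.get(vin) != user_id:
            raise PermissionError(f"{user_id} is not the owner of record for {vin}")
        if vin in self._bindings:
            raise PermissionError(f"{vin} already has an active binding")
        token = secrets.token_urlsafe(32)
        binding = Binding(user_id, vin, token)
        self._bindings[vin] = binding
        self._by_token[token] = binding
        self.audit.append(f"onboarded {user_id} on {vin}")
        return token

    def remote_start(self, token, vin, device_location, vehicle_location):
        """Authorize a remote start; True only if every check passes."""
        binding = self._by_token.get(token)
        if binding is None or not binding.active or binding.vin != vin:
            self.audit.append(f"denied remote_start on {vin}: no active binding")
            return False
        # Ownership is re-checked at command time; the app's cached state is not trusted.
        if self._owner_of_record.get(vin) != binding.user_id:
            self._revoke(vin, "owner mismatch at command time")
            return False
        distance = haversine_km(device_location, vehicle_location)
        if distance > MAX_DEVICE_DISTANCE_KM:
            self.audit.append(f"denied remote_start on {vin}: device {distance:.0f} km away")
            return False
        self.audit.append(f"remote_start on {vin} by {binding.user_id}")
        return True


def demo():
    """Replay the post's scenario with constructed identifiers and positions."""
    svc = VehicleAccessService()
    vin, car = "VIN-EXAMPLE-0001", (12.97, 77.59)  # constructed VIN and vehicle position
    svc.register_title(vin, "first_owner")
    old_token = svc.onboard("first_owner", vin)
    results = {"owner_starts": svc.remote_start(old_token, vin, car, car)}
    svc.register_title(vin, "second_owner")  # the transfer revokes the old binding
    results["old_owner_after_transfer"] = svc.remote_start(old_token, vin, car, car)
    new_token = svc.onboard("second_owner", vin)
    results["new_owner_starts"] = svc.remote_start(new_token, vin, car, car)
    try:
        svc.onboard("first_owner", vin)  # previous owner tries to re-enrol
        results["old_owner_reenrol"] = True
    except PermissionError:
        results["old_owner_reenrol"] = False
    far_away = (48.86, 2.35)  # constructed device position thousands of km from the car
    results["new_owner_far_away"] = svc.remote_start(new_token, vin, far_away, car)
    return results
```

The point of the model is where the revocation lives: `register_title` runs in the backend when the owner of record changes, so the previous owner’s token dies whether or not the app is still installed, and `remote_start` re-checks ownership on every command rather than trusting a token issued months earlier. The distance check is a coarse anomaly signal, not an authorization control, and in practice would feed a step-up challenge rather than a hard refusal.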

Comments

  1. I got some valuable points from this blog. Thank you for sharing this blog. Sophos Security

  2. It is really a helpful blog for finding some different sources to add to my knowledge.
    Business Telephone Systems

  3. This blog is really helpful in delivering updated affairs over the internet, which is really appreciable.
    Moroccan rugs australia
