Disgruntled Ex-Auto Dealer Employee Hacks Computer System To Disable Over 100 Cars
from the welcome-to-the-new-world dept
Ah, the fun of the electronic age. A few years back we started hearing about tools to remotely disable a car. These were talked about as a security system to recover stolen vehicles, but also as a device to put on leased cars, in case they need to be repossessed. Of course, once you put that technology on the car, what’s to stop someone from abusing it? Turns out that a disgruntled ex-employee of a car dealership that put such a technology on its cars was able to log into the computer system using a former co-worker’s account, and then started methodically targeting the cars that used that system:
Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.
Good thing he wasn’t fired from a hospital that used internet-connected pacemakers, huh?
Filed Under: cars, computers, disabled, disgruntled employees
Comments on “Disgruntled Ex-Auto Dealer Employee Hacks Computer System To Disable Over 100 Cars”
mmmm
revenge is sweet now any one peter mandlesons IP address?
Re: mmmm
Does his car have remote connection? Now that would be fun!
Hack? Don't think so
Please… Just because he took another user’s login & password does not make it hacking.
He was a hack for using his own computer.
Re: Hack? Don't think so
I concur, but by the letter of the law, any access to a system with a password that you aren’t authorized to access is lumped under “hacking”. It doesn’t seem to take into account how access was gained.
But, now he can tell his friend(s) he’s going to jail for being a hacker– that’s some good geek street cred right there. 🙂
Re: Re: Hack? Don't think so
Listen, I think we can all admit that there is no such thing as “geek street cred.” Unless you’re talking about cred amongst other geeks, but even that is pretty rare.
If the people are smart...
They’ll sue the dealership.
Causing grief to customers is bad, for me it is like spitting on food in a restaurant or worse.
The guy is blinded by rage and forgets he is hurting others that have done nothing against or for him.
I think the guy should be forced to sit through lengthy lectures about why what he did was wrong or be forced to do community service, as he did wrong to society and he should make amends somehow.
Hack? What hack?
I don’t get why every site is headlining this as a hack. Nothing was disassembled or made to do something it wasn’t. It was just a disgruntled ex-employee abusing a system, a system which was doing exactly what it was designed to do.
Re: Hack? What hack?
well considering, imho, the popular use of the word “hack” is wrong in essence, this isn’t really all that surprising. I really wish they would switch to crack, since hacking doesn’t even make sense in most cases it is wrongfully applied. A hack is generally a non-harmful trick to get something done (“I hacked together spare junk for a purpose”), whilst cracking is a harmful use of technology (or social engineering in this case) to cause pain or suffering or to perpetrate a criminal act.
I know plenty of hackers, but know very few crackers.
Re: Re: Hack? What hack?
“I know plenty of hackers, but know very few crackers.”
I prefer “caucasian.” Or if you must, “honkey.”
Re: Hack? What hack?
every site should be watching this because it’s not a safety feature, it’s a massive technical screw up and we’re all to blame. computers inside cars don’t stop accidents. what they do accomplish is breaking and causing expensive repairs on brand new vehicles that need a tow to a dealership full of idiots that won’t even know what’s wrong. people have been driving cars without computers for a long time! can you believe that??? type that in to your 600$ Idick phone. the best part about all this is young kids believe in technology like it’s mother nature. yea i said it….. Idick phone.
Re: Re: Hack? What hack?
Okay, grandpa. How far did you have to walk to school each day? Keep wishing for your “golden era.”
Only the Beginning
Technological advancement has its pluses and minuses. Unfortunately, stories such as these make the headlines. The Luddites then start foaming at the mouth with indignation. We need to adapt, not condemn.
The New York Times, for example, wrote a rather pointless article on how automating (remotely) the reading of your electric meter raised privacy concerns. So what. The utility companies have been collecting this data for eons, the only difference is that it is automated and does have a higher “resolution” (real-time versus monthly).
Re: Only the Beginning
Thank you for highlighting this point. It’s fear-mongering.
One counter-argument I read suggested that the technology was dangerous in case someone had an emergency, and couldn’t drive the disabled car. Since when did people get the right to drive vehicles they didn’t pay for in emergency situations? That’s justifying grand theft, and it’s stupid.
The story demonstrates a problem with the dealer’s (and possibly the technology company’s, but I don’t know for certain) procedure and/or security, not an inherent problem with technology.
Re: Re: Only the Beginning
> That’s justifying grand theft, and it’s stupid.
Don’t be ridiculous.
Failing to make a payment (or making a late payment) on a vehicle loan is in no way “grand theft”. If it were, the police would be routinely arresting and sending people to prison for it. As it is, the most that can happen is a tow truck shows up and takes the car back.
It’s a simple breach of contract (a civil, not criminal matter). Nothing more.
Re: Re: Only the Beginning
That’s justifying grand theft, and it’s stupid.
Stupid is trying to claim that being late on a payment is grand theft.
There is a hack, but not in the original sense
@georgied It’s a “hack” because the term has been warped from the act of modification of an object to perform something it wasn’t designed to do to meaning doing anything with a computer that is, at the very least, arguably unethical. I can’t say I’m a fan of this current definition, being a hacker in the old sense myself, but that’s where we’re at.
At face value this simply seems a case of possible social engineering since this disgruntled guy used another person’s credentials to access a system he wasn’t supposed to have access to at the time. Sigh… that just shows that any system is insecure thanks to users. However they are a necessary evil. With no users there would be no reason for the system.
I’m sure I’m preaching to the choir on this one but keep your usernames and passwords yours!
Just another reason why
I love technology, heck I am a computer programmer, but I hate letting anyone other than me have access to my devices. I do not want remote access to my car or anything else. This includes letting the power companies “manage” my energy usage as the greeners would have them do.
Re: Just another reason why
I’m confused. Do you *really* not want remote access to your car, or do you not want *someone else* to have remote access to your car?
I only ask, because I *do* want the ability to control my car from a remote location. (We’ll ignore the fact that I have no real use for this feature.) I think it would be cool. 🙂
Re: Re: Just another reason why
I do want to control my stuff myself. I do not want anyone else to have the ability to do it.
See?
When I was in college, learning network administration, my professor told us on the first day..”You are Gods- and never let them forget it..”
Re: See?
I need to remember that…
My professor just told us we would all be raging alcoholics within ten years and gave us a chance to back out.
wondering why the system doesn’t have some controls for this sort of thing, and heck even a way to prevent a single real, authorized employee from going rogue?
it seems a simple solution to a lot of these issues is to require two authorized users’ input to shut down a car
Re: Re:
What is needed is levels of authority. Though it would still be possible to guess the credentials of someone with enough authority. But the number of people with the proper authority should be kept to a bare minimum.
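The two-person rule and authority levels suggested in the two comments above, sketched as an added example (not part of the original thread and not the device vendor's code). The role names, level numbers and the `DisableGate` class are assumptions made for illustration; the point is that one borrowed login, as in the incident described in the article, is not enough to disable a car.

```python
from dataclasses import dataclass, field

# Hypothetical authority levels; role names and numbers are assumptions.
LEVELS = {"sales": 1, "collections": 2, "manager": 3}
DISABLE_MIN_LEVEL = 2  # assumed minimum level for disabling a vehicle


@dataclass
class Account:
    name: str
    role: str
    active: bool = True  # set to False when the employee leaves


@dataclass
class DisableRequest:
    vehicle_id: str
    requester: str
    approvals: set = field(default_factory=set)


class DisableGate:
    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def authorized(self, name):
        """True only for a known, active account with enough authority."""
        acct = self.accounts.get(name)
        return bool(acct and acct.active
                    and LEVELS.get(acct.role, 0) >= DISABLE_MIN_LEVEL)

    def request(self, vehicle_id, requester):
        if not self.authorized(requester):
            raise PermissionError(f"{requester} may not request a disable")
        return DisableRequest(vehicle_id, requester)

    def approve(self, req, approver):
        """Record a second person's approval; returns False if refused."""
        if approver == req.requester or not self.authorized(approver):
            return False
        req.approvals.add(approver)
        return True

    def may_execute(self, req):
        # Re-check at execution time, so an account closed after it
        # requested or approved no longer counts toward the two people.
        return (self.authorized(req.requester)
                and any(self.authorized(a) for a in req.approvals))
```
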
we should bring back the buggy whip even if only to whip this guy till his eyes bleed
Funny
You guys know the first rule if you want to access another computer is to try and obtain a user’s info right? Just because he didn’t brute force crack the password doesn’t mean it’s not a hack. The end result is the same. He accessed a system he did not have access to, thus he HACKED it.
Re: Funny
1 (and 2) You don’t talk about haxxerdom!
3rd rule is have really cool 3d screen savers playing in the background so it looks like you are doing something others won’t understand. Bonus points for physics equations being in there as well.
Repo's not Hacks.
Definitely not a “hack”, but hilarious still. I read on the original Wired Magazine report of this story that the vehicles were recently featured on http://repofinder.com and some of the buyers were thinking they got ripped off buying lemons from their Credit Unions.
Lots of Questions
1) Are customers informed of this ‘feature’ when they buy the car?
2) Are these black boxes removed from cars who don’t use dealer financing?
3) Is the black box removed when the car is paid off? If not, does the dealer’s access get revoked somehow?
4) Does the car owner have access to this feature? Can he disable his car while he’s away on vacation as an extra security measure?
5) Do bad things happen if the car no longer receives signals from the network? e.g. If the owner places a Faraday cage around the thing, or Pay Technologies goes out of business and stops transmitting, what happens. Does the car need a periodic ping to stay alive?
Re: Lots of Questions
Exactly, what kind of fail safes are built into this system?
Re: Lots of Questions
I dug into the product specs to answer my own questions:
1) Yes
2) Yes
3) Ideally yes, but what happens if the dealer goes out of business?
4) Yes, for an extra fee.
5) In addition to the dealer remote control that the article highlights, it looks like the driver needs to enter a dealer provided code every few weeks to keep the car running. Sounds like bad things might happen if the dealership or pay-tech folds and can’t provide you with your next week’s DRM code.
-In addition, it has an added gps(?) feature to help dealers (and their disgruntled ex-employees) locate cars that they want to repossess. — Obvious privacy implications to consider.
Re: Lots of Questions
Pay Technologies goes out of business and stops transmitting, what happens.
You mean like what would happen if a DRM server went away? Oh, that would never happen! (snort)
Removal of Boxes
I’m wondering just how often someone good with a screwdriver and a soldering iron just removes the box from a car that he/she purchased in this manner. Seems, like it would go a long ways towards eliminating the problem. If they hooked the box up to a 12 volt power source after removing it, and left it in their garage, that would pretty much make the entire system useless.
Ubi-Dealership coming next year
I can’t wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car. If at any time you lose connectivity, your vehicle automatically shuts down. But don’t worry, the online system saves your state, so as soon as your network connection is re-established your vehicle will resume traveling in the same direction and at the same speed.
Re: Ubi-Dealership coming next year
Endless permutations!!!
You wrote: “I can’t wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car.”
Late on your car payment – car turned off.
Run a red light – car turned off.
Late on your maintenance – car turned off
Auto incident above a certain “G” force – car turned off.
In car DVD player, unauthorized content – car turned off
Ford parts installed in a Chevy – car turned off.
Lawyers – $happy$
gay
Maybe it would have been a hack if...
Perhaps it would have been a bit more of a hack if he had used pc remote access methods to sneak into the network and then make the changes.
Funny Guy! Hacking into computer systems!!
This guy was in the wrong profession if he could hack into the database like that!! I was actually looking for posts about buying a new car and found this one! very funny!
A.