Disgruntled Ex-Auto Dealer Employee Hacks Computer System To Disable Over 100 Cars

from the welcome-to-the-new-world dept

Thu, Mar 18th 2010 1:34am — Mike Masnick

Ah, the fun of the electronic age. A few years back we started hearing about tools to remotely disable a car. These were talked about as a security system to recover stolen vehicles, but also as a device to put on leased cars, in case they need to be repossessed. Of course, once you put that technology on the car, what's to stop someone from abusing it? Turns out that a disgruntled ex-employee of a car dealership that put such a technology on its cars, was able to log into the computer system using a former co-workers account and then started methodically targeting the cars that used that system:

Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.

Good thing he wasn't fired from a hospital that used internet-connected pacemakers, huh?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cars, computers, disabled, disgruntled employees

42 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

mike allen (profile), 18 Mar 2010 @ 2:34am

mmmm
revenge is sweet now any one peter mandlesons IP address?
[ link to this | view in chronology ]
- Anonymous Coward, 18 Mar 2010 @ 2:52am
  
  Re: mmmm
  Does his car have remote connection? Now that would be fun!
  [ link to this | view in chronology ]
DevConcepts (profile), 18 Mar 2010 @ 4:26am

Hack? Don't think so
Please... Just because he took another users login & password does not make it hacking.

He was a hack for using his own computer.
[ link to this | view in chronology ]
- The Infamous Joe (profile), 18 Mar 2010 @ 8:31am
  
  Re: Hack? Don't think so
  I concur, but by the letter of the law, any access to a system with a password that you aren't authorized to access is lumped under "hacking". It doesn't seem to take into account how access was gained.
  
  But, now he can tell his friend(s) he's going to jail for being a hacker-- that's some good geek street cred right there. :)
  [ link to this | view in chronology ]
  - Money Mike (profile), 18 Mar 2010 @ 9:34am
    
    Re: Re: Hack? Don't think so
    Listen, I think we can all admit that there is no such thing as "geek street cred." Unless you're talking about cred amongst other geeks, but even that is pretty rare.
    [ link to this | view in chronology ]
Anonymous Coward, 18 Mar 2010 @ 4:43am

If the people are smart...
They'll sue the dealership.
[ link to this | view in chronology ]
:), 18 Mar 2010 @ 4:57am

Causing grief to customers is bad, for me is like spitting on food in a restaurant or worse.

The guy is blinded by rage and forget he is hurting others that have done nothing against or for him.

I think the guy should be forced to sit through lengthy lectures about why what he did was wrong or be forced to do community service as he did wrong society and he should make emends somehow.
[ link to this | view in chronology ]
georgied, 18 Mar 2010 @ 5:05am

Hack? What hack?
I don't get why every site is headlining this as a hack. Nothing was disassembled or made to do something it wasn't. It was just a disgruntled ex-employee abusing a system, a system which was doing exactly what it was designed to do.
[ link to this | view in chronology ]
- senshikaze (profile), 18 Mar 2010 @ 6:41am
  
  Re: Hack? What hack?
  well considering, imho, the popular use of the word "hack" is wrong in essence, this isn't really all that surprising. I really wish they would switch to crack, since hacking doesn't even make sense in most cases it is wrongfully applied. A hack is generally a non-harmful trick to get something done ("I hacked together spare junk for a purpose), whilst cracking is a harmful use of technology(or social engineering in this case) to cause pain or suffering or to perpetrate a criminal act.
  I know plenty of hackers, but know very few crackers.
  [ link to this | view in chronology ]
  - Nastybutler77 (profile), 18 Mar 2010 @ 9:47am
    
    Re: Re: Hack? What hack?
    "I know plenty of hackers, but know very few crackers."
    
    I prefer "caucasian." Or if you must, "honkey."
    [ link to this | view in chronology ]
- dan, 18 Mar 2010 @ 10:38am
  
  Re: Hack? What hack?
  every site should be watching this because its not a safety feature, its a massive technical screw up and were all to blame.computers inside cars dont stop accidents.what they do accomplish is breaking and causing expensive repairs on brand new vehicles that need a tow to a dealership full of idiots that wont even know whats wrong.people have been driving cars without computers for a long time! can you believe that???type that in to your 600$ Idick phone.the best part about all this is young kids believe in technology like its mother nature.yea i said it.....Idick phone.
  [ link to this | view in chronology ]
  - Nastybutler77 (profile), 18 Mar 2010 @ 1:29pm
    
    Re: Re: Hack? What hack?
    Okay, grandpa. How far did you have to walk to school each day? Keep wishing for your "golden era."
    [ link to this | view in chronology ]
Steve R. (profile), 18 Mar 2010 @ 5:13am

Only the Beggining
Technological advancement has its pluses and minuses. Unfortunately, stories such as these make the headlines. The Luddites then start foaming at the mouth with indignation. We need to adapt, not condemn.

The New York Times, for example, wrote a rather pointless article on how automating (remotely) the reading your electric meter raised privacy concerns. So what. The utility companies have been collecting this data for eons, the only difference is that it is automated and does have a higher "resolution" (real-time versus monthly).
[ link to this | view in chronology ]
- scarr (profile), 18 Mar 2010 @ 6:46am
  
  Re: Only the Beggining
  Thank you for highlighting this point. It's fear-mongering.
  
  One counter-argument I read suggested that the technology was dangerous in case someone had an emergency, and couldn't drive the disabled car. Since when did people get the right to drive vehicles they didn't pay for in emergency situations? That's justifying grand theft, and it's stupid.
  
  The story demonstrates a problem with the dealer's (and possibly the technology company's, but I don't know for certain) procedure and/or security, not an inherent problem with technology.
  [ link to this | view in chronology ]
  - btr1701 (profile), 18 Mar 2010 @ 8:27am
    
    Re: Re: Only the Beggining
    > That's justifying grand theft, and it's stupid.
    
    Don't be ridiculous.
    
    Failing to make a payment (or making a late payment) on a vehicle loan is in no way "grand theft". If it were, the police would be routinely arresting and sending people to prison for it. As it is, the most that can happen is a tow truck shows up and takes the car back.
    
    It's a simple breach of contract (a civil, not criminal matter). Nothing more.
    [ link to this | view in chronology ]
  - Anonymous Coward, 18 Mar 2010 @ 10:51am
    
    Re: Re: Only the Beggining
    That's justifying grand theft, and it's stupid.
    
    Stupid is trying to claim that being late on a payment is grand theft.
    [ link to this | view in chronology ]
Noah Body, 18 Mar 2010 @ 5:22am

There is a hack, but not in the original sense
@georgied It's a "hack" because the term has been warped from the act of modification of an object to preform something it wasn't designed to do to meaning doing anything with a computer that is, at the very least, arguably unethical. I can't say I'm a fan of this current definition being a hacker in the old sense myself, but that's where we're at.

At face value this simply seems a case of possible social engineering since this disgruntled guy used another person's credentials to access a system he wasn't supposed have access to at the time. Sigh... that just shows that any system is insecure thanks to users. However they are a necessary evil. With no users there would be no reason for the system.

I'm sure I'm preaching to the choir on this one but keep your usernames and passwords yours!
[ link to this | view in chronology ]
John Doe, 18 Mar 2010 @ 5:38am

Just another reason why
I love technology, heck I am a computer programmer, but I hate letting anyone other than me have access to my devices. I do not want remote access to my car or anything else. This includes letting the power companies "manage" my energy usage as the greeners would have them do.
[ link to this | view in chronology ]
- The Infamous Joe (profile), 18 Mar 2010 @ 8:36am
  
  Re: Just another reason why
  I'm confused. Do you *really* not want remote access to your car, or do you not want *someone else* to have remote access to your car.
  
  I only ask, because I *do* want the ability to control my car from a remote location. (We'll ignore the fact that I have no real use for this feature.) I think it would be cool. :)
  [ link to this | view in chronology ]
  - John Doe, 18 Mar 2010 @ 9:09am
    
    Re: Re: Just another reason why
    I do want to control my stuff myself. I do not want anyone else to have the ability to do it.
    [ link to this | view in chronology ]
K Jeacoma (profile), 18 Mar 2010 @ 5:46am

See?
When I was in college, learning network administration, my professor told us on the first day.."You are Gods- and never let them forget it.."
[ link to this | view in chronology ]
- senshikaze (profile), 18 Mar 2010 @ 6:45am
  
  Re: See?
  I need to remember that...
  
  My professor just told us we would all be raging alcoholics within ten years and gave us a chance to back out.
  [ link to this | view in chronology ]
zerojj, 18 Mar 2010 @ 6:43am

wondering why the system doesnt have some controls for this sort of thing, and heck even a way to prevent a single real, authorized employee from going rogue?

it seems a simple solution to a lot of these issues is to require two authorized users input to shutdown a car
[ link to this | view in chronology ]
- John Doe, 18 Mar 2010 @ 9:16am
  
  Re:
  What is needed is levels of authority. Though it would still be possible to guess the credentials of someone with enough authority. But the number of people with the proper authority should be kept to a bare minimum.
  [ link to this | view in chronology ]
Coughing Monkey (profile), 18 Mar 2010 @ 7:21am

we should bring back the buggy whip even if only to whip this guy till his eyes bleed
[ link to this | view in chronology ]
IOERROR, 18 Mar 2010 @ 7:31am

Funny
You guys know the first rule if you want to access another computer is to try an obtain a users info right? Just because he didn't brute force crack the password doesn't mean it's not a hack. The end result is the same. He accessed a system he did not have access to, thus he HACKED it.
[ link to this | view in chronology ]
- Ccomp5950 (profile), 18 Mar 2010 @ 8:29am
  
  Re: Funny
  1 (and 2) You don't talk about haxxerdom!
  
  3rd rule is have really cool 3d screen savers playing in the background so it looks like you are doing something others won't understand. Bonus points for physics equations being in there as well.
  [ link to this | view in chronology ]
Mike, 18 Mar 2010 @ 8:12am

Repo's not Hacks.
Definitely not a "hack", but hilarious still. I read on the original Wired Magazine report of this story that the vehicles were recently featured on http://repofinder.com and some of the buyers were thinking they got ripped off buying lemons from their Credit Unions.
[ link to this | view in chronology ]
Anonymous Coward, 18 Mar 2010 @ 8:46am

Lots of Questions
1) Are customers informed of this 'feature' when they buy the car?

2) Are these black boxes removed from cars who don't use dealer financing?

3) Is the black box removed when the car is paid off? If not, does the dealer's access get revoked somehow?

4) Does the car owner have access to this feature? Can he disable his car while he's away on vacation as an extra security measure?

5) Do bad things happen if the car no longer receives signals from the network? e.g. If the owner places a Faraday cage around the thing, or Pay Technologies goes out of business and stops transmitting, what happens. Does the car need a periodic ping to stay alive?
[ link to this | view in chronology ]
- Joe Dirt, 18 Mar 2010 @ 9:17am
  
  Re: Lots of Questions
  Exactly, what kind of fail safes are built into this system?
  [ link to this | view in chronology ]
- Anonymous Coward, 18 Mar 2010 @ 9:43am
  
  Re: Lots of Questions
  I dug into the product specs to answer my own questions:
  
  1) Yes
  
  2) Yes
  
  3) Ideally yes, but what happens if the dealer goes out of business?
  
  4) Yes, for an extra fee.
  
  5) In addition to the dealer remote control that the article highlights, it looks like the driver needs to enter a dealer provided code every few weeks to keep the car running. Sounds like bad things might happen if the dealership or pay-tech folds and can't provide you with your next week's DRM code.
  
  -In addition, it has an added gps(?) feature to help dealers (and their disgruntled ex-employees) locate cars that they want to repossess. -- Obvious privacy implications to consider.
  [ link to this | view in chronology ]
- Anonymous Coward, 18 Mar 2010 @ 10:57am
  
  Re: Lots of Questions
  Pay Technologies goes out of business and stops transmitting, what happens.
  
  You mean like what would happen if a DRM server went away? Oh, that would never happen! (snort)
  [ link to this | view in chronology ]
A/C, 18 Mar 2010 @ 9:25am

Removal of Boxes
I'm wondering just how often someone good with a screwdriver and a soldering iron just removes the box from a car that he/she purchased in this manner. Seems, like it would go a long ways towards eliminating the problem. If they hooked the box up to a 12 volt power source after removing it, and left it in their garage, that would pretty much make the entire system useless.
[ link to this | view in chronology ]
Mayor Milobar, 18 Mar 2010 @ 10:30am

Ubi-Dealership coming next year
I can't wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car. If at any time you lose connectivity, your vehicle automatically shuts down. But don't worry, the online system saves your state, so as soon as your network connection is re-established your vehicle will resume traveling in the same direction and at the same speed.
[ link to this | view in chronology ]
- Steve R. (profile), 18 Mar 2010 @ 11:18am
  
  Re: Ubi-Dealership coming next year
  Endless permutations!!!
  You wrote: "I can't wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car."
  
  Late on your car payment - car turned off.
  Run a red light - car turned off.
  Late on your maintenance - car turned off
  Auto incident above a certain "G" force - car turned off.
  In car DVD player, unauthorized content - car turned off
  Ford parts installed in a Chevy - car turned off.
  
  Lawyers - $happy$
  [ link to this | view in chronology ]
Anonymous Coward, 7 Apr 2010 @ 9:12am

gay
[ link to this | view in chronology ]
Kevin, 7 May 2010 @ 4:28am

Used Trucks
What id some one purchases a Used trucks for sale and the gadget is installed to it, is it transferable
[ link to this | view in chronology ]
william (profile), 5 Jun 2010 @ 9:58am

BMW Cars
This is a wonderful opinion. The things mentioned are Great and needs to be appreciated by everyone. BMW Cars
[ link to this | view in chronology ]
william (profile), 5 Jun 2010 @ 6:55pm

Car Motorcycle Parts
Thanks for sharing. I learnt a lot from your site. I would also like to share some very useful information with you all.
Car Motorcycle Parts
This is a very good site. Thankyou.
[ link to this | view in chronology ]
daniel lord, 7 Sep 2010 @ 3:33pm

Maybe it would have been a hack if...
Perhaps it would have been a bit more of a hack if he had used pc remote access methods to sneak into the network and then make the changes.
[ link to this | view in chronology ]
Jaqes, 18 Sep 2010 @ 1:50am

Texas Auto Center noticed that someone had been messing around with the information and vehicles of their customers. Thanks to share what was exact story behind it. Machinery for sale
[ link to this | view in chronology ]
Anthony, 31 Jul 2013 @ 3:41am

Funny Guy! Hacking into computer systems!!
This guy was in the wrong profession if he could hack into the database like that!! I was actually looking for posts about buying a new car and found this one! very funny!

If someone is looking to buy a new car here is an interesting article about the best time to buy one I just read http://www.lifedaily.com/when-is-the-best-time-to-buy-a-car/ hope you find it useful too.
A.
[ link to this | view in chronology ]