Disgruntled Ex-Auto Dealer Employee Hacks Computer System To Disable Over 100 Cars

from the welcome-to-the-new-world dept

Ah, the fun of the electronic age. A few years back we started hearing about tools to remotely disable a car. These were talked about as a security system to recover stolen vehicles, but also as a device to put on leased cars, in case they need to be repossessed. Of course, once you put that technology on the car, what's to stop someone from abusing it? Turns out that a disgruntled ex-employee of a car dealership that put such a technology on its cars, was able to log into the computer system using a former co-workers account and then started methodically targeting the cars that used that system:
Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.
Good thing he wasn't fired from a hospital that used internet-connected pacemakers, huh?
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cars, computers, disabled, disgruntled employees


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    mike allen (profile), 18 Mar 2010 @ 2:34am

    mmmm

    revenge is sweet now any one peter mandlesons IP address?

    link to this | view in chronology ]

  • icon
    DevConcepts (profile), 18 Mar 2010 @ 4:26am

    Hack? Don't think so

    Please... Just because he took another users login & password does not make it hacking.

    He was a hack for using his own computer.

    link to this | view in chronology ]

    • icon
      The Infamous Joe (profile), 18 Mar 2010 @ 8:31am

      Re: Hack? Don't think so

      I concur, but by the letter of the law, any access to a system with a password that you aren't authorized to access is lumped under "hacking". It doesn't seem to take into account how access was gained.

      But, now he can tell his friend(s) he's going to jail for being a hacker-- that's some good geek street cred right there. :)

      link to this | view in chronology ]

      • icon
        Money Mike (profile), 18 Mar 2010 @ 9:34am

        Re: Re: Hack? Don't think so

        Listen, I think we can all admit that there is no such thing as "geek street cred." Unless you're talking about cred amongst other geeks, but even that is pretty rare.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Mar 2010 @ 4:43am

    If the people are smart...

    They'll sue the dealership.

    link to this | view in chronology ]

  • identicon
    :), 18 Mar 2010 @ 4:57am

    Causing grief to customers is bad, for me is like spitting on food in a restaurant or worse.

    The guy is blinded by rage and forget he is hurting others that have done nothing against or for him.

    I think the guy should be forced to sit through lengthy lectures about why what he did was wrong or be forced to do community service as he did wrong society and he should make emends somehow.

    link to this | view in chronology ]

  • identicon
    georgied, 18 Mar 2010 @ 5:05am

    Hack? What hack?

    I don't get why every site is headlining this as a hack. Nothing was disassembled or made to do something it wasn't. It was just a disgruntled ex-employee abusing a system, a system which was doing exactly what it was designed to do.

    link to this | view in chronology ]

    • icon
      senshikaze (profile), 18 Mar 2010 @ 6:41am

      Re: Hack? What hack?

      well considering, imho, the popular use of the word "hack" is wrong in essence, this isn't really all that surprising. I really wish they would switch to crack, since hacking doesn't even make sense in most cases it is wrongfully applied. A hack is generally a non-harmful trick to get something done ("I hacked together spare junk for a purpose), whilst cracking is a harmful use of technology(or social engineering in this case) to cause pain or suffering or to perpetrate a criminal act.
      I know plenty of hackers, but know very few crackers.

      link to this | view in chronology ]

      • icon
        Nastybutler77 (profile), 18 Mar 2010 @ 9:47am

        Re: Re: Hack? What hack?

        "I know plenty of hackers, but know very few crackers."

        I prefer "caucasian." Or if you must, "honkey."

        link to this | view in chronology ]

    • identicon
      dan, 18 Mar 2010 @ 10:38am

      Re: Hack? What hack?

      every site should be watching this because its not a safety feature, its a massive technical screw up and were all to blame.computers inside cars dont stop accidents.what they do accomplish is breaking and causing expensive repairs on brand new vehicles that need a tow to a dealership full of idiots that wont even know whats wrong.people have been driving cars without computers for a long time! can you believe that???type that in to your 600$ Idick phone.the best part about all this is young kids believe in technology like its mother nature.yea i said it.....Idick phone.

      link to this | view in chronology ]

      • icon
        Nastybutler77 (profile), 18 Mar 2010 @ 1:29pm

        Re: Re: Hack? What hack?

        Okay, grandpa. How far did you have to walk to school each day? Keep wishing for your "golden era."

        link to this | view in chronology ]

  • icon
    Steve R. (profile), 18 Mar 2010 @ 5:13am

    Only the Beggining

    Technological advancement has its pluses and minuses. Unfortunately, stories such as these make the headlines. The Luddites then start foaming at the mouth with indignation. We need to adapt, not condemn.

    The New York Times, for example, wrote a rather pointless article on how automating (remotely) the reading your electric meter raised privacy concerns. So what. The utility companies have been collecting this data for eons, the only difference is that it is automated and does have a higher "resolution" (real-time versus monthly).

    link to this | view in chronology ]

    • icon
      scarr (profile), 18 Mar 2010 @ 6:46am

      Re: Only the Beggining

      Thank you for highlighting this point. It's fear-mongering.

      One counter-argument I read suggested that the technology was dangerous in case someone had an emergency, and couldn't drive the disabled car. Since when did people get the right to drive vehicles they didn't pay for in emergency situations? That's justifying grand theft, and it's stupid.

      The story demonstrates a problem with the dealer's (and possibly the technology company's, but I don't know for certain) procedure and/or security, not an inherent problem with technology.

      link to this | view in chronology ]

      • icon
        btr1701 (profile), 18 Mar 2010 @ 8:27am

        Re: Re: Only the Beggining

        > That's justifying grand theft, and it's stupid.

        Don't be ridiculous.

        Failing to make a payment (or making a late payment) on a vehicle loan is in no way "grand theft". If it were, the police would be routinely arresting and sending people to prison for it. As it is, the most that can happen is a tow truck shows up and takes the car back.

        It's a simple breach of contract (a civil, not criminal matter). Nothing more.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 18 Mar 2010 @ 10:51am

        Re: Re: Only the Beggining

        That's justifying grand theft, and it's stupid.

        Stupid is trying to claim that being late on a payment is grand theft.

        link to this | view in chronology ]

  • identicon
    Noah Body, 18 Mar 2010 @ 5:22am

    There is a hack, but not in the original sense

    @georgied It's a "hack" because the term has been warped from the act of modification of an object to preform something it wasn't designed to do to meaning doing anything with a computer that is, at the very least, arguably unethical. I can't say I'm a fan of this current definition being a hacker in the old sense myself, but that's where we're at.

    At face value this simply seems a case of possible social engineering since this disgruntled guy used another person's credentials to access a system he wasn't supposed have access to at the time. Sigh... that just shows that any system is insecure thanks to users. However they are a necessary evil. With no users there would be no reason for the system.

    I'm sure I'm preaching to the choir on this one but keep your usernames and passwords yours!

    link to this | view in chronology ]

  • identicon
    John Doe, 18 Mar 2010 @ 5:38am

    Just another reason why

    I love technology, heck I am a computer programmer, but I hate letting anyone other than me have access to my devices. I do not want remote access to my car or anything else. This includes letting the power companies "manage" my energy usage as the greeners would have them do.

    link to this | view in chronology ]

    • icon
      The Infamous Joe (profile), 18 Mar 2010 @ 8:36am

      Re: Just another reason why

      I'm confused. Do you *really* not want remote access to your car, or do you not want *someone else* to have remote access to your car.

      I only ask, because I *do* want the ability to control my car from a remote location. (We'll ignore the fact that I have no real use for this feature.) I think it would be cool. :)

      link to this | view in chronology ]

      • identicon
        John Doe, 18 Mar 2010 @ 9:09am

        Re: Re: Just another reason why

        I do want to control my stuff myself. I do not want anyone else to have the ability to do it.

        link to this | view in chronology ]

  • icon
    K Jeacoma (profile), 18 Mar 2010 @ 5:46am

    See?

    When I was in college, learning network administration, my professor told us on the first day.."You are Gods- and never let them forget it.."

    link to this | view in chronology ]

    • icon
      senshikaze (profile), 18 Mar 2010 @ 6:45am

      Re: See?

      I need to remember that...

      My professor just told us we would all be raging alcoholics within ten years and gave us a chance to back out.

      link to this | view in chronology ]

  • identicon
    zerojj, 18 Mar 2010 @ 6:43am

    wondering why the system doesnt have some controls for this sort of thing, and heck even a way to prevent a single real, authorized employee from going rogue?

    it seems a simple solution to a lot of these issues is to require two authorized users input to shutdown a car

    link to this | view in chronology ]

    • identicon
      John Doe, 18 Mar 2010 @ 9:16am

      Re:

      What is needed is levels of authority. Though it would still be possible to guess the credentials of someone with enough authority. But the number of people with the proper authority should be kept to a bare minimum.

      link to this | view in chronology ]

  • icon
    Coughing Monkey (profile), 18 Mar 2010 @ 7:21am

    we should bring back the buggy whip even if only to whip this guy till his eyes bleed

    link to this | view in chronology ]

  • identicon
    IOERROR, 18 Mar 2010 @ 7:31am

    Funny

    You guys know the first rule if you want to access another computer is to try an obtain a users info right? Just because he didn't brute force crack the password doesn't mean it's not a hack. The end result is the same. He accessed a system he did not have access to, thus he HACKED it.

    link to this | view in chronology ]

    • icon
      Ccomp5950 (profile), 18 Mar 2010 @ 8:29am

      Re: Funny

      1 (and 2) You don't talk about haxxerdom!

      3rd rule is have really cool 3d screen savers playing in the background so it looks like you are doing something others won't understand. Bonus points for physics equations being in there as well.

      link to this | view in chronology ]

  • identicon
    Mike, 18 Mar 2010 @ 8:12am

    Repo's not Hacks.

    Definitely not a "hack", but hilarious still. I read on the original Wired Magazine report of this story that the vehicles were recently featured on http://repofinder.com and some of the buyers were thinking they got ripped off buying lemons from their Credit Unions.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 Mar 2010 @ 8:46am

    Lots of Questions

    1) Are customers informed of this 'feature' when they buy the car?

    2) Are these black boxes removed from cars who don't use dealer financing?

    3) Is the black box removed when the car is paid off? If not, does the dealer's access get revoked somehow?

    4) Does the car owner have access to this feature? Can he disable his car while he's away on vacation as an extra security measure?

    5) Do bad things happen if the car no longer receives signals from the network? e.g. If the owner places a Faraday cage around the thing, or Pay Technologies goes out of business and stops transmitting, what happens. Does the car need a periodic ping to stay alive?

    link to this | view in chronology ]

    • identicon
      Joe Dirt, 18 Mar 2010 @ 9:17am

      Re: Lots of Questions

      Exactly, what kind of fail safes are built into this system?

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Mar 2010 @ 9:43am

      Re: Lots of Questions

      I dug into the product specs to answer my own questions:

      1) Yes

      2) Yes

      3) Ideally yes, but what happens if the dealer goes out of business?

      4) Yes, for an extra fee.

      5) In addition to the dealer remote control that the article highlights, it looks like the driver needs to enter a dealer provided code every few weeks to keep the car running. Sounds like bad things might happen if the dealership or pay-tech folds and can't provide you with your next week's DRM code.

      -In addition, it has an added gps(?) feature to help dealers (and their disgruntled ex-employees) locate cars that they want to repossess. -- Obvious privacy implications to consider.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 Mar 2010 @ 10:57am

      Re: Lots of Questions

      Pay Technologies goes out of business and stops transmitting, what happens.

      You mean like what would happen if a DRM server went away? Oh, that would never happen! (snort)

      link to this | view in chronology ]

  • identicon
    A/C, 18 Mar 2010 @ 9:25am

    Removal of Boxes

    I'm wondering just how often someone good with a screwdriver and a soldering iron just removes the box from a car that he/she purchased in this manner. Seems, like it would go a long ways towards eliminating the problem. If they hooked the box up to a 12 volt power source after removing it, and left it in their garage, that would pretty much make the entire system useless.

    link to this | view in chronology ]

  • identicon
    Mayor Milobar, 18 Mar 2010 @ 10:30am

    Ubi-Dealership coming next year

    I can't wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car. If at any time you lose connectivity, your vehicle automatically shuts down. But don't worry, the online system saves your state, so as soon as your network connection is re-established your vehicle will resume traveling in the same direction and at the same speed.

    link to this | view in chronology ]

    • icon
      Steve R. (profile), 18 Mar 2010 @ 11:18am

      Re: Ubi-Dealership coming next year

      Endless permutations!!!
      You wrote: "I can't wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car."

      Late on your car payment - car turned off.
      Run a red light - car turned off.
      Late on your maintenance - car turned off
      Auto incident above a certain "G" force - car turned off.
      In car DVD player, unauthorized content - car turned off
      Ford parts installed in a Chevy - car turned off.

      Lawyers - $happy$

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Apr 2010 @ 9:12am

    gay

    link to this | view in chronology ]

  • identicon
    Kevin, 7 May 2010 @ 4:28am

    Used Trucks

    What id some one purchases a Used trucks for sale and the gadget is installed to it, is it transferable

    link to this | view in chronology ]

  • icon
    william (profile), 5 Jun 2010 @ 9:58am

    BMW Cars

    This is a wonderful opinion. The things mentioned are Great and needs to be appreciated by everyone. BMW Cars

    link to this | view in chronology ]

  • icon
    william (profile), 5 Jun 2010 @ 6:55pm

    Car Motorcycle Parts

    Thanks for sharing. I learnt a lot from your site. I would also like to share some very useful information with you all.
    Car Motorcycle Parts
    This is a very good site. Thankyou.

    link to this | view in chronology ]

  • identicon
    daniel lord, 7 Sep 2010 @ 3:33pm

    Maybe it would have been a hack if...

    Perhaps it would have been a bit more of a hack if he had used pc remote access methods to sneak into the network and then make the changes.

    link to this | view in chronology ]

  • identicon
    Jaqes, 18 Sep 2010 @ 1:50am

    Texas Auto Center noticed that someone had been messing around with the information and vehicles of their customers. Thanks to share what was exact story behind it. Machinery for sale

    link to this | view in chronology ]

  • identicon
    Anthony, 31 Jul 2013 @ 3:41am

    Funny Guy! Hacking into computer systems!!

    This guy was in the wrong profession if he could hack into the database like that!! I was actually looking for posts about buying a new car and found this one! very funny!

    If someone is looking to buy a new car here is an interesting article about the best time to buy one I just read http://www.lifedaily.com/when-is-the-best-time-to-buy-a-car/ hope you find it useful too.
    A.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.