By on May 25, 2016

Lexus Enform Website Graphic, Image: Lexus

My email address is [email protected], and this XKCD comic is a very real part of my life. Others confuse me for all sorts of other Wallachs out there in the world. I’ve been invited to bachelorette parties in New York, received electronic court filings from Florida, and recently I got something new: an email welcoming me to my new Lexus that invited me to take part in exclusive consumer surveys.

Of course, I didn’t recently purchase a Lexus, and there was no “hey, wrong email address” button anywhere to be found. So what did I do? I “forgot” my password, logged in to someone else’s Lexus account, and figured out who actually owned the Lexus. After all, they’d probably want to know.

[Screenshot: dwallach-lexus]

I’ve obscured the fellow’s personal information, but you can see I had his name, postal address, and phone number. Also present, the VIN for his new Lexus, as well as another he also owns. I believe I could install an app on my phone that would let me remotely mess with his car.

Now I’m the kind of security professional who wears a white hat. I’m here to solve the problem, not create chaos, so I telephoned the guy out of the blue and explained what happened. He agreed to let me write this article so long as I protected his privacy.

Upon hearing this revelation, my doppelgänger was more annoyed than anything, especially since Lexus already has his proper contact information — presumably from when he bought a Lexus the previous time. The fat-fingered dealership staff managed to change his email for both cars at once. Mr. D. didn’t tell me his real email address, but it’s apparently nothing like mine, so this isn’t just an oops. The underpaid data-entry clerk probably just didn’t care and made one up.

What are the consequences of this screw-up? For Mr. D., he now gets to make an irate phone call to the Lexus customer support line.

But what if I were malicious rather than helpful?

Lexus Enform has all sorts of services on its website, some of which seem to allow me to compromise Mr. D.’s privacy, and others (that app thing) which might even allow me to remotely unlock and/or start the car (depending on specific features available on specific cars, yadda yadda).

This issue certainly goes well beyond Lexus. Plenty of car manufacturers are getting into the “connected car services” arena — it’s what the millennials want! — leaving plenty of opportunity for a screwed-up data entry at a car dealership to lead to downstream problems. Those problems could include theft (as above) or just a consumer unable to make their “connected services” work properly. (“I tried installing the app, but it doesn’t work!”) That will, in turn, lead to more irate calls to dealerships, and, no doubt, damage the J.D. Power satisfaction data.
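The account-binding failure described above, as an added example (not Lexus’s code or the author’s): a minimal account model in which an address typed in by a dealership is held as unverified, the owner’s previously verified address stays in force, a change requires a token from both the new and the old mailbox, and password reset only ever goes to the verified address. The account fields, token scheme and VIN placeholders are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key"


@dataclass
class Account:
    owner_name: str
    vins: list                               # VINs bound to this account (placeholders)
    verified_email: Optional[str] = None     # address the owner has proven control of
    pending_email: Optional[str] = None      # address entered by a dealer, not yet confirmed
    pending_token: Optional[str] = None      # mailed to the pending address
    owner_ack_token: Optional[str] = None    # mailed to the already-verified address


def _canon(email: str) -> str:
    """Normalise an address before storing or comparing it."""
    return email.strip().lower()


def _token_for(email: str, nonce: str) -> str:
    """One-time token bound to the exact address it is mailed to."""
    return hmac.new(SERVER_KEY, f"{email}\n{nonce}".encode(), hashlib.sha256).hexdigest()


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison of two tokens."""
    return hmac.compare_digest(a.encode(), b.encode())


def dealer_sets_email(acct: Account, email: str) -> Tuple[str, Optional[str]]:
    """A dealership enters (or mistypes) an address. It becomes *pending*; the
    verified address is untouched. Two tokens are issued: one for the new
    mailbox and, if the owner already has a verified address, one for that
    mailbox. A wrong recipient of the first mail never sees the second."""
    acct.pending_email = _canon(email)
    nonce = secrets.token_hex(16)
    acct.pending_token = _token_for(acct.pending_email, nonce)
    acct.owner_ack_token = _token_for(acct.verified_email, nonce) if acct.verified_email else None
    return acct.pending_token, acct.owner_ack_token


def confirm_email(acct: Account, token: str, owner_ack: Optional[str] = None) -> bool:
    """Promote the pending address only when the new-mailbox token is presented
    and, where an owner already exists, the owner's acknowledgement token too."""
    if acct.pending_token is None or not _eq(token, acct.pending_token):
        return False
    if acct.owner_ack_token is not None:
        if owner_ack is None or not _eq(owner_ack, acct.owner_ack_token):
            return False
    acct.verified_email = acct.pending_email
    acct.pending_email = acct.pending_token = acct.owner_ack_token = None
    return True


def request_password_reset(acct: Account, email: str) -> str:
    """'Forgot password' mails the verified address only; a pending address,
    whether mistyped by a clerk or supplied by a stranger, is never honoured."""
    if acct.verified_email is None or _canon(email) != acct.verified_email:
        return "denied"
    return "reset link sent to verified address"


def connected_services_enabled(acct: Account) -> bool:
    """Remote features (the phone app) stay off until some address is verified."""
    return acct.verified_email is not None
```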

As it turns out, making any two gadgets play nicely together is a difficult problem. If you’ve installed any “Internet of Things” gadgets in your house, then you’ve dealt with this first-hand. For example, Nest Protect fire alarms make you scan a QR code printed on the side of the device, while Ring video doorbells make you press a special orange “setup” button on their back. Then you get to re-enter your WiFi password so it can be transferred over. (Yes, your phone already knows your WiFi password, but apps aren’t allowed to ask for it due to security reasons, so you get to type it a second time.) Even something that should be straightforward, like pairing your phone’s Bluetooth with a rental car, is often an exercise in frustration.

Car manufacturers want to offer a seamless new car experience, but they’re moving into a territory where they need to thread the needle between usability and security. They want your email address for a variety of purposes, both to market new products and services to you, and to “connect” your car to your corresponding online account. With this, they’re hoping to differentiate their cars with cool new features, such as Mercedes’s ability to send a message to Nest that you’re arriving at your house, so it can turn on your air conditioning before you walk in the door. Treat that as a preview of coming attractions. If you sell me your old Mercedes, and I drive by your house, will it still start up your air conditioning?

From the experts I’ve spoken to, car manufacturers are now taking security threats seriously. GM, for example, finally fixed the security vulnerabilities in its OnStar system that allowed anybody to remotely start and steal any of its cars. (I wrote about this for TTAC in 2011.) Automotive manufacturers, for the most part, now recognize that all the shiny electronic goodness they’re adding to their “connected cars” creates a variety of risks for car owners. The process of hardening software systems is ultimately going to impact everything about what it means to buy and operate a car. For example, when I bought my Tesla from a friend, we went through a complicated dance to convince Tesla that it was now mine, so I’d then be able to hook the phone app to my car. That dance will be unique to every marque, but they’ll all need to have it. Everybody dance now!

Prediction: in the next 5 years, we’ll see a class action lawsuit and/or government regulatory action against a car manufacturer whose poor computer security practices enable the bulk theft of its cars. This isn’t exactly the same sort of problem as having emissions “defeat devices,” but it’s important to make sure that fat-fingered or lazy dealership employees are not the weak link in the chain of security features on our cars.


58 Comments on “Stupidity, Laziness Are Connected Car Security’s Weak Links...”


  • avatar
    CoreyDL

    The -most- stupid and lazy thing is owning a Lexus while simultaneously not having figured out how to wear a blazer.

    • 0 avatar
      Macca

      Seriously, the bottom button? Seems like someone involved would know better. And I am serious (hope you were, too).

      • 0 avatar
        CoreyDL

        Yes, serious!

        My brother’s wedding a few weeks ago – all the dudes in the wedding buttoned all their vest buttons, and both jacket buttons.

        I walk in for family picture time. “That is wrong, lowest button unbuttoned on both.”

        My aunt (emphatically) “That looks stupid! It looks much better with them all buttoned.”

        Me *shrug* “Suit yourself, it IS wrong.”

        • 0 avatar
          S2k Chris

          “Always – Sometimes – Never”. It’s science.

          • 0 avatar
            Coopdeville

            I thought it was “sometimes, always, never” if referring to 3 button.

            And @Corey: I am disappoint. I had you pegged as a defier of convention.

          • 0 avatar
            CoreyDL

            I defy convention in other ways [namely of not being “of” my generation], but not in suiting.

          • 0 avatar
            28-Cars-Later

            I don’t like that three buttoned sh*t, and can’t fathom four. Why not just wear a cape mofos?

          • 0 avatar
            CoreyDL

            Three-button is for shiny suit Baptists going to church only. Or pimps.

        • 0 avatar
          Sigivald

          I want to be fabulously wealthy and famous so I can undo Edward VII’s damage and bring back suits tailored for full buttoning.

          Just because one King of England was fat and couldn’t button his suits up all the way a century ago doesn’t mean we should be cursed with useless dangling buttons until the end of time.

          Ah, well.

          • 0 avatar
            CoreyDL

            You want the leggings back as well? Those were quite fitted! And those heeled shoes.

          • 0 avatar
            DrSandman

            Aye, you are correct. I will not yield to the prevailing sloppiness that is unbuttoned buttons because of some fat king some 100 years ago. We liberty-lovers went to war and stuff to not have to listen to some fat king’s stupid edicts about which buttons to button.

            Besides, those of us still with washboard-abs in our 40’s deserve to show them off with a properly fitting and tailored suit, not a blazer that’s leftover from some beer-stained college formal.

    • 0 avatar
      turf3

      There’s also the fact that wearing a coat that’s too small makes you look like you haven’t bought new clothes since high school.

  • avatar
    CoreyDL

    I’ve got a few emails for some guy named Chris who lives in WA. I got invited (by Jeremy) to a randy houseboat party there. My inclination was to mess with the sender of the email intensely, but I didn’t. Jeremy sounded like a wank.

    “Hey Chris,

    Scott said you were interested in joining in our houseboat adventure. It’s a bachelor party for my little brother, should be good times. I can provide more info if you want but the basics are it’s from June 27-30, Friday-Monday it’s $367 per person with $36 due back from the security deposit. The boat is on Lake Roosevelt, there will be 14 of us and it should be pure debauchery. Check out the link to the boat, it’s pretty sick. Let me know if you have any questions about anything.

    Send check to:
    Jeremy D——
    2### F——-
    Renton, WA 98059”

    Jeremy’s an engineer, so he should probably stop talking bro like that.

    • 0 avatar
      28-Cars-Later

      No mention of strippers, what sort of bachelor party consists of guys on a boat?

    • 0 avatar
      tresmonos

      heyyy, what’s wrong with talking bro?

      Also, ‘pure debauchery’ on a large boat is pretty sick. If you haven’t partaken, I highly recommend that you do.

      • 0 avatar
        28-Cars-Later

        I’m not sure what “pure debauchery” consists of on a boat, but I have had my share of drinks on one. I just feel a bachelor party needs to include strippers and/or hookers, or failing that, available drunk women.

        • 0 avatar
          tresmonos

          We had a bachelor party on the Lake of the Ozarks last year. We had moored to drink a few beers when a mostly destroyed rental cabin cruiser pulled up and tied off next to us with two strippers that had ‘performed’ the previous night. They had decided to just hang out and party with the customers the next day.

          I felt nothing but pure joy for being held witness to ‘pure debauchery’ that day.

      • 0 avatar
        CoreyDL

        I suspect I am only ready for 75% debauchery on a boat. But 14 drunk dudes on an ’80s boat with five beds sounds super awesome for three days.

    • 0 avatar
      Scoutdude

      That is a pretty spendy neighborhood Jeremy is renting in. I used to live in Renton and still own a couple of properties not that far from that address, so I know that naming and numbering scheme, and it didn’t take long to narrow it down to 2 cul-de-sacs where he could potentially live based on that partial address.

      • 0 avatar
        CoreyDL

        Haha, nice. I looked at the address when I initially got the email, thought it was quite ugly.

        He also sent this “debauchery” email from his work email account – so I have his title and employer as well. Not smart, beyond generally sending personal emails from work accounts.

        House last sold in 07, so yeah I’d say renting. It’s very generic inside since the listing photos are still up. It is indeed a cul-de-sac. Little short one. Houses there are shockingly expensive for what you’re getting, jeebus.

        • 0 avatar
          Scoutdude

          Yeah prices in the greater Seattle area are pretty high and that particular neighborhood got a good boost from the houses that were built around it later.

  • avatar
    MrGreenMan

    It’s one of those problems of the age that there’s no real incentive to solve. The per-incident cost is largely random and small whereas fixing it would be not small and not random.

    I’ve had a guy for six months using my email address – first name, middle initial, last name – and I still don’t know who he really is. He has a much more interesting life than me. Just completed a tour of duty in the military. Looking for work in the Texarkana region. Converted his time in service to Uncle Sam into college credit from his officer leadership program. Apparently had a C5 Corvette and wrecked that mother. His kid apparently really wants to play some games but can’t get parental approval. All the phone company emails never have his actual phone number on them, and, if I try to contact them, the nice man from another country explains I have to prove I’m him before they’ll listen to how I’m not him, and he does this for my security.

    • 0 avatar
      heavy handle

      “It’s one of those problems of the age that there’s no real incentive to solve.”

      It’s a problem that’s been solved, but some companies think they can save a few bucks by re-inventing the wheel. I remember reading the details of one of the many Sony hacks and thinking “how come they didn’t get hacked sooner?” They probably did get hacked sooner, but the first 5,000 people to get in didn’t brag about it.

    • 0 avatar
      Sigivald

      “the nice man from another country explains I have to prove I’m him before they’ll listen to how I’m not him, and he does this for my security.”

      Ah, policy.

      “Yeah, look. How about you guys who have his phone number CALL HIM and tell him about this, yourselves?”

  • avatar
    RHD

    The tech thing is a sort of we-have-to-do-it-because-the-competition-is-doing-it sort of situation.
    The more tech is added to cars (and doorbells, and refrigerators, and picture frames), the more room there is for viruses, glitches, frustration and hacking. Clever teenagers will doorbell-ditch the neighbors from their smartphones.
    It’s made to do things we already know how to do, such as remember to buy a gallon of milk or turn on the A/C.
    Really, we don’t need any of this crap.

    • 0 avatar
      turf3

      I wish I could buy a nice car with leather seats and other amenities, that just opens and starts with a freaking key. I have a car that unlocks itself if I walk up to it and touch a certain spot on the door handle. So if I am not sure whether I locked it, I can no longer just walk up to the car and tug on the handle, because it unlocks itself during the act of checking whether I locked it.

      I don’t want my car to have an iota more intelligence than it needs to run the emission, ignition, and fuel mixture controls.

      I think there ought to be a “delete infotainment and unconvenience boondoggles” option. I would pay extra for it.

      The whole concept of automating things like home thermostats boggles the mind. Is it that people are so stupid that they don’t know whether they’re hot or cold, or is it that they’re so lazy they can’t walk across the room and rotate the little dial toward either “hotter” or “colder”?

      If I come home and it’s hot, I will use nature’s own air-conditioning system until the house’s AC system gets going. It’s called “sweat”.

      If you run out of one particular kind of food, you don’t need a “connected fridge” to tell you. Either run down to the store to get some, write it on the list for this week’s trip, or eat something else. If you have the money to have a “smart refrigerator”, I can guarantee you have enough uneaten food in your kitchen to live on for days if not weeks.

    • 0 avatar
      Kyree S. Williams

      We’ve crossed the threshold from useful things (like ABS, keyless entry and side-curtain airbags) to gadgets and gee-whiz features; you’re right. However, I don’t see that trend coming to a close anytime soon, chiefly because—like you said—if you don’t do it, your competition will.

      That said, these aren’t clever exploits. A lot of these car-hacking debacles are due to basic web security no-nos that industry professionals outside the automotive community would never commit. And that’s bad because gaining control of or access to someone’s car is quite different from getting into his XTube account.

      In a way, that makes sense. Up to now, automakers’ security measures have mostly consisted of “hackers can’t do anything because they can’t access the physical OBD-II port inside the car.” But now these cars have modules connecting directly to the Internet, where anything goes. And those Internet-enabled modules are plugged into the car’s CANBUS. Security should be paramount.

      • 0 avatar
        redav

        “these aren’t clever exploits. A lot of these car-hacking debacles are due to basic web security no-nos that industry professionals outside the automotive community would never commit.”

        No matter how much Ford et al think they are tech companies, they aren’t. Years ago when Ford was getting (rightly) crucified for the myriad of deficiencies in MFT, I had a conversation with a Ford engineer who genuinely said all the problems were because consumers were too stupid to use it and they have no idea how hard it is to program infotainment systems.

        That’s straight-up incompetence, and it’s no wonder those folks produced garbage.

  • avatar
    qfrog

    I did something similar because some guy with my name in another state used my email addy for his utility company account. I wanted to be sure it wasn’t identity theft so I took control of the website account and then called the utility provider and told them the password and asked if my SSN was being used for the account. I asked them to contact their customer and ascertain his correct email address.

    This is only the latest annoyance. I’ve had to deal with plenty of emails which are sent to a long list of folks and I just happen to be on the list. Those are usually religious based.

    Last year I was receiving the service department emails for a customer at an Audi dealership 50 miles from where I live. I contacted their service dept but they did nothing about it. I replied to somebody higher up in sales and he did nothing about it.

    Having a respectable @gmail.com email address can be a nuisance.

    • 0 avatar
      Kyree S. Williams

      Fortunately, mine is on my own domain and I have an unusual name, so I’ve never had that issue. But I can see how it would be a problem if you have an email address that might easily be guessed.

      • 0 avatar
        sgeffe

        I can’t imagine what someone named “John Smith” would do!

        First, try to make up an E-Mail Address on ANY provider!

        Then, once that’s done, endless “wrong numbers” such as described!

        Unlikely I’ll ever have that issue, and I feel for those who do!

  • avatar
    bricoler1946

    Hey Corey,give him a break,maybe it was cold out.

    • 0 avatar
      CoreyDL

      There are many suitable overcoats in varying thickness available for the choosing.

      • 0 avatar
        Drzhivago138

        Apparently, it’s considered kinda out-there but still “in line” with the rules to put a button on the reverse of one lapel, so it can be folded over and buttoned into the hole on the other lapel, for those rare times when it’s too blustery for just a jacket, but not cold enough for an overcoat. I did this with an old jacket once, and although the end result looked pretty wonky (kinda Mao jacket-esque), I was warmer.

        • 0 avatar
          CoreyDL

          I don’t think I’ve seen that sort of button arrangement before. If said button made the lapel not lie flat, I would end up purchasing a different jacket.

  • avatar
    SlowMyke

    I’d be careful in a situation like this. I think the author should have called Lexus directly instead of the owner of the cars. In this litigious day and age, he contacted someone and admitted to intentionally hacking into his account to gain access to personal information. The real Lexus owner seems to have taken the situation kindly, but he could have not. He could be sue-happy. Maybe he just had his car or home broken into. Or maybe he could have misread someone cold-calling him saying “hey I changed your password, got your personal information, and could really mess things up for you, but I swear I just want to write a blog about it.”

    I’m no lawyer myself, but that seems like an awful lot of liability to open yourself up to just to make a point. Especially when you could have informed Lexus of their error and not directly identified yourself to the individual you hacked.

    • 0 avatar

      I did give some thought to this. Suffice to say that my primary motive was to do the right thing by Mr. D.

      Meanwhile, you’ll have to excuse me. I’m getting a mess of texts from Twitter because somebody is failing to hack into my account there.

  • avatar
    Grenade

    I have the same dang problem with my gmail account. I get all kinds of stupid crap.

    This all sounds like a list of spam, but they were human generated emails to someone that shouldn’t be me, and no way to unsubscribe.

    University syllabus
    Car dealership quotes
    Retreat schedules
    Package delivery times

    Once I got a medical test report for a lady in Kentucky. It had so much PII data on there it was scary. So I called her up and let her know what was going on. I explained it about 5 times and it kept going over her head. And I feel like I can translate fairly technical knowledge to less technical people very well (it is my job after all).

  • avatar
    05lgt

    Hey Dan. I have a request regarding your posts to TTAC. Could you be more prolific? You hit the sweet spot between informing, alarming, entertaining and amusing.

    • 0 avatar

      Thanks! I figure that my niche at TTAC is talking about what happens when computers get stuck inside cars, since I’m a computer guy first and a car guy second. So when the muse strikes me, you’ll know it first.

  • avatar
    yankinwaoz

    As a rule of thumb, I use a clever feature Gmail offers to protect myself against vendor incompetence and evil.

    Gmail lets you add a “+” sign to the user part of the address, and anything after that they throw away.

    For example: Let’s say my gmail address is [email protected]
    Then when I register my car at Lexus, I use [email protected]

    When Lexus sends me an email, Google ignores the +lexus, and sends it to my [email protected] account. This lets me set up a filter in Gmail to send anything sent to that address to a folder, the trash, or whatever.

    However, I would not use +lexus. I would use a random string such as ‘+hh62sdf’ so that someone wouldn’t be able to easily guess what I have done.

    Now here is where that protects you. Let’s say someone knows my real email address ([email protected]) and they want to get into my Lexus account. They go to the “lost password” section and try “[email protected]”. Guess what? It doesn’t work. That is because Lexus doesn’t know what [email protected] is. They only know [email protected]

    It’s not perfect. But it will slow down a hacker and perhaps make them move on to easier targets.

    Another benefit is that this method lets me know who sold my email address to spammers. If I get an email sent to [email protected] from a Nigerian prince, then I know that Lexus either (a) lost their data, or (b) sold their data.

    Now… not all vendors will let you use an email address with a plus sign in it. Which pisses me off to no end. Looking at you, Wells Fargo. There is nothing wrong with that address. But they refuse to let me do that.
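An added illustration of the leak-attribution half of this scheme (not part of yankinwaoz’s comment): a small filter that resolves a tagged Gmail address the way Gmail delivers it (case folded, dots in the local part ignored, everything after the plus stripped) and flags mail to a vendor’s private tag that arrives from an unrelated domain. The tags, vendor domains and inbound messages are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the random tag handed to each vendor and the domain its
# legitimate mail should come from. In practice this is the owner's private list.
ISSUED_TAGS: Dict[str, Tuple[str, str]] = {
    "hh62sdf": ("Lexus", "lexus.example"),
    "q9p3lm2": ("Utility company", "utility.example"),
}

# Gmail local part: letters, digits and dots, followed by an optional "+tag".
GMAIL_RE = re.compile(r"^([a-z0-9.]+)(?:\+([^@]*))?@gmail\.com$", re.IGNORECASE)


def split_gmail(address: str) -> Optional[Tuple[str, str]]:
    """Return (mailbox, tag) as Gmail resolves delivery: case folded, dots in
    the local part ignored, and everything after '+' separated out as the tag."""
    m = GMAIL_RE.match(address.strip())
    if m is None:
        return None
    return m.group(1).replace(".", "").lower(), (m.group(2) or "")


def classify(rcpt: str, sender: str) -> Tuple[str, str]:
    """Classify one inbound message by the tag it was addressed to.
    Returns (verdict, vendor). 'leaked' means a vendor-specific tag received
    mail from an unrelated domain, the signal the comment above relies on."""
    parsed = split_gmail(rcpt)
    if parsed is None:
        return "not-gmail", ""
    _, tag = parsed
    if not tag:
        return "untagged", ""
    issued = ISSUED_TAGS.get(tag)
    if issued is None:
        # A tag never handed out: a guessed or mistyped sub-address.
        return "unknown-tag", ""
    vendor, domain = issued
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain == domain or sender_domain.endswith("." + domain):
        return "expected", vendor
    return "leaked", vendor


# Constructed inbound messages: (recipient, sender, subject).
SAMPLE_MESSAGES = [
    ("Me+hh62sdf@gmail.com", "enform@lexus.example", "Welcome to your new Lexus"),
    ("me+hh62sdf@gmail.com", "prince@lottery.example", "URGENT business proposal"),
    ("m.e@gmail.com", "friend@example.net", "Lunch?"),
    ("me+lexus@gmail.com", "someone@example.org", "Password reset"),
]


def triage(messages=SAMPLE_MESSAGES) -> List[Tuple[str, str, str]]:
    """Run classify() over a batch and return (subject, verdict, vendor) rows."""
    return [(subj, *classify(rcpt, sender)) for rcpt, sender, subj in messages]
```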

  • avatar
    mcs

    As far as I can tell, none of the automakers have offered a bug bounty program similar to organizations like Uber and the Department of Defense. I’m a member of the network of security researchers that DoD and other organizations have used, and GM is the only automaker that has even published a reporting policy with us. Even without the bounty, GM is getting results – I was able to pull up several reports.

    Uber is probably the best at proactively hunting for security holes. They published nice bounties for different types of bugs. Critical issues are $10,000. If the automakers are serious about security, they need to join a bounty program. Uber even gave us pointers as to where they thought there might be issues. So, if you are an OEM that’s concerned about security, talk to Uber and let them show you what they are doing. They’re the best right now.

    • 0 avatar

      Tesla also has a bug bounty program. I’m a big supporter of these sorts of programs. Heck, I’ve had friends who’ve lived off the income from these things. The challenge, as in all things security-related, is designing it right from the beginning, and if not that, being able to evolve your design. It’s pretty easy for Tesla to push new firmware to their entire fleet of cars. It’s much harder for the other automakers.

      https://bugcrowd.com/tesla

  • avatar
    maserchist

    Someday a smart car will be designed. As an end time boomer, I will be long dead by then.
