Disgruntled Ex-Auto Dealer Employee Hacks Computer System To Disable Over 100 Cars

from the welcome-to-the-new-world dept

Ah, the fun of the electronic age. A few years back we started hearing about tools to remotely disable a car. These were talked about as a security system to recover stolen vehicles, but also as a device to put on leased cars, in case they need to be repossessed. Of course, once you put that technology on the car, what's to stop someone from abusing it? Turns out that a disgruntled ex-employee of a car dealership that put such a technology on its cars was able to log into the computer system using a former co-worker's account, and then started methodically targeting the cars that used that system:

Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.

Good thing he wasn't fired from a hospital that used internet-connected pacemakers, huh?


Reader Comments

  1.  
    mike allen (profile), Mar 18th, 2010 @ 2:34am

    mmmm

    Revenge is sweet. Now, anyone have Peter Mandelson's IP address?

     

  2.  
    Anonymous Coward, Mar 18th, 2010 @ 2:52am

    Re: mmmm

    Does his car have remote connection? Now that would be fun!

     

  3.  
    DevConcepts (profile), Mar 18th, 2010 @ 4:26am

    Hack? Don't think so

    Please... Just because he took another user's login & password does not make it hacking.

    He was a hack for using his own computer.

     

  4.  
    Anonymous Coward, Mar 18th, 2010 @ 4:43am

    If the people are smart...

    They'll sue the dealership.

     

  5.  
    :), Mar 18th, 2010 @ 4:57am

    Causing grief to customers is bad; for me it is like spitting on food in a restaurant, or worse.

    The guy is blinded by rage and forgets he is hurting others that have done nothing against or for him.

    I think the guy should be forced to sit through lengthy lectures about why what he did was wrong or be forced to do community service, as he did wrong to society and he should make amends somehow.

     

  6.  
    georgied, Mar 18th, 2010 @ 5:05am

    Hack? What hack?

    I don't get why every site is headlining this as a hack. Nothing was disassembled or made to do something it wasn't. It was just a disgruntled ex-employee abusing a system, a system which was doing exactly what it was designed to do.

     

  7.  
    Steve R. (profile), Mar 18th, 2010 @ 5:13am

    Only the Beginning

    Technological advancement has its pluses and minuses. Unfortunately, stories such as these make the headlines. The Luddites then start foaming at the mouth with indignation. We need to adapt, not condemn.

    The New York Times, for example, wrote a rather pointless article on how automating (remotely) the reading of your electric meter raised privacy concerns. So what. The utility companies have been collecting this data for eons; the only difference is that it is automated and does have a higher "resolution" (real-time versus monthly).

     

  8.  
    Noah Body, Mar 18th, 2010 @ 5:22am

    There is a hack, but not in the original sense

    @georgied It's a "hack" because the term has been warped from the act of modification of an object to perform something it wasn't designed to do to meaning doing anything with a computer that is, at the very least, arguably unethical. I can't say I'm a fan of this current definition, being a hacker in the old sense myself, but that's where we're at.

    At face value this simply seems a case of possible social engineering, since this disgruntled guy used another person's credentials to access a system he wasn't supposed to have access to at the time. Sigh... that just shows that any system is insecure thanks to users. However they are a necessary evil. With no users there would be no reason for the system.

    I'm sure I'm preaching to the choir on this one but keep your usernames and passwords yours!

     

  9.  
    John Doe, Mar 18th, 2010 @ 5:38am

    Just another reason why

    I love technology, heck I am a computer programmer, but I hate letting anyone other than me have access to my devices. I do not want remote access to my car or anything else. This includes letting the power companies "manage" my energy usage as the greeners would have them do.

     

  10.  
    K Jeacoma (profile), Mar 18th, 2010 @ 5:46am

    See?

    When I was in college, learning network administration, my professor told us on the first day.."You are Gods- and never let them forget it.."

     

  11.  
    senshikaze (profile), Mar 18th, 2010 @ 6:41am

    Re: Hack? What hack?

    Well, considering, imho, the popular use of the word "hack" is wrong in essence, this isn't really all that surprising. I really wish they would switch to crack, since hacking doesn't even make sense in most cases it is wrongfully applied. A hack is generally a non-harmful trick to get something done ("I hacked together spare junk for a purpose"), whilst cracking is a harmful use of technology (or social engineering in this case) to cause pain or suffering or to perpetrate a criminal act.
    I know plenty of hackers, but know very few crackers.

     

  12.  
    zerojj, Mar 18th, 2010 @ 6:43am

    wondering why the system doesn't have some controls for this sort of thing, and heck even a way to prevent a single real, authorized employee from going rogue?

    it seems a simple solution to a lot of these issues is to require two authorized users' input to shut down a car

     

  13.  
    senshikaze (profile), Mar 18th, 2010 @ 6:45am

    Re: See?

    I need to remember that...

    My professor just told us we would all be raging alcoholics within ten years and gave us a chance to back out.

     

  14.  
    scarr (profile), Mar 18th, 2010 @ 6:46am

    Re: Only the Beginning

    Thank you for highlighting this point. It's fear-mongering.

    One counter-argument I read suggested that the technology was dangerous in case someone had an emergency, and couldn't drive the disabled car. Since when did people get the right to drive vehicles they didn't pay for in emergency situations? That's justifying grand theft, and it's stupid.

    The story demonstrates a problem with the dealer's (and possibly the technology company's, but I don't know for certain) procedure and/or security, not an inherent problem with technology.

     

  15.  
    Coughing Monkey (profile), Mar 18th, 2010 @ 7:21am

    we should bring back the buggy whip even if only to whip this guy till his eyes bleed

     

  16.  
    IOERROR, Mar 18th, 2010 @ 7:31am

    Funny

    You guys know the first rule if you want to access another computer is to try and obtain a user's info, right? Just because he didn't brute force crack the password doesn't mean it's not a hack. The end result is the same. He accessed a system he did not have access to, thus he HACKED it.

     

  17.  
    Mike, Mar 18th, 2010 @ 8:12am

    Repo's not Hacks.

    Definitely not a "hack", but hilarious still. I read on the original Wired Magazine report of this story that the vehicles were recently featured on http://repofinder.com and some of the buyers were thinking they got ripped off buying lemons from their Credit Unions.

     

  18.  
    btr1701 (profile), Mar 18th, 2010 @ 8:27am

    Re: Re: Only the Beginning

    > That's justifying grand theft, and it's stupid.

    Don't be ridiculous.

    Failing to make a payment (or making a late payment) on a vehicle loan is in no way "grand theft". If it were, the police would be routinely arresting and sending people to prison for it. As it is, the most that can happen is a tow truck shows up and takes the car back.

    It's a simple breach of contract (a civil, not criminal matter). Nothing more.

     

  19.  
    Ccomp5950 (profile), Mar 18th, 2010 @ 8:29am

    Re: Funny

    1 (and 2) You don't talk about haxxerdom!

    3rd rule is have really cool 3d screen savers playing in the background so it looks like you are doing something others won't understand. Bonus points for physics equations being in there as well.

     

  20.  
    The Infamous Joe (profile), Mar 18th, 2010 @ 8:31am

    Re: Hack? Don't think so

    I concur, but by the letter of the law, any access to a system with a password that you aren't authorized to access is lumped under "hacking". It doesn't seem to take into account how access was gained.

    But, now he can tell his friend(s) he's going to jail for being a hacker-- that's some good geek street cred right there. :)

     

  21.  
    The Infamous Joe (profile), Mar 18th, 2010 @ 8:36am

    Re: Just another reason why

    I'm confused. Do you *really* not want remote access to your car, or do you not want *someone else* to have remote access to your car?

    I only ask, because I *do* want the ability to control my car from a remote location. (We'll ignore the fact that I have no real use for this feature.) I think it would be cool. :)

     

  22.  
    Anonymous Coward, Mar 18th, 2010 @ 8:46am

    Lots of Questions

    1) Are customers informed of this 'feature' when they buy the car?

    2) Are these black boxes removed from cars who don't use dealer financing?

    3) Is the black box removed when the car is paid off? If not, does the dealer's access get revoked somehow?

    4) Does the car owner have access to this feature? Can he disable his car while he's away on vacation as an extra security measure?

    5) Do bad things happen if the car no longer receives signals from the network? e.g. If the owner places a Faraday cage around the thing, or Pay Technologies goes out of business and stops transmitting, what happens? Does the car need a periodic ping to stay alive?

     

  23.  
    John Doe, Mar 18th, 2010 @ 9:09am

    Re: Re: Just another reason why

    I do want to control my stuff myself. I do not want anyone else to have the ability to do it.

     

  24.  
    John Doe, Mar 18th, 2010 @ 9:16am

    Re:

    What is needed is levels of authority. Though it would still be possible to guess the credentials of someone with enough authority. But the number of people with the proper authority should be kept to a bare minimum.

     

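The controls suggested in comments 12 and 24 above (two authorized users per shutdown, a small set of people with approval authority), plus an hourly cap on how many cars one login can target, as an added sketch that is not from the article, the dealership or the device vendor. Every class, role name and threshold in it is hypothetical, and the customer list is constructed.

```python
import time
from dataclasses import dataclass, field

# Hypothetical roles and limits; nothing here reflects the real dealer portal.
APPROVER_ROLES = {"collections_manager"}
MAX_REQUESTS_PER_HOUR = 5  # constructed threshold

@dataclass
class User:
    name: str
    role: str

@dataclass
class DisableGate:
    pending: dict = field(default_factory=dict)  # vehicle_id -> requester name
    history: dict = field(default_factory=dict)  # requester name -> request times
    audit: list = field(default_factory=list)    # (actor, action, vehicle, outcome)

    def _log(self, actor, action, vehicle_id, outcome):
        self.audit.append((actor.name, action, vehicle_id, outcome))
        return outcome

    def request(self, user, vehicle_id, now=None):
        """Queue a disable request; nothing is sent to the car yet."""
        now = time.time() if now is None else now
        recent = [t for t in self.history.get(user.name, []) if now - t < 3600]
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            return self._log(user, "request", vehicle_id, "denied: rate limit")
        self.history[user.name] = recent + [now]
        self.pending[vehicle_id] = user.name
        return self._log(user, "request", vehicle_id, "pending")

    def approve(self, user, vehicle_id):
        """A second, distinct user with an approver role releases the command."""
        requester = self.pending.get(vehicle_id)
        if requester is None:
            return self._log(user, "approve", vehicle_id, "denied: no request")
        if user.role not in APPROVER_ROLES:
            return self._log(user, "approve", vehicle_id, "denied: not an approver")
        if user.name == requester:
            return self._log(user, "approve", vehicle_id, "denied: same user")
        del self.pending[vehicle_id]
        return self._log(user, "approve", vehicle_id, "disabled")

def simulate_sweep():
    """One borrowed clerk login walks a constructed, alphabetical customer list."""
    gate = DisableGate()
    clerk = User("clerk01", "sales")
    manager = User("mgr01", "collections_manager")
    customers = ["adams", "baker", "clark", "davis", "evans", "frank", "green", "hill"]
    requests = [gate.request(clerk, c, now=1000.0 + i) for i, c in enumerate(customers)]
    self_approve = gate.approve(clerk, "adams")     # requester cannot approve
    second_person = gate.approve(manager, "adams")  # legitimate two-person flow
    return requests, self_approve, second_person, gate

if __name__ == "__main__":
    requests, self_approve, second_person, gate = simulate_sweep()
    print(requests, self_approve, second_person, len(gate.audit))
```

With a borrowed but still-valid login, the sweep stalls at five queued requests and no car is disabled until a different, authorized person approves each one; the audit list records every attempt either way.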

  25.  
    Joe Dirt, Mar 18th, 2010 @ 9:17am

    Re: Lots of Questions

    Exactly, what kind of fail safes are built into this system?

     

  26.  
    A/C, Mar 18th, 2010 @ 9:25am

    Removal of Boxes

    I'm wondering just how often someone good with a screwdriver and a soldering iron just removes the box from a car that he/she purchased in this manner. Seems like it would go a long way towards eliminating the problem. If they hooked the box up to a 12 volt power source after removing it, and left it in their garage, that would pretty much make the entire system useless.

     

  27.  
    Money Mike (profile), Mar 18th, 2010 @ 9:34am

    Re: Re: Hack? Don't think so

    Listen, I think we can all admit that there is no such thing as "geek street cred." Unless you're talking about cred amongst other geeks, but even that is pretty rare.

     

  28.  
    Anonymous Coward, Mar 18th, 2010 @ 9:43am

    Re: Lots of Questions

    I dug into the product specs to answer my own questions:

    1) Yes

    2) Yes

    3) Ideally yes, but what happens if the dealer goes out of business?

    4) Yes, for an extra fee.

    5) In addition to the dealer remote control that the article highlights, it looks like the driver needs to enter a dealer provided code every few weeks to keep the car running. Sounds like bad things might happen if the dealership or pay-tech folds and can't provide you with your next week's DRM code.

    -In addition, it has an added gps(?) feature to help dealers (and their disgruntled ex-employees) locate cars that they want to repossess. -- Obvious privacy implications to consider.

     

  29.  
    Nastybutler77 (profile), Mar 18th, 2010 @ 9:47am

    Re: Re: Hack? What hack?

    "I know plenty of hackers, but know very few crackers."

    I prefer "caucasian." Or if you must, "honkey."

     

  30.  
    Mayor Milobar, Mar 18th, 2010 @ 10:30am

    Ubi-Dealership coming next year

    I can't wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car. If at any time you lose connectivity, your vehicle automatically shuts down. But don't worry, the online system saves your state, so as soon as your network connection is re-established your vehicle will resume traveling in the same direction and at the same speed.

     

  31.  
    dan, Mar 18th, 2010 @ 10:38am

    Re: Hack? What hack?

    Every site should be watching this because it's not a safety feature, it's a massive technical screw up and we're all to blame. Computers inside cars don't stop accidents. What they do accomplish is breaking and causing expensive repairs on brand new vehicles that need a tow to a dealership full of idiots that won't even know what's wrong. People have been driving cars without computers for a long time! Can you believe that??? Type that in to your 600$ Idick phone. The best part about all this is young kids believe in technology like it's mother nature. Yea i said it..... Idick phone.

     

  32.  
    Anonymous Coward, Mar 18th, 2010 @ 10:51am

    Re: Re: Only the Beginning

    > That's justifying grand theft, and it's stupid.

    Stupid is trying to claim that being late on a payment is grand theft.

     

  33.  
    Anonymous Coward, Mar 18th, 2010 @ 10:57am

    Re: Lots of Questions

    > Pay Technologies goes out of business and stops transmitting, what happens.

    You mean like what would happen if a DRM server went away? Oh, that would never happen! (snort)

     

  34.  
    Steve R. (profile), Mar 18th, 2010 @ 11:18am

    Re: Ubi-Dealership coming next year

    Endless permutations!!!
    You wrote: "I can't wait until Ubisoft diversifies into the automobile market and requires an always on internet connection to be able to drive your car."

    Late on your car payment - car turned off.
    Run a red light - car turned off.
    Late on your maintenance - car turned off
    Auto incident above a certain "G" force - car turned off.
    In car DVD player, unauthorized content - car turned off
    Ford parts installed in a Chevy - car turned off.

    Lawyers - $happy$

     

  35.  
    Nastybutler77 (profile), Mar 18th, 2010 @ 1:29pm

    Re: Re: Hack? What hack?

    Okay, grandpa. How far did you have to walk to school each day? Keep wishing for your "golden era."

     

  36.  
    Anonymous Coward, Apr 7th, 2010 @ 9:12am

    gay

     

  37.  
    Kevin, May 7th, 2010 @ 4:28am

    Used Trucks

    What if someone purchases a Used trucks for sale and the gadget is installed to it, is it transferable?

     

  38.  
    william (profile), Jun 5th, 2010 @ 9:58am

    BMW Cars

    This is a wonderful opinion. The things mentioned are Great and needs to be appreciated by everyone. BMW Cars

     

  39.  
    william (profile), Jun 5th, 2010 @ 6:55pm

    Car Motorcycle Parts

    Thanks for sharing. I learnt a lot from your site. I would also like to share some very useful information with you all.
    Car Motorcycle Parts
    This is a very good site. Thankyou.

     

  40.  
    daniel lord, Sep 7th, 2010 @ 3:33pm

    Maybe it would have been a hack if...

    Perhaps it would have been a bit more of a hack if he had used pc remote access methods to sneak into the network and then make the changes.

     

  41.  
    Jaqes, Sep 18th, 2010 @ 1:50am

    Texas Auto Center noticed that someone had been messing around with the information and vehicles of their customers. Thanks for sharing what the exact story behind it was. Machinery for sale

     

  42.  
    Anthony, Jul 31st, 2013 @ 3:41am

    Funny Guy! Hacking into computer systems!!

    This guy was in the wrong profession if he could hack into the database like that!! I was actually looking for posts about buying a new car and found this one! very funny!

    If someone is looking to buy a new car here is an interesting article about the best time to buy one I just read http://www.lifedaily.com/when-is-the-best-time-to-buy-a-car/ hope you find it useful too.
    A.

     
