Security

Laid-off employee uses coworker's password to disable car ignitions remotely

Using a former coworker's account name and password, a laid-off employee from an Austin car dealer remotely disabled the ignition on over 100 cars.

IT pros (assuming they have any) at the Texas Auto Center in Austin learned a valuable lesson in password security this week. According to Wired, an employee who was laid off last month is accused of using a Web-based vehicle immobilization service to disable the ignition system on more than 100 cars.

The dealership used a system called WebTeck Plus from Pay Technologies (PayTeck). The system allows the dealership to disable vehicles of customers who don't make their monthly payments. The system can also be used to physically locate the vehicle and honk the horn, as a warning shot for nonpayment.

According to various reports, the disgruntled employee's account was disabled when he was let go, but he is accused of using a former coworker's user ID and password to access the system and wreak havoc on the dealership's customers.

I don't know how the ex-employee obtained his coworker's logon credentials. Dealership employees may have freely shared user accounts and passwords with each other. While still employed, the accused individual could have shoulder-surfed a coworker who was logging on. The account credentials could have been written down and stored in an unsecured location. Regardless of how this individual obtained a valid user ID and password, this event is a stark reminder of the very real consequences lax password policies can have.

Check out this video from the local NBC affiliate of an annoyed customer describing her experience.

The following TechRepublic resources can help you create a robust password policy:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

94 comments
taylorjamer11

That's incredible... the question is: does this company have a systems auditor, or effective IT controls? I guess this company does not have an effective risk analysis... if the company had real controls, not only in Kenda?? kenda parts, the risk would be minimized! The company has to review their security plans.

CwnAnnwn

"So that if you don't pay a collector can track the car down and can start it from stopping." Hmm, maybe that's what happened to the Toyotas! And once the car is paid off, is the device taken out? Seriously, this is a total invasion of privacy and this incident will likely drop this matter into the courts.

theccur

If people have information they genuinely want password protected they tend to make the best effort they can, but work computer security is generally considered a nuisance and much of what is protected is considered insignificant. Sloppy security practices are the rule.

FortBragg_Surfgoddess

Who the Frak thought it would be a good idea to allow someone this kind of access to a vehicle? I would never buy a car without having that removed for just this reason. I think someone needs to look into the safety of this sort of device... OOOOOOO I am gonna change the passwords, yeah that will work for a while... Wrong, kinda funny, but still wrong.

mrudny

I would not buy a car from that dealer even if I had money to pay for it in full up-front. There is no guarantee the dealer disables the technology once the car is paid for. It is no pleasure to drive a ticking time bomb whose ignition is in the hands of irresponsible people.

DHCDBD

The first of the three is that the technology should not be in place. I understand the dealer, but do not condone it. The other side is that shutdown and location technology is in place in all new vehicles sold by the dealer, by law if memory serves. The second problem is that there was improper access to the system both by the dealer and by Pay Tech. The third and most minor problem was the accused. If any of these elements were not in place, then the incident could not have happened. I think a person should investigate whether the customers were informed of the shutdown and override device before beginning legal action.

blogs

Installing a technology that remotely immobilizes a car is a catastrophe waiting to happen. How can a remote administrator be sure the vehicle is not changing lanes on the highway? It is so obviously unsafe that I am surprised the Highway Safety agency has not outlawed it. The blame for the bad judgement lies squarely with the dealership's top management - not with the employees. Management decided to deploy an unsafe device. Hmmm - this took place in Austin TX. Isn't that where another angry individual trashed an IRS building because he felt disrespected?

.Martin.

before something bad happens, a password is just an annoying inconvenience.

JackOfAllTech

Am I the only one who's shocked by the use of this system in the first place? If I found out a dealer in my neighborhood was using this, not only would I not give them any business, I would probably organize picketing there.

mandrake64

I agree, hacking is the wrong word. This guy did not spend hours researching code or tinkering with electronics to create a system/program to break into the car security systems. He used a commercially available web interface and an eavesdropped/shared account and password. If anything, it might be cracking, but for the fact he did not share the account and password details widely. But it sure beats him letting off an EMP to do a similar job of disabling them.

hexscyn

Since when do dealers house auto loans and finance people, let alone collections? Sounds like the story's a little fishy to me.

brian.catt

I THINK THE USE OF IT IN VEHICLES IS BARKING MAD. I would never buy a vehicle someone can turn off remotely; what was the dealer thinking of? It's a flaky technology and nothing so dangerous as a vehicle (particularly one driven by the non-technical) should depend on software to work (see TOYOTA). It's only allowed in aircraft with triple redundancy; cars have NONE. Just buy cars with direct mechanical connections between driver and brake and accelerator. No software engineer can be trusted to write and fully debug solid code, as every Windows computer and many Toyota vehicle owners know. Best,

J3

Dealership should mandate that every employee password changes every 90 days or sooner.

oldbaritone

Whether you realize it or not, Big Brother IS watching you. Thank-you, George Orwell.

JCitizen

Very informative and entertaining as well! HA! We all like to see the underdog stick it to da man! ]:) However, this disgruntled employee is in big trouble, and should be! X-( I've always felt like management should NOT treat employees like dogs, and not knowing the circumstances of this guy's layoff, I can't speculate. But I have seen some poor guys terribly abused by managers. I just hope this kid thinks going to jail for getting even is worth it; because he deserves to go to jail; if he actually did it, that is. Innocent until proven guilty - that is the motto we must not forget.

ProperName

Unfortunately, since we don't know for sure how this password was stolen, we also cannot say for sure that the password in question was not a strong password or that the password policy in place was not a good one. It could even be that a good password policy IS in place already, but since the ex-employee knew that policy, he was also aware of what was needed to bypass it. For that matter, prior to his leaving, he may have installed some software to capture the information. There simply aren't enough facts shown to immediately assume that this password policy is/was not effective. My little rant effectively over, I also believe that it does take a disaster for end-users to finally see the light. However, after any disaster, it takes a minimal amount of time for the average end-user to become complacent once again. Once this occurs, we're back to square one. IT focuses more often on security, but often fails to continually test that security for leaks and holes from which breaches may occur. For this we blame the budget (see management). I would think your poll above should really ask, "Does it take a disaster for end users and Management to take password policies seriously?" I say this because, more often than not, it is management who is preventing a solid password policy from being implemented.

jmarkovic32

It will always take a breach, disaster or tragedy to spur on drastic measures. Why? Because people are selfish and don't want anything to negatively impact their productivity. And face it, security will ALWAYS impact productivity.

Richard Noel

Were all of these cars subscribed to an On-Star like service? Or is there some other system that is installed on these vehicles solely for the purpose of tracking deadbeats? Either way, is there an easy way to disable it?

ShafferR

This is a serious and scary issue... Mostly, I just thought the video was funny... If you watch it closely about 43 seconds into the news broadcast the reporter actually says that the hacker manipulated the devices which would "Start the car from Stopping" instead of saying "Stop the car from Starting." I thought it was funny because, If you're late on payment, then (according to this reporter) the dealership will make you crash by not allowing you to stop... :-P All jokes aside though, this is the downside to technology, invasion of privacy is so easily accessible with so many new gadgets.

x167

Duh. Most people don't even realize how much is at stake when using short or repetitive passwords.

Al_nyc

My least favorite thing is passwords that expire every XX number of days. That just leads to people having insecure, easily guessed, passwords. Or worse, it leads to people writing them down and "hiding" them near their computer. Which security genius thought password expiration was a good idea? Just force users to set one good password and let them keep it until you are sure there has been a security breach.

ijusth

I agree that this is bad security but did anyone notice why this ability exists? The dealership can DISABLE a car because of non-payment!!! REALLY!!! IS this something that should be explored and exposed? An out of work single mother doesn't pay her bills and is out somewhere with the kids buying groceries and the dealership decides that this is the time to disable the car and she is stuck in a parking lot. Come on ...

JamesRL

And the buyers of these vehicles bought the cars knowing that it was there. They chose that option, perhaps because these kinds of dealers were the only ones who might give some people with poor or no credit any kind of loan. As for safety, it doesn't stop the car, it prevents it from starting. This might be a problem if you are caught in the middle of the desert or in a snowstorm, but for most situations, not being able to start a car is not a safety hazard. If it was, then cars would have to be a whole lot more reliable. James

NickNielsen

I've run out of creative ways to insult the intellect of people who can't read.

NickNielsen

The customer is not only aware of the device, he interacts directly with it. These devices are used in cars sold by dealers catering to the bad/no-credit buyer. Each time the customer makes a payment, he is given a code to enter into the keypad to enable the device for the next payment interval. Click the links in the article and read the support material before you jump to conclusions.

NickNielsen

The system is accessible to the driver and gives warning that a payment is due. Not only that, the device is usually set to activate at 4am, when most vehicles are parked at home, it doesn't shut down a running vehicle, AND there is an emergency code that provides a 24-hour override. Here's a news article: http://www.payteck.cc/news.html Amazingly, it was available through a link to the manufacturer's web site in the blog post.

NickNielsen

If you've got good credit, you won't be shopping at one of these dealers anyway. This system is used by dealers catering to the bad/no credit market: the "We finance anybody" dealers. Links in the article provide the background information. The people buying these cars have no other choice except no car at all or cash for a clunker. Yes, it's intrusive, but the customers not only know it's there, they interact with it. And this system can actually help improve people's credit by showing they are able to make payments on time. Been there, done that, and still having the occasional problem over 10 years later. Save your outrage for a system that makes it nearly impossible to establish credit or recover from credit problems.

smaknstein69

Disgruntled employee? Criminal hacker? More like Freedom Fighter. What's next, a kill switch on pacemakers? This is an unwarranted intrusion on personal property. GPS? I don't even like the dealer badges on the back of the trunk lid. We don't need no steenking badges!

Dan Aquinas

If one is worried about this kind of situation, and believes the effort expended justifies containment of the security risk, one could make the case that anytime an employee is let go, *everyone* must change their password.

leifnel

"I've always felt like management should NOT treat employees like dogs, and not knowing the circumstances of this guy's layoff, I can't speculate." If you treat somebody like dogs, blame yourself, when you get bitten.

KJQ

You nailed it. You can have all kinds of great policies and procedures around security (IT and otherwise), but if there are no consequences to users for violating them, then why would they follow them? The consequence must be as SEVERE as the desire to enforce it (e.g. loss of use, fines, termination). How long did New Orleans stay 'civil' once the police were no longer able to enforce all the laws? There are days I want to sit down at every logged in computer here and send a nasty flame mail to our President from the offending user just to force a consequence upon them as an individual. The usual response of executives/politicians is to come up with more rules/laws to punish the law abiders rather than the violators. Why ticket speeders when you can just lower the speed limits by 50%? No wonder vigilantism is so tempting.

Bill Detwiler

Pay Technologies, LLC. does list reasons why a customer might want their system (such as it acting as a security system), but the company clearly markets their services to auto dealerships. According to the company's Web site: "PayTeck is a new method of ensuring payment for cars and equipment from customers who may have a less-than-perfect credit rating. It is a controller that allows you to disable the starter function of the vehicle in the case of delinquent payments." I can only speculate, but I would assume the terms of the purchase contract forbid the customer from disabling the system until the car is fully paid for.

JCitizen

would be tamper resistant, and tied to the vehicle burglar alarm. If I were designing this device, it would pop a flag on the server control at HQ, and indicate that a keep alive signal was lost on vehicle VIN# so on and so forth. I think you get my drift. If the signal dies, the repo man starts looking for you. That is probably in the rental agreement, I'm sure. Or at least they'd be fools for not including that factor into the rental agreement.

KJQ

Finally someone else agrees with me. I've been in IT for almost 30 years and never understood this lame idea. I can go to just about any computer in our organization and find the password written on a post-it note under the keyboard or on the monitor. I probably don't need it because password protected screen savers aren't mandatory here and so they're probably still logged on 24x7 despite many warnings about backups and OS patching that doesn't happen. Basically, it will take at least another generation before either people won't be clueless about computers and computer security, or we have AI capable computers that can think for the users. I can go on and on with stupid user stories but right now I'm too busy fixing all the computers of users who said "yes" to the "your computer has a virus, click here to fix the problem..." browser pop-ups.

jmarkovic32

That idiot must have had a lot of clout. As a security-conscious engineer, even I behave like a normal user in everyday life when it comes to passwords. The fact of the matter is that we have so many of them and managing them all mentally is a huge chore. So we take the path of least resistance. It can even be argued that password resets make passwords less secure!

zenrender

The problem with that plan is that a breach can go undetected (maybe the stolen password in this case was 20+ characters long and complex, but once it was stolen it's useless). Nobody knew this guy had his buddy's password until *after* the cars had been shut down. Timed password changes can mean that the password the ex-employee has lifted won't do anything by the time they decide to try to use it. I know in my experience that the higher up in the executive food chain someone is, the less likely they are to have a password rotation ("It's annoying to have to remember it") and so you can easily end up with President of a multi-billion-dollar company having the same password for email, contracts, budgets, HR, etc for YEARS without a change. That's an awfully large security hole to just leave open hoping that whomever might use it will be foolish enough to get caught, and THEN change the password.

jmarkovic32

How about this one? Someone intentionally buys a car they cannot afford and tries to elude repossession by moving from one area to the next. There are two sides to every coin. As long as the company or bank OWNS the property, they can do whatever the hell they want especially if they disclose this capability before the buyer signs on the dotted line.

nottheusual1

This isn't a new technology. It's been used in the Southwest for years. The responsible person for the car note is quite aware of the unit being installed. And the technology is mature enough to not be a danger to a driver. It keeps you from starting the car .... Google the technology.

melias

Imagine a worse scenario. Your wife is pregnant. She goes into labor, oops, the car won't start. Or perhaps you need to get to the emergency room. Any number of situations. This is just a large court case waiting to happen. Finally, the car is legally yours. What right do they have to install some device in it? If you stop payments, they repossess it.

SmoothIT

What about cars that had the ignition disabled while on a freeway?

DHCDBD

While you think you are correct, you are not. Read the manufacturer's web site. I believe that you will find that there is a completely web based system that requires no customer intervention. No customer intervention meaning - no code to enter, no device visible, etc. http://www.payteck.cc/Webteckplusad.pdf http://www.payteck.cc/aboutpayteck.html http://www.payteck.cc/Payteck_GPS_Spec_Sheet.pdf Two different systems. Which one was used? Now re-read the article. What is meant; which system? I made the assumption that the 100 disabled vehicles were of the web enabled type as both the web enabled and the customer intervention based systems were in use but only the web enabled vehicles did not start. How did you get into computers without the basic investigative and critical thinking skills? Sorry about the late response.

Dan Aquinas

While I agree with you that people should read and *think* before replying, I re-read the headline and article, and the author uses the word "ignition system" when I think it would have been more appropriate to use the word "starter" (which did not appear in the article). That change alone would have saved time and "ink" from a lot of people that really was a waste. It would have even been better if a 3 sentence explanation of the technology had been included. It would have raised the level of discussion significantly!

blogs

The system described in the news article is under the primary control of the driver. The worst 'hack' that can happen is that the driver receives a bad code from the rental office. This type of system cannot be unknowingly/secretly deactivated. The system described in the parent article allowed anyone with access to the software and vehicle information to remotely deactivate the vehicle, without the knowledge of the owner/driver. That presents a real safety threat.

JCitizen

and on the other side of the coin, it seems like the dog sometimes bites the hand that feeds him; and unfortunately again, some people are just like animals(dogs). :(

leifnel

If the options are A: lower interest and a trackable car B: Higher interest, and a non-trackable car C: No car. Many people would probably select option A. Here, an insurance company gives you 40% discount, if you let them put in a black box, tracking the speed. If you are responsible for an accident, then for every km/h over the speed limit (+5km/h), they deduct $180 from their damage payment. Your choice; for young drivers in fast cars it can be a difference of $3500 a year in insurance premium.

SMparky

Wow, finally someone else said it. Password expiration doesn't help, it makes it harder to maintain security. And password protected screen savers should be mandatory. I know one woman who caught a cleaning guy playing games on her computer one weekend. People just don't seem to get it. Another issue is disabling old accounts, and even have some security for creating new accounts. Any sysadmin could create a back door account to use if they want, particularly in a system with 100's of accounts. And do they think that maybe it wasn't an ex-employee who did this, but a current employee who isn't happy and saw a co-worker leaving as a good cover to cause some trouble?

Al_nyc

If someone gets your password, they will test it before they use it. A message showing the last time you logged in and the ip address is all that is needed to check on that. I always look at that message on the systems that provide that info.

Cerebral*Origami

You lose a couple of cars to car thieves (and I think someone moving around like this would be very rare) or you lose tons of business because people don't want to take the chance that their car will be disabled. It doesn't even have to be a disgruntled employee. One typo and your car gets shut off instead of the correct person's, or the database is corrupted, or maybe the signal goes out due to an electronic glitch. They should just stick with the tracking device so they can find it to repo it. I know I'll never buy a car someone else can control - I'd stick with old junkers first!

jtruebe

The car is usually NOT yours if you're making payments on it. It is the property of the lien holder, who has every right to install such a device. If the car WAS legally yours (meaning fully paid and no liens against it) and it was repossessed, that would be something called Grand Theft Auto... and I'm not referring to a video game. That said, I think such devices are lame and can cause serious issues. But if you can't make the payments, you shouldn't have purchased the car. Sure, no one can foresee losing their job, but the lien holder has a right to protect their asset how they see fit.

djmalone

Here is an even more common scenario: You have a standard transmission car and pull out in front of traffic thinking you have plenty of time, except you let the clutch out too fast and stall the car. Normally you would quickly restart the car and move clear of the traffic, except it has just been disabled and you take a hit in your driver's door (normally fatal).

mcbinder

Imagine your wife is going into labor, you didn't pay your car loan for a few months, you go outside and, oops, the car is GONE! In the "old days", the guys come in the middle of the night and get your car. This is just a way of: 1) Locating the car 2) preventing you from moving / hiding the car from the rightful owners, the re-possessors. You don't own anything that has a lien on it until it is paid in full. mcb

JCitizen

you do have some ownership rights, but they would be very different to outright purchasing of a vehicle. I'd say it is a system that was bound to happen with all the technology coming on board in the auto industry. Police can already disable On Star vehicles, I would not doubt but what the government hasn't hacked a way to disable all autos built after a date where almost all of them have started installing what is basically a PC to control onboard systems in vehicles now.

zenrender

I've seen this sort of system (in a shared car co-op) and usually it's only to disable the STARTER, not to actually turn the car off while it's on. Once it's running, it's running. I agree that it can mean people are stranded in a parking lot somewhere, though.

santeewelding

When you bet your all -- as you are prone to do -- on specifics, standing in for The Ultimate, you risk Everything. Entertaining, I say.

DHCDBD

I did read the posts below yours. I felt they did not go far enough into the details. Those posts went into how I may have misread the topic and why. They failed to go into the details from the site that showed there were two systems, one of which was web enabled and required no customer intervention.

NickNielsen

If you followed the thread below my post, you would have noticed that I have been corrected already. This would have saved you some time, effort, and bits. How did you get into computers without the basic investigative and critical thinking skills?

Dan Aquinas

Excellent point Nick about the layers between the source and the reader. It's too bad such "flag/tip-off" words like "according", "alleged" and even the humble "may" cannot be highlighted in red as a convenience to the novice and/or lazy reader to alert them. Not everyone is on their toes like you appear to be, but then, those 10 years of experience are probably a very good "teacher".

NickNielsen

I've been on TR for over 10 years and am used to the articles hitting the high points, but providing links to background and supplemental information. And the author used "ignition system" after the phrase "According to": "According to Wired, an employee who was laid off last month is accused of using a Web-base vehicle immobilization service to disable the ignition system on more than a 100 cars." Now I have two layers of press between me and the source. That, to me, is a warning to research the subject myself to verify the accuracy.

NickNielsen

The one is a web-activated variation of the other, and the 911 capability still exists. I could be wrong. I've tried to find more information about the system in question, but all I get are circular references to the original news story and the pdf advertisement posted on the manufacturer's web site.

NickNielsen

Most Americans much prefer an automatic. That way they don't have to actually learn to drive. They can get away with just aiming...and putting on makeup, combing their hair, shaving, reading, writing, texting, and all the other stupid things Americans do behind their wheels at highway speed.

waltz

....just park on a steep hill!

modeler4

A whole new market: fill 'er up with some cheap fuel that just gives enough power to idle, with a fuel switch for regular gas. WARNING - Don't do this in your closed garage! I want one of these things, does Radio Shack sell them?

TheProfessorDan

I can see people that are over four days past their payment just keeping their cars running.