back to article Connected car in the second-hand lot? Don't buy it if you're not hack-savvy

Cars are smart enough to remember an owner, but not smart enough to forget one – and that's a problem if a smart car is sold second-hand. The problem is as simple as you could imagine: people shovelling apps and user services into cars forget that the vehicle nearly always outlives its first owner. The global head of IBM's X- …

  1. Oengus Silver badge

    Hackers dream

    The Register can't help wondering what that's going to look like once a bunch of vendors have talked different vendors in different industries to implement different identity management and access revocation solutions

    With all of these self interests at work there will be security holes that you could drive a double decker bus through...

    1. Anonymous Coward
      Anonymous Coward

      Re: Hackers dream

      With all of these self interests at work there will be security holes that you could drive a double decker bus through...

      .. which makes me wonder what this would do on a double decker bus. Sorry, carry on..

      :)

      1. Mike Moyle Silver badge

        Re: Hackers dream

        ".. which makes me wonder what this would do on a double decker bus. "

        Oh they used to laugh at me

        When I refused to ride

        On all those double-decker buses

        All because there was no firewall on the top.

        -- "Twisted" (with apologies to Ross & Grey)

    2. Phil O'Sophical Silver badge
      Coat

      Re: Hackers dream

      With all of these self interests at work there will be security holes that you could drive a double decker bus through...

      Somebody else's double-decker bus, controlled from your phone.

    3. Locky Silver badge

      Re: Hackers dream

      I don't know what you're all so worried about. Security is top of the list of these car manufacturers.

      It's not like one would broadcast an advert telling the world what it's default password is...

      Oh

  2. Winkypop Silver badge
    Happy

    Everything old is new again

    Saw an old car of mine some 10 years after I sold it. After the shock of realising it was still getting around, I surreptitiously reached behind the number plate to find my 'secret' key was still in place...

    1. Magani
      Facepalm

      Re: Everything old is new again

      In the bad old days of cowboy car dealers in the late '60s, I traded my Austin 1800 (yes, I know...) in with 45,000 miles on the clock. About a month later, I saw it parked in the city, and just out of curiosity, went across to have a look at how the new owner was keeping it. The odometer now read 19,000 miles.

      (They had removed my spare key, though.)

      Wouldn't happen these days, would it....

      1. FlossyThePig
        Headmaster

        Re: Everything old is new again

        Wouldn't happen these days, would it....

        If you have a car that is older than three years it requires an MOT test and the certificate shows the mileage from previous tests.

        Perhaps:

        - You never look at the certificate;

        - You only own cars less than four years old;

        - You no longer own a car.

        Whack-O!

        1. Anonymous Coward
          Anonymous Coward

          Re: Everything old is new again

          "If you have a car that is older than three years it requires an MOT test and the certificate shows the mileage from previous tests."

          In the UK a private seller can sell a vehicle with a re-clocked odometer legally as long as they disclose the fact.

          I rode old British motorcycles as main transport for many years, and the vibration would routinely kill speedometers. Every time I fitted a new speedo the indicated mileage was zero again (but I was always honest about the true mileage when selling a bike). After a few speedo replacements the mileage on MoT certificates bore no resemblance to reality.

          More recently I owned a 15-year old car with less than 20,000 miles on the clock - for the second time, as it started at zero again at 100,000 miles. Over the few years I owned it I had several "low mileage" MoT certificates, the point being that the mileage on a previous certificate isn't necessarily a true figure.

          1. Dan McIntyre

            Re: Everything old is new again

            I rode old British motorcycles as main transport for many years, and the vibration would routinely kill speedometers.

            I rode a 1938 Argson tricycle across the Alps in 2011 and found the same problem - the speedo first stopped working and then dropped off altogether eventually. Minor issue though compared to the chain stretching, the idler shaft snapping halfway up a swiss mountain on a sunday etc etc.

            BTW, we managed to find a garage on that mountain, open and they let us use their welding gear to fix the idler.

        2. HieronymusBloggs Silver badge

          Re: Everything old is new again

          If you have a car that is older than three years it requires an MOT test

          There are plans to re-classify vehicles over 30 years old as 'classic' and exempt them from MoT tests. At present the exemption only applies to pre-1960 vehicles.

        3. Magani
          Holmes

          Re: Everything old is new again

          @FlossyThePig

          Perhaps:

          - You never look at the certificate;

          - You only own cars less than four years old;

          - You no longer own a car.

          or perhaps I live in a country that isn't the UK?

          1. Prst. V.Jeltz Silver badge

            Re: Everything old is new again

            I have a car imported from japan. I fitted a uk speedo , and tried to adjust it for the correct mileage.

            I was half asleep , and instead of 75 k miles it has 10 times that.

            Some of the MOT certs notice that , some assume its 75 ish.

            I dont really care. Me and any potential buyer know what we're looking at.

            I must say the new accessible mot mileage records must have almost eliminated "clocking".

            1. imanidiot Silver badge

              Re: Everything old is new again

              Not really. It's just done differently now. It's rather easy to adjust the odometer on modern cars (Requires a CANbus controller and some hacking skills, especially knowing which modules store the mileage, so that you can reset ALL of them so as not to leave a trace).

              This is most useful on new cars, but what you basically do is set the mileage to a much lower value before each MOT test (Or APK in the Netherlands). Over the years this means you have a much lower mileage count on the odometer than the vehicle has actually made. Then you can sell it for much more than it's actually supposed to be worth because it's a "low mileage" vehicle. Since the mileage year on year still increases and there are no weird jumps either way, the authorities still give you the genuine/logical mileage declaration.

  3. redpawn Silver badge

    Nothing will be done

    until there is a sensational case of a former owner doing something unspeakable to a young...

    1. Anonymous Coward
      Anonymous Coward

      Re: Nothing will be done

      Nothing will be done

      until there is a sensational case of a former owner doing something unspeakable to a young...

      Hey, no need to drag the Catholic Church into this one.

      :)

  4. macjules Silver badge

    "Without naming the machine's maker"

    Not many cars around that use apps to control them .. dare I mention Tesla? The procedure for transferring ownership is pretty hard:

    Old owner:

    DVLA transfer

    Log out of the app

    Inform Tesla of the transfer of ownership and also send a copy of the registration

    New owner is required to inform Tesla of:

    Colour copy or photo of current driver’s licence

    Copy or photo of vehicle registration

    Phone Number

    Email Address (the email use for My Tesla Account)

    Home or mailing address

    Might be easier to buy a much older car that doesn't have apps to control it.

    (PS: I'm a Tesla owner)

    1. BebopWeBop Silver badge

      Re: "Without naming the machine's maker"

      Well they are certainly doing a reasonable job attempting to identify the new owner, but the euqestion remains, are all the access controls also zeroed to startup?

    2. 0laf Silver badge

      Re: "Without naming the machine's maker"

      "Not many cars around that use apps to control them", only pretty much every BMW from the last few years.The app can track the car and open it and can't be disabled by the owner.

      1. Wade Burchette

        Re: "Without naming the machine's maker"

        "The app can track the car and open it and can't be disabled by the owner."

        I would like to see it work with its fuse pulled.

        1. Charles 9 Silver badge

          Re: "Without naming the machine's maker"

          "I would like to see it work with its fuse pulled."

          Sure, only will you have a working car at that point. Never underestimate the deviousness of Big Brother so that one cannot disable the telemetry without disabling the device altogether: all or nothing.

      2. Dan 10

        Re: "Without naming the machine's maker"

        I just got rid of a 2014 5 series on Friday. I now cannot log in to the app on my phone.

        Also, even if I managed to log in, the app checks the car's location. If it's more than 1.5km away from the phone, it refuses to provide any info 'for privacy reasons'.

        The only hidden nugget on that car is Faithless's The Dance on the hard drive.

    3. Steve Davies 3 Silver badge

      Re: "Without naming the machine's maker"

      So Tesla's USP is that 'the car owns you' then?

      with all that information on you you are going to get pawned and that's almost a 100% sure fire guess.

      Obviously, the next step will be for the Tesla (other makes are available) to draw blood from the driver and do an onboard test for

      - Is the sample from a registerd driver

      - is the sample from someone who is insured to drive

      - is the driver drunk or under the effect of drugs.

      Then it will check all poilice databases to make sure that there are no outstanding warrants for the driver arrrest. If it finds one then it will lock the doors, immobilise the cars and call the police.

      And all you wanted to do was put the thing in the garage instead of leaving it on the driveway over night.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Without naming the machine's maker"

        "[...] to draw blood from the driver and do an onboard test"

        That will be fun trying to start the car on a cold winter's morning when hands are too cold to produce even a micro-spot of blood.

        1. Adrian 4 Silver badge

          Re: "Without naming the machine's maker"

          The machine won't give up. It will just keep digging until it strikes blood.

          1. allthecoolshortnamesweretaken

            Re: "Without naming the machine's maker"

            "The machine won't give up. It will just keep digging until it strikes blood."

            So, once again, life will imitate art?

    4. nilfs2

      Re: "Without naming the machine's maker"

      Why do I have to ask Tesla for permission to sell MY car? One more reason why all that electronic gadgery doesn't belong on a car, GPS is as far as I will go with the gadgets, and that's on my phone, not on my darn car.

      1. allthecoolshortnamesweretaken

        Re: "Without naming the machine's maker"

        "Why do I have to ask Tesla for permission to sell MY car?"

        Good question... is it really YOUR car, in the sense that you actually OWN it and can do with it whatever you want?

        I don't know the particulars in Tesla's contracts, but lately I have been noticing a tendency amongst makers of vehicles to regard their products not so much as sell-and-forget physical things, but rather as intellectual property on wheels that the "buyer" may use for some time, within clearly defined (and somewhat repressive) parameters.

      2. d3vy

        Re: "Without naming the machine's maker"

        "Why do I have to ask Tesla for permission to sell MY car"

        There's a simple answer. You don't.

        You can inform them of the sale (I'm sure the new buyer will insist on it so they can register for all of the connected services and access to the electronic service records)

  5. jake Silver badge

    Now ask me why ...

    ... I drive pre-1970 "enhanced restorations". (There are a couple from 1972 in the fleet, and the Peterbilt is this century ... ).

    1. Anonymous Coward
      Anonymous Coward

      Re: Now ask me why ...

      ... I drive pre-1970 "enhanced restorations".

      You don't want to be allowed in Central London anymore when the new pollution measures come in?

      I love old cars too (especially the 60s models because they're just mad) but there is no way anything older than approx 10 years is as good environmentally as what is produced today. I suspect even VW will now be OK for a while.

      That said, I look at the full picture. Unless we find a better way to produce electricity I don't think electrical cars are the answer either, at present we simply push the pollution elsewhere :(.

      1. Stephen Wilkinson

        Re: Now ask me why ...

        While the environmental output of the engine isn't anywhere near as good on classic vehicles, not building a new car is even more environmentally friendly!

        1. 0laf Silver badge

          Re: Now ask me why ...

          Can you imaging any government saying "as an environmental measure we're going to encourage the citizens not to buy stuff and to incentivise repairs and maintenance".

          As opposed to "old stuff bad, new stuff good"

          No, me either

        2. Eddy Ito Silver badge

          Re: Now ask me why ...

          Putting the environmental friendly bit aside, the newer cars are much safer than the older models. Just look at the IIHS 50 anniversary crash between a 2009 Malibu and a 1959 Bel Air or Stuntbusters 2002 Caddy vs 1962 Caddy. While the '62 Caddy had the benefit of a more square on hit the driver still isn't walking away. Even later models from the early '90s don't have anywhere near the safety features of new cars which is very clearly demonstrated by the video of a Mexican spec 2015 Tsuru (essentially a cosmetically updated 1992 Nissan Sentra) and a U.S. spec 2016 Nissan Versa.

          Folks may like the old cars because they won't see much damage from a random ding in the parking lot but they are nowhere near as safe in a high speed crash.

          1. Anonymous Coward
            Anonymous Coward

            Re: Now ask me why ...

            "Folks may like the old cars because they won't see much damage from a random ding in the parking lot but they are nowhere near as safe in a high speed crash"

            The old Range Rover had solid steel bumpers attached to the solid steel girder chassis. A neighbour once reversed into it one frosty morning. I later wondered about the paint scratch on the front bumper - until he came to apologise and showed me his car's crushed rear end.

            One problem was that you couldn't get into a tight kerbside parking space and use the bumper "ding" method to judge the neighbouring cars' bumpers proximities.

          2. Fonant

            Re: Now ask me why ...

            newer cars are much safer than the older models

            Possibly, although (a) newer cars are a lot heavier and go a lot faster so they have significantly more kinetic energy when moving and (b) safer for the vehicle occupants, perhaps, but not necessarily for pedestrians, cyclists, dogs, etc.

            There's also the problem of risk compensation, where humans tend to convert safety enhancements into performance enhancements. Knowing you have excellent brakes allows you to drive faster and brake later, compared to a car with known-rubbish brakes. All very well until something unexpected happens, and every single "accident" on the roads is unexpected.

            1. Eddy Ito Silver badge

              Re: Now ask me why ...

              Newer cars certainly aren't heavier in the US. The IIHS test pitted a 2009 Malibu at between 3400 to 3500 lbs with a 1959 Bel-Air with a 6 cylinder at 3500 to 3600 lbs so it's a pretty even match. For the Cadillac matchup the older model weighs in at 4500 lbs and the newer one at 3800 lbs so the newer one is actually giving up 18% or so.

              I don't see either being particularly friendly to anything outside their respective envelope but the newer ones certainly aren't more dangerous to pedestrians and such. One might even argue that the softer rounded corners present less of a hazard than the older squarish designs and that some newer designs also have better visibility so as to better detect the presence of people and animals which may be preparing to cross ahead.

              Some time ago when crumple zones were just becoming a thing I had both an old 60's sedan and a newer car it was interesting to look at the insurance quotes. The line items for repairing each differed greatly and I asked if it was because parts were that much more expensive for the new model. My insurance agent said it wasn't really the individual part cost but it was that given a minor fender bender with no injuries the newer car would suffer quite substantial damage and be very costly to repair while the old tank would have little more than a scratch.

              1. Anonymous Coward
                Anonymous Coward

                Re: Now ask me why ...

                Modern cars are MUCH safer to both pedestrians and the occupants. Crumple zones, bonnet design, engine location, seat belts, pre-tensioning seat belts, airbags, bumper design, ABS, stabilty control, A-pillar design, floor pan design and on and on and on.

                Now, nothing we can do about people buying Chelsea tractors to pop to Tesco's in.

      2. gryphon

        Re: Now ask me why ...

        Indeed. Was there not a story on here a while ago where a Singaporean bought a Tesla or similar and got a massive unexpected environmental tax bill?

        i.e. The govt. had also taken into account the CO2 produced by the power station making the electricity to charge it.

      3. Ogi

        Re: Now ask me why ...

        >I love old cars too (especially the 60s models because they're just mad) but there is no way anything older than approx 10 years is as good environmentally as what is produced today. I suspect even VW will now be OK for a while.

        Fun fact, when I take my 1981 manufactured sports car to the MOT, not only does it fly past the emissions tests for the year of manufacture, they told me it easily beats 85% of modern cars in emissions output.

        Admittedly that is because most people drive a car until it stops working, then patch it up and continue, so cars are always at the near extreme of failure, and usually are barely passable in the emissions tests (not including the dodgy diesels which would be a MOT failure in any respectable garage, yet are still on the road).

        The big improvement in emissions came with ECUs, fuel injection and ignition control, which replaced the carbs of old, starting in the late 70s/early 80s. Since then it has been mostly minor refining in emissions.

        Most of the changes were in engine sizes (small engines with forced induction vs larger NA engines), making cars a lot bigger and heavier, lots of added safety airs, and seemingly making them far harder to drive (e.g. reducing visibility due to really thick pillars, especially at the rear).

        > While the environmental output of the engine isn't anywhere near as good on classic vehicles, not building a new car is even more environmentally friendly!

        Very true, someone did a full "Total cost analysis" on electric and hybrid cars vs keeping your old car, and it turns out that it it was more environmentally unfriendly to buy the electric/hybrid car vs keeping your old one (Especially the electric, due to the apparently really environmentally destructive mining of lithium for the batteries).

        Apparently you also had to do a stupidly high number of miles a year (for a decade or more) in order to break even on environmental footprint for the.

        I cannot for the life of me find the report now, but it was very interesting reading.

        1. Anonymous Coward
          Anonymous Coward

          Re: Now ask me why ...

          "I cannot for the life of me find the report now, but it was very interesting reading."

          Did you perhaps see this on an old episode of Top Gear with the "hilarious" Clarkson, "Captain Slow" and the "Hamster"?

        2. Anonymous Coward
          Anonymous Coward

          Re: Now ask me why ...

          it turns out that it it was more environmentally unfriendly to buy the electric/hybrid car vs keeping your old one (Especially the electric, due to the apparently really environmentally destructive mining of lithium for the batteries).

          The entertaining part is that that also has an as yet unused positive byproduct: thorium, which can be used to make far safer nuclear power plants than the current uranium based ones. I am well aware that what you have access to online is probably rather seriously biased, but from my reading so far there is but one argument that keeps thorium out of the picture: it doesn't generate weapons grade plutonium and lots of waste as a byproduct so there are no truckloads of money earned (as a matter of fact, thorium reactors can help reduce the waste pile).

          This flags up a very interesting question: is this maybe why China switched to exporting only the finished product instead of the raw ore?

          My feeling is that (based on what I have read so far) if thorium reactors were to become mainstream due to their inherently more safe failure mode and their far lower complexity, the balance would definitely shift to electric cars - basically to switch anything possible to electric.

          That is, if some assholes don't nick the cables first for the copper.

          1. Charles 9 Silver badge

            Re: Now ask me why ...

            "The entertaining part is that that also has an as yet unused positive byproduct: thorium, which can be used to make far safer nuclear power plants than the current uranium based ones."

            Wanna bet? The thorium cycle produces Uranium-233. VERY weaponizable. Can't rule out a state being desperate enough to extract it. Not to mention U-233 is a real problem in cleanup time, as it's even MORE problematic than Pu-239.

      4. Christoph Silver badge

        Re: Now ask me why ...

        "You don't want to be allowed in Central London anymore when the new pollution measures come in?"

        They will have to allow older cars into London on the first Sunday in November. Much older cars. They will be extremely unpopular if they bugger up the London to Brighton Veteran Car Run!

      5. jake Silver badge

        Re: Now ask me why ...

        I tube/walk in central London, ta you very much. If I need other transportation, I'll use the two wheeled variety. The tree-fern powered bikes are also all pre 1970. But thanks for asking.

        What costs more environmentally: Building from scratch and then driving a brand new vehicle 100,000 miles, or restoring an older vehicle with modern enhancements & driving it 100,000 miles? I honestly don't know, but I've been told that recycling is good for the planet since I were a nipper ...

        Besides, they truly don't make 'em like they used to ...

        1. Anonymous Coward
          Anonymous Coward

          Re: Now ask me why ...

          "Besides, they truly don't make 'em like they used to ..."

          Remembering the Leyland rust buckets of the 1960/70s.

          1. Anonymous Coward
            Anonymous Coward

            Re: Now ask me why ...

            "Besides, they truly don't make 'em like they used to ..."

            Remembering the Leyland rust buckets of the 1960/70s.

            or Ladas :)

          2. d3vy

            Re: Now ask me why ...

            "Besides, they truly don't make 'em like they used to"

            That's not always a good thing...

            Safety has improved massively over the years. For both occupants and pedestrians: as an example on detecting a pedestrian impact my bonnet pops up on springs to provide a cusioned surface for them to hit. The interior is full of air bags and I won't be impaled on my steering column.

            I wonder if I could up rate the springs and launch them into low orbit...

        2. Rainer

          Re: Now ask me why ...

          It's not too bad.

          https://en.wikipedia.org/wiki/Embodied_energy#Embodied_energy_in_automobiles

        3. 404 Silver badge

          Re: Now ask me why ...

          'Besides, they truly don't make 'em like they used to ...'

          True, due to the crapplastic plastics car manufacturers used - However, I've found you can 3D print the fiddly bits of plastic/metal that are superior to the original. Good Times.

      6. Ellipsis
        Trollface

        Re: Now ask me why ...

        > there is no way anything older than approx 10 years is as good environmentally

        Oh, I dunno. No catalytic converter ⇒ less CO₂ emission…

        1. Anonymous Coward
          Anonymous Coward

          Re: Now ask me why ...

          "Oh, I dunno. No catalytic converter ⇒ less CO₂ emission…"

          No catalytic converter ALSO ⇒ more CO emission.

          It's pretty much a no-win situation. You can either have a odorless toxic gas or a greenhouse gas. At least CO₂ is supposed to be good for plants...

      7. tiggity Silver badge

        Re: Now ask me why ...

        At least the old car is more likely to be petrol than diesel, so less crud pumped out than many a new diesel

      8. Yugguy

        Re: Now ask me why ...

        "You don't want to be allowed in Central London anymore when the new pollution measures come in?"

        I'm fine with that.

  6. PTW
    FAIL

    “identity management for devices is best served when it's centralised.”

    Because that's what we all need, to be linked to our IoS [cars] via a central database. I can't foresee any problems there.

    How about a "factory reset" does just that? Or better still stop effing connecting stuff to the net that has neither reason nor need to be there.

    1. Mage Silver badge
      Big Brother

      Re: “identity management for devices is best served when it's centralised.”

      Till hackers download the entire central database.

  7. Anonymous Coward
    Anonymous Coward

    Sigh

    It just goes to show that a jammer is no longer a luxury :(.

  8. frank ly Silver badge
    Holmes

    Puts my deerstalker on

    "... the vehicle nearly always outlives its first owner."

    Perhaps the 'new car smell' has become a slow poison.

  9. P. Lee Silver badge

    Second-hand cars not safe?

    I see the entire car industry weeping huge tears as they glide to the edge of the river and sun themselves on the bank.

  10. Duncan Macdonald Silver badge

    Factory reset - default passwords and security

    The factory reset may well be wiping all the customisations and resetting the security - however it is probably also going to reset the access ccodes/passwords/security tokens to the original values. If the original owner did not change them (if possible) on purchasing the car then any of his/her apps that had remote access to the car would still work. For a pre-owened car with remote access to be secure REQIRES the new owner to immediately change the access codes etc or to disable the remote access (eg by removing the antenna or wrapping it in foil).

    1. Known Hero

      Re: Factory reset - default passwords and security

      Considering it is connecting over the net it should be assigning a new certificate to each device authorised to communicate with the car. and upon a factory reset, just remove all the certificates.

      I cannot see why this is such a complex task ??

      1. Pascal Monett Silver badge

        Re: "I cannot see why this is such a complex task"

        It is not a complex task, it is a task the IoT makers DO NOT WANT TO DO.

      2. Charles 9 Silver badge

        Re: Factory reset - default passwords and security

        Because it doesn't make them money. They don't make money in secondhand sales most of the time, and as for costs associated with lawsuits, they figure their lawyers will let them dodge most of them.

    2. creepy gecko
      Coat

      Re: Factory reset - default passwords and security

      ..."immediately change the access codes etc or to disable the remote access (eg by removing the antenna or wrapping it in foil)"...

      A tin foil hat for the car?

  11. Anonymous Coward
    Anonymous Coward

    Fortune 500

    "even Fortune 500 companies have trouble managing access and identity revocation properly."

    Not the one I used to work for though. Best IT infrastructure I've ever seen, by a nautical mile and three chains.

    1. Korev Silver badge

      Re: Fortune 500

      Which company and why was it so good?

      Also, had they outsourced and/or offshored?

  12. John H Woods

    Doesn't have to be smart ...

    ... I've had numerous hire cars where the phone book still has other people contacts in, and the GPS still has "home" in it.

    1. John Brown (no body) Silver badge

      Re: Doesn't have to be smart ...

      ...and I forgot to wipe my mp3's from the cars internal player when I handed back the last company car and got the new one. On checking the new one, (same car, newer model), there didn't appear to be a way to wipe the internal memory other than one track at a time anyway. The contacts in the phone pairing would only be company contacts anyway and the car got redeployed elsewhere in the company so I'm not worried, but it is something I forget to check at the time.

  13. CheesyTheClown

    Pretty sure it's brand dependent

    BMW makes it nearly impossible to connect to your own car. In many cases you can't even connect to a car you properly own. I'm pretty sure that their system which is paranoid strict about device connectivity won't let the new owner connect unless the old owner first releases it.

  14. Voland's right hand Silver badge

    to quote him, “identity management for devices is best served when it's centralised.”

    to quote him, “identity management for devices is best served when it's centralised.”

    Bollocks. What an idiot. Just the opposite. Run a CA on the car and have a "regenerate car certificate procedure" or "revoke all old keys" procedure.

    1. Any device can be a smart lock/unlock - key, phone, you name it. Provided it can do STRONG crypto. The mere fact that you have managed to establish a connection means that you are legit. No pins, no passwords, no keys. Client cert, server cert. Most basic public key cryptography. Nearly all devices of interest (phones, etc) on the market have TPMs so the key cannot be stolen/recovered without access to NSA level resources to do direct surgery on the chip.

    2. The "centralized identity management" does not belong. Sorry, any backdoor is a hackable backdoor. I do not see the rationale for using a weak, crippled and backdoored solution when you can run a strong one. It does not matter which brain rotting disease is at play "realtime embedditis - roll your own crypto" or "web 2.0 oAuthitis - use a token everywhere". There is no technical need for either.

    3. The compute resource available in a normal car can run a proper CA. Running a cut-down one just to manage keys for for devices and their associated permissions is a trivial job.

    The only potential role for a centralized point is to be a locator, the auth should still be completely in the OWNER's hands, not be rented out to a central identity management racketeering outfit.

    1. Charles 9 Silver badge

      Re: to quote him, “identity management for devices is best served when it's centralised.”

      Except what if you willingly or are coerced to give up your credentials, INCLUDING your certs?

      1. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    Consumables

    "The problem is pretty obvious: much of the industry is treating products as consumables, and any attention that's paid to security is focussed on the first buyer."

    This has ALWAYS been the problem. The consumer model is broken because vendors only ever consider their own leg of the product lifecycle - sourcing components and materials from suppliers, and selling the product to consumers. Often no thought is put into where the raw materials actually come from, nor what happens to the product when it becomes waste after the end consumer finishes with it ... which has long led to serious environmental and social consequences which capitalist society does its best to ignore.

  16. Zippy's Sausage Factory
    Unhappy

    “Educate end users” has been a staple of the IT sector for decades. If it was going to work, we'd surely have evidence by now.

    That. Is. Depressing.

  17. Custard Fridge

    Fingerprint readers

    I suggest fingerprint readers that enable & encrypt this level of data owner by owner.

    No live finger print - no apps.

    There would be a service / valet key as required - but apps / settings would only be enabled by the fingerprint reader. Perhaps the ignition key does what it does now, and the fingerprint does the rest.

    The reader scans several fingers for each driver as part of the setup in case of chopping board injuries, and scans for a pulse to make sure someone hasn't done something gruesome.

    Those who want to avoid apps on their car entirely, seeing apps as truly the work of the devil, only use the service key and never the fingerprint reader. This turns the object into a car again.

    The majority, who will want apps, use the fingerprint reader.

    Something will need to evolve because once the driver has bags of time because the car drives, they will want connections / apps to do work / leisure in the car. Those who only use the valet key will install a library shelf for books to read during traffic jams.

    When you sell the car & key you can wipe your settings / fingerprint entirely (perhaps with combined use of the service key and your fingerprints) or trust that the encryption level will be good enough to keep hackers out. Those with a different mind-set will not think about it anyway and still get the same result.

    By the time the iPhone 100 can hack the encryption level of your one-time car, you should have changed passwords anyway, or indeed be dead and not caring as much.

    1. Charles 9 Silver badge

      Re: Fingerprint readers

      And what about gummy fingerprints and frog marches?

  18. russell 6

    The criminals are already using this weakness

    I know directly of 2 examples near me, somewhere on mainland Europe. Both people bought late model BMW's secondhand from Germany. Within 24hrs, one of them had been pinched from inside the guy's garage. It seems they hide a gizmo in the car to clone the signal for automatic garage doors which can then be operated remotely. Whoever did it had full access to the car, despite the owner having both car keys. The 2nd had his car pinched off his driveway 2 days after driving it home from Germany. I bet those 2 cars have been sold and stolen by the same people many times

    1. Charles 9 Silver badge

      Re: The criminals are already using this weakness

      "It seems they hide a gizmo in the car to clone the signal for automatic garage doors which can then be operated remotely."

      Hmm? But don't most garage door systems use rolling codes these days?

      1. russell 6

        Re: The criminals are already using this weakness

        I don't know the in's and out's or rolling codes in rolling garage doors. As you said, most doors use rolling codes, which means not all. And the codes are only as strong as the firmware which is generating them. Could the crims reverse engineer the firmaware and find some sort of master code which is never part of the rolling code? I don't know. I just know that most stuff is hackable these days, in fact everything is hackable, given enough time and resources. No I'm not a techie, I'm just interested in tech, which is why I come to Reg

        1. Anonymous Coward
          Anonymous Coward

          Re: The criminals are already using this weakness

          Rolling codes is perhaps the most common system nowadays, but there are probably some ancient ones around that still use the same signal every time, which can be recorded and retransmitted, and there are some garage doors that have gone beyond rolling codes, such as Hörmann BiSecur, which, as the name suggests, uses bidirectional communication with crypto.

  19. Eddy Ito Silver badge

    They car should automatically delete any old 'key' or paired device when a new one is entered. If you want to sync multiple devices there should be a small temporal window where all devices need to be present to check in. Any other method simply means that when you drop your car off with the valet or mechanic or whatever the car is exposed to being connected with any number of devices beyond your control and without your knowledge. There's no need for the car to be second hand, all that's needed is access.

  20. Korev Silver badge
    Big Brother

    Hire cars

    If it's this hard for buying/selling cars to get the firmware wiped etc. what on all earth happens with rental cars?

  21. Simone
    Joke

    Ahh... wifi

    An old story, 2015, but here is a reason to connect vehicles to the internet. Brilliant!

    https://www.nctx.co.uk/2015/04/brand-new-buses-on-south-notts-launched-with-smart-paint-technology/

    1. Anonymous Coward
      Anonymous Coward

      Re: Ahh... wifi

      No doubt one day technology will actually make all that possible. IIRC some of the similar technology spoofs from many years ago did eventually appear viable as research progressed.

  22. Lion

    Smart Lusers

    What about a smart car that gets stolen? I guess they can be more easily located by an app. if you do not start disabling stuff. Then again the odds are high it is already in a chop shop or on a boat to some third world country. If my car got stolen I'd reset all that I could, asap. I would not expect law enforcement to have a process for a stolen smart car that is different from a non-smart car. I'd just ask for the police report for insurance purposes. Then there is the insurance company - liability clauses!!!

    Who was the genius who determined that smart cars are a user benefit ? Seems the benefit got misplaced.

  23. nilfs2
    Childcatcher

    Newer cars are far more dangerous...

    ...not because they are plastic vs metallic, but because the interior is isolated from the outside so the driver have no clue whats going on outside it's car bubble, and have all kinds of electrical gadgets to keep the driver distracted. All cars should need to be shift by double clutching like old non-synchro gearbox trucks, that way the driver don't have a chance to pick the damn phone and get distracted.

    1. Charles 9 Silver badge

      Re: Newer cars are far more dangerous...

      You underestimate the perceived skill level of the average driver (as in they always rate themselves a 10 out of 10). Heck, some of them probably wouldn't be scared of a spike in the steering wheel. Besides, what if you crash WHILE switching gears?

  24. d3vy

    Surely this needs to no more complicated than every now and then the car popping up an alert on the dash saying "I've still got these devices with valid access tokens, do you want to keep them? Ok so that gives a window where it might still work but if it's once a month that's not too bad.

    Or it could do it when you pair a new Bluetooth device "got a new phone? Do you want to deal register the old one?"

    Mercedes do an add on "my mercedes" that you can buy and retro fit to my car, it's a plug in module so when you sell the car you can remove it, or the new buyer can unplug it and get a new one.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019