
IoT devices leak previous owners’ data



Security researchers have revealed that some IoT devices and connected cars survive being purged when exchanged and leak sensitive information.

The risk posed to connected cars by skilled hackers is well documented. Among the most high-profile hacks so far was that of a Jeep, where researchers took full control of the vehicle, from operating the radio to cutting its transmission. Preventing attacks from highly skilled attackers is an ongoing fight, but at least few people have the knowledge to replicate them.

What’s terrifying about the findings of IBM researcher Charles Henderson is that sensitive data can persist after a car is “wiped” and be accessed by any individual. In a speech at the RSA Security conference, Henderson revealed that despite selling a car years ago, he still knew where it was because there was no process in place to unhook connected car apps from former owners.

Despite leading X-Force Red, IBM’s security testing group, Henderson wasn’t even researching car security when he discovered the major privacy issue. He went through a process many will in their lifetime: having kids and trading in a convertible for a more family-orientated car. Being a security researcher, he ensured all data was deleted before handing over the keys, including resetting the phone book, removing all connected devices, and resetting the garage door opener.

The dealership went through its own procedures to ensure all keys were handed back, and Henderson noted that they also checked that all personal information had been deleted from the vehicle. After receiving the new car, Henderson noticed his old car was still listed in the management app for the unnamed manufacturer’s vehicles.

“Over time, I began to realize that the car wasn’t going to expire. Days went by, then weeks, months and, eventually, years. It was obvious that whoever had purchased my old car had not enrolled it in the mobile app,” Henderson wrote on his security blog. “This is where my curiosity kicked in — were manufacturers only designing IoT functionality for the first owner because that’s where their revenue comes from?”

He details another case in which a colleague in X-Force Red bought a home automation hub and, even after performing a factory reset, saw a device that was not his own. After some back and forth, customer support removed the other account but asked whether he’d also like to delete a second user that manages his device, which he could not even see in the management settings. This is another case of an IoT company not designing security beyond the initial user.
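Both the car and the hub cases come down to cloud-side account bindings that outlive a wipe performed on the device itself. The sketch below is an added example, not code from Henderson, IBM or any manufacturer; the `Registry` class, its methods, the device ID and the account names are all hypothetical. It contrasts a local-only wipe with a reset that is reported to the cloud, which revokes every binding (including ones the owner cannot see) and invalidates tokens held by old apps.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    epoch: int = 0                            # bumped on every change of owner
    grants: set = field(default_factory=set)  # every bound account, shown in the UI or not


class Registry:
    """Hypothetical cloud-side registry of account-to-device bindings."""

    def __init__(self):
        self.devices = {}

    def bind(self, device_id, account):
        dev = self.devices.setdefault(device_id, Device(device_id))
        dev.grants.add(account)
        return (device_id, account, dev.epoch)  # token the mobile app keeps

    def authorize(self, token):
        device_id, account, epoch = token
        dev = self.devices.get(device_id)
        return dev is not None and account in dev.grants and epoch == dev.epoch

    def local_wipe(self, device_id):
        """Weak pattern: the device clears its own storage, the cloud is never told."""
        return []

    def ownership_reset(self, device_id):
        """Reset reported to the cloud: revoke all bindings, invalidate old tokens."""
        dev = self.devices[device_id]
        revoked = sorted(dev.grants)
        dev.grants.clear()
        dev.epoch += 1
        return revoked


def run_scenario():
    # Constructed sample data: one hub, a first owner and a second manager account.
    reg = Registry()
    first_owner = reg.bind("hub-001", "first-owner@example.test")
    hidden_user = reg.bind("hub-001", "second-manager@example.test")
    reg.local_wipe("hub-001")
    after_wipe = (reg.authorize(first_owner), reg.authorize(hidden_user))
    revoked = reg.ownership_reset("hub-001")
    new_owner = reg.bind("hub-001", "new-owner@example.test")
    after_reset = tuple(reg.authorize(t) for t in (first_owner, hidden_user, new_owner))
    return after_wipe, revoked, after_reset


if __name__ == "__main__":
    print(run_scenario())
```

The list returned by `ownership_reset` is what a buyer or dealership would want to see as confirmation that no earlier account still has access.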

During the same conference, Kaspersky published their findings on seven Android-based connected car apps. Six of the applications did not encrypt usernames and were susceptible to reverse engineering techniques or hijacking by malware. “An evildoer can covertly and quickly perform all of the actions in order to steal a car without breaking or drilling anything,” wrote the researchers in a paper.

An IBM Security survey revealed that consumers were least worried about protecting car navigation data (8 percent), home devices (10 percent), and connected cameras (16 percent), compared to 64 percent who cared about their mobile devices.

The findings of both Henderson and the Kaspersky team yet again highlight the need for an improved focus on IoT security and the need for it to extend beyond the initial user. Consumers also need to be more wary about the data their vehicle contains, and put more pressure on manufacturers to ensure it’s protected.
