Honk If You’re Hacked

Thursday, March 18, 2010 at 08:24 PM EDT

I’m actually quite surprised I haven’t seen a story like this before. According to a post on the “Threat Level” blog at Wired, a disgruntled former employee of Texas Auto Center, in Austin TX, managed to disable about 100 cars of the firm’s customers, using a Web-based system that was intended to be a sort of electronic “Repo Man”.

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

The system, called WebTeck Plus and supplied by a company called Pay Technologies, uses a small electronic control box installed in the vehicle to allow an authorized user of the Web application to disable the car’s starter, or honk the horn. The central system communicates with the in-car control box via a wireless paging signal. The security on the Web site appears to be a standard userID / password login.

According to the article, the former employee’s account had been removed when he was terminated by Texas Auto Center last month, but he apparently knew or guessed another employee’s password. He was initially disabling customers’ cars one at a time, but then apparently discovered a database of customer data, and began larger-scale operations. At one point he had managed to affect more than 100 cars. The immediate problem was finally resolved when someone at Texas Auto Center had the wit to change all of the passwords for the Web application.

The security provisions for this system are so lax as to be laughable. The vendor claims this is the first time the system has been abused, but I would be willing to bet it won’t be the last. This incident also makes one wonder how well other aspects of the system are designed: could someone generate a bogus wireless signal to the car controllers, for example?

Occasionally one sees suggestions that systems should be installed on vehicles to allow stolen cars, or the cars of fleeing fugitives, to be remotely disabled by the police. Incidents like this one should remind everyone that it is very easy to get this sort of thing wrong — and the consequences could easily be worse than having one’s horn honking at night.