When Charles Henderson traded in his beloved convertible four years ago, the dealer made sure to collect the car keys, but he couldn’t take away Henderson’s digital access.
A security expert at IBM, Henderson knew to protect his private data, so before he waved goodbye to the car, he deleted his personal information from the built-in digital systems that guided him home via GPS, opened his garage door, and dialed up the friends in his phone book. The dealership also double-checked to confirm that he had made many of these moves, he says.
But Henderson later noticed that his old car remained listed—next to his new vehicle—on the smartphone app he used to control it (his new car was from the same manufacturer as his previous one). If he wanted, he could still remotely unlock the doors, find the car’s exact location, and control the heat and air conditioning. He figured his access eventually would be cut off, but years passed and nothing happened.
“If I was so inclined, I could have a lot of fun with the new owners of this car,” he said during a presentation at the RSA security conference in San Francisco in February.
Henderson, an expert in information technology security, will not reveal the exact make and model of his “post-2008” convertible. He says that the problem spreads well beyond that one automaker and that he and his team of IBM researchers have found three more vehicles from different manufacturers that have the same problem. That amounts to a “catastrophic failure,” he says.
This type of threat is not confined to just cars. It also might put at risk the millions of connected door locks, thermostats, lighting systems, and other “smart home” products installed in residences for sale in the U.S.
“There’s no software you can buy that wipes your car, and there’s no reset button anywhere in your house,” Henderson says. “And that’s a problem.”
Henderson’s appearance in San Francisco was the latest stop in a storied career that…