10 Jul 2017
The subprime auto industry is notorious for predatory sales practices. That’s not to say that all subprime auto dealers take advantage of people, but when someone has to choose between accepting a high interest rate on a car or not being able to go to work, the opportunity is there. In fact, subprime auto dealers sell cars to people who default on their payments so often that they’ve found new ways to repossess cars without ever having to send out the repo man. While repossessing a car can be necessary, this growing method could lead to debilitating cyberattacks on dealers and customers.
When a cell phone or water bill goes unpaid, the service is shut off and the customer has no choice but to pay their bill. When a car payment is never made, a repo man has to be sent out to find the car and bring it back to the dealer. Of course, owners who don’t want to lose their cars will make that as difficult as possible by hiding the car or even attacking the repo man. Subprime auto dealers are finding a way around that by installing onboard shutoff devices in all their cars. Just like a cell phone, if you don’t make your car payment, your car will not turn on, but that’s not all these devices do. Many come with GPS trackers so that a car being repossessed can be easily found, and the device will even warn the owner if they have a payment coming up or are overdue. No one wants to have their car controlled by someone else, and people especially don’t want someone tracking them at all times, but auto dealers defend these devices by saying they allow them to sell cars to people who wouldn’t be able to purchase one with their poor credit.
Then, of course, there’s the cybersecurity aspect.
No matter how you feel about shut-off devices, you can’t deny that they’re a cybersecurity liability. Despite what the manufacturers say, the remote connections to the shut-off devices are vulnerable. All it would take is for a hacker to sniff the signal or hack into the dealership, and they would have control over every car with a shut-off device. Now, you might think that this is all just paranoia and what-ifs, but this actually happened. The Texas Auto Center in Austin, Texas, had the classic “good credit, bad credit, no credit” sales pitch. Accordingly, they sold several cars with shut-off devices installed. Their system ran smoothly until one day they received several complaints about malfunctioning cars despite payments being on time. For the next couple of days, more and more complaints came in until there were over a hundred people whose cars wouldn’t work or would suddenly honk in the middle of the night until the battery was disabled. The cause of their problem was a disgruntled former employee. The employee knew the inner workings of the shut-off device system, so he used a co-worker’s login information to access the system and wreak havoc. But this was back in 2010, before cars were as reliant on computers as they are now. Can you imagine what a hacker could do today?
Today, car dealerships deal with computers as much as they do engines, and with the capabilities of hackers, there is no room for cybersecurity vulnerabilities. Now auto dealers have a choice to make: either take their cybersecurity seriously or lose the trust of their customers. The good news is that there are cybersecurity firms that specialize in dealership cybersecurity and will make the transition from unsecure to secure simple and painless, but first dealers must decide that they won’t be vulnerable.