SAN FRANCISCO—When you sell a car, typically the new owner gets the keys to the car and the original owner walks away. With a connected car, Charles Henderson, global head of X-Force Red at IBM Security, found that the original owner still has remote access capabilities, even years after the car has been sold.
Henderson revealed his disturbing new research into a previously unexplored area of internet of things (IoT) security at the RSA Conference here on Feb. 17. In a video interview with eWEEK, Henderson detailed the management issue he found with IoT devices and why it's a real risk.
"As smart as a connected car is, it's not smart enough to know that it has been sold, and that poses a real problem," Henderson said.
The problem is that when a new device or connected car has services provisioned, there is typically some form of mobile app and then there is a cloud back end that provides management. While users are easily able to delete an app from their mobile device, IBM Security found that the cloud piece isn't as easy to delete and user access for devices that individuals no longer own is still held in systems for weeks or even years after a device is resold to second user.
IBM Security found flaws in the revocation of user access for both car vendors and consumer electronics vendors. Henderson declined to specifically identify the vendors as he said the issue was "pervasive" and his goal is to first raise awareness of the issue.
Getting the cloud management piece of IoT fixed is no easy task for a number of reasons.
"Revenue doesn't flow from the second owner to the IoT vendor," Henderson said. "There is no incentive to protect the second user.
"I don't claim to have the identity access management silver bullet, but we can do a lot better than we're doing in the consumer electronics space," he added.
Watch the full video interview with Charles Henderson below:
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.