I'd suggest that any way you get around a given system has hack value. As someone else mentioned: social engineers have been called "hackers" before.
When I was doing penetration tests a decade ago, some of my best client engagements required little technical skill to gain access to some of the most prized data on the network (HR, Payroll, access to update the website). You'd be surprised how far you can get in many organizations without exploiting a single software or technology weakness.
It wasn't likely to be so much "poor security" as it was likely to be a weakly protected account: a shared ID for everyone or credentials sitting in plain view.
What isn't "poor security" about "a weakly protected account: a shared ID for everyone or credentials sitting in plain view"?
When access to other people's stuff is controlled by a given account, unless there are good protections on every level, you're in trouble; you have poor security.
You implied blame at the provider level. We might as well run a headline saying "Security flaw to blame for rash of area burglaries" when said security flaw was the failure to lock the front door.
I would consider what this 'hacker' did a service to humanity, because now I know that something much more evil than him exists, namely this:
a small black box under vehicle dashboards that
responds to commands issued through a central website,
and relayed over a wireless pager network.
That's horrible! Why isn't wired concentrating on that aspect of the story? That's the story. That some hacker used it to have some fun honking horns is beside the point.
If I found out something like that existed in my car, I'd be livid!
EDIT: from the comments I see it's for derelicts who agree to have it installed. hmph. note to self: calm down
Derelicts or not, this system is plain evil: it teaches us that stuff we buy is less and less really ours.
We can't hack on stuff, we can't repair stuff, we should use stuff only the way we're supposed to, and now only when we are allowed to. The funniest thing is that we praise "private property"...
When I first read it I instantly assumed OnStar had been hacked, then I thought it would suck to get that black box thing installed, then again, then again, OnStar could do even more damage if compromised, couldn't it?
FWIW, the chances of someone hacking my OnStar are far less than me having to use it if I lock myself out of my car or if my car is stolen; in either case OnStar is a huge help. I think I'd be willing to forgive them.
These systems have come a long way since I last looked in on this technology.
When I lived in Detroit the Mel Farr autogroup had a system (that I believe was semi-proprietary/in-house design) that they would install on high-risk loan vehicles. It was activated over a pager network and would allow them to remotely disable the starter on a vehicle if the weekly (yes, weekly) payment hadn't been made in time.
It was not an uncommon occurrence to hear of or see vehicles that were left running 24/7 until the owner could scrape up enough cash for their payment. The system at that time only disabled the starter, so once the car was running you were good as long as you didn't shut it off.
Obviously the maturity of this system has come a long way since that time (1996ish).
This is not a standard car feature, it's added specially for people who are a poor credit risk, allowing the creditor to remotely disable the car if they don't pay.
Most car alarms, engine immobilizers, etc. can be defeated in about a minute by an expert, as shown many times by pretty much every car magazine out there. But they are still installed because the average thief does not have this knowledge. I think the same principle is at work here.
Where do we draw the line? If the only way for you to get a loan was to sign over the right to have your family abducted and held for ransom, would that be OK? Why is that not OK, but having the car honk at your neighbors all night is?
Most auto Stealerships are just using the same old broadband that home users have, with dynamic DHCP IP addresses.
As for the provider? I wouldn't likely blame them. It was likely that several dealerships may have set up one shared account on the system for everyone to use, or that someone left the password written or printed out in plain view. These things happen. All. The. Time.
While IP address restriction isn't foolproof, it would have probably stopped this "hacker" from gaining access. And the article says this guy was pretty good with computers?!?!? If he was, then he'd have covered his tracks better.
One person's definition of good with computers is another person's definition of a script kiddie. :) I was called "good with computers" just because I was able to modify the toolbars in Word 97. (Not to mention knowing HTML!)
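As an added illustration (not from the thread or from any vendor's product) of the two controls the comment above mentions, here is a small log check that flags logins to a shared dealer account from outside the dealership's address ranges or outside business hours, plus bulk starter-disable actions. The log format, account name, IP ranges and hours are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample records for a shared dealership console account.
# The line format and every value here are assumptions for the example.
SAMPLE_LOG = """\
2010-02-20T09:14:02 login user=dealer_shared src=203.0.113.17 result=ok
2010-02-20T17:45:31 login user=dealer_shared src=203.0.113.22 result=ok
2010-02-21T01:03:10 login user=dealer_shared src=198.51.100.77 result=ok
2010-02-21T01:05:44 action user=dealer_shared src=198.51.100.77 op=disable_starter count=43
"""

# Assumed dealership egress ranges. With dynamic DHCP addresses this list
# needs upkeep, which is why the thread calls IP restriction imperfect.
DEALER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time, assumed


def parse_line(line):
    """Split 'timestamp kind k=v k=v ...' into a dict."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def flag_events(log_text, ranges=DEALER_RANGES, hours=BUSINESS_HOURS):
    """Return (timestamp, source IP, reasons) for events that an
    allowlist, an off-hours rule, or a bulk-action rule would catch."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = ipaddress.ip_address(rec["src"])
        reasons = []
        if not any(src in net for net in ranges):
            reasons.append("source outside dealership ranges")
        if rec["ts"].hour not in hours:
            reasons.append("outside business hours")
        if rec.get("op") == "disable_starter" and int(rec.get("count", 0)) > 5:
            reasons.append("bulk immobilisation")
        if reasons:
            findings.append((rec["ts"], rec["src"], reasons))
    return findings
```

A shared account makes the "user=" field useless for attribution, so source address and timing are the only signals left; that is the practical cost of the shared ID the thread describes.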
It gets worse. I had an acquaintance in junior high (long time ago) who found out that I was a computer programmer. One day he asked me to come over to his house and "program" his parents' computer. I thought it was cool that he wanted help learning how to program.
When I got there, I found out what he really wanted was to have someone install Quicken for Windows for him. I did the dance of clicking "Next" a bunch of times, and his parents were amazed. I tried explaining that that's not what "programming" means, but it apparently didn't stick. The next week, he called me up just to brag that he had learned how to "program" computers too, and how he must be smarter than me because it took me so long to learn how to program.
Is it really legal to install something like that on a customer's car without their knowledge? Or did the customers willingly submit to that deal? Over my dead body would I let someone put a remote-operated controller with web access into anything I own. (Hence I'm not going to buy an iPhone or a Kindle that you use at the pleasure of the corporation...)
This is worse though, it's like the physical manifestation of malware!
This is definitely agreed to by the customer. These are the "sub-prime" of used car dealerships. Charge 30% interest rates, accept weekly payments for people with bad credit, and Lojack their car if they don't pay up.
Wow... I'm more concerned that car dealers are actually installing boxes like this in cars.
Just another reason why I prefer the older cars from the '90s where they don't have hundreds of miles of wiring and eight layers of plastic above the engine to prevent maintenance.
In Other News: Real hackers will now be monitoring pager communications for the signals sent to these cars and do it themselves without the company website.
This possibility is made even more likely by the inconvenient fact that pager networks are unencrypted. It basically amounts to a gentleman's agreement between service providers that pages sent by one provider's customer do not accidentally appear on the device of another provider's customer.
When I read the headline, that's more along the lines of what I was expecting in this story.
I learned long ago to take the default position that any given system is overwhelmingly more likely to be insecure than secure, unless it or one like it has already been hacked and exposed in a well-publicized, highly embarrassing/costly situation. And even then it's more likely to be insecure than reasonably secure.
I keep waiting for remote shutoff systems like the one discussed in the article, OnStar and the ones law enforcement has oft-proposed to be blown wide open.
He logged into the web interface from home using a password.
The better headline would have been "Poor Security Allows Disgruntled Employee to Disable Over 100 Cars Remotely."