The dangers that come with buying pre-owned IoT devices

When you buy a second-hand connected car, can you be sure that it is not still not reachable by its former owner? Similarly, when you sell your own connected car, how can you be sure that it will not leak the personal information you fed it to the next owner?

buying pre-owned IoT devices

What could go wrong?

Charles Henderson, Global Head of IBM’s X-Force Red, told the RSA Conference 2017 crowd about his own experience when selling a much loved convertible car.

When he traded the car back in to the original factory dealership and bought a new one, he made sure to perform a factory reset on the old one so that none of his personally identifying information remained in its computer systems, as well as de-authorize all accounts (reset the Bluetooth, garage door openers, etc.). And the dealer made sure that all keys issued to the care were surrendered at the time of sale.

Still, two years later, his old car was still listed on the app he used to remotely interact with it – he could still “reach out” to his old car and make it do things (climate and navigation control, remote unlock, geolocation info).

Possible solutions

His experience made him think about all the things that are currently wrong with how the automotive industry handles identity and access management. Access revocation can be difficult to properly implement, he says, and financial incentives for automotive manufacturers are first owner centric.

A centralized, cross platform system seems like the right way to go about access revocation, he says. Making it easier to track ownership of connected cars is also a must for retaining users’ trust in technology.

Henderson says that the automotive industry and other industries creating IoT devices should take a page out of the mobile (phones) industry’s approach to access revocation, and develop a solution that predictably and reliably resets connected devices to a factory-like condition.

Standards should be created for factory reset of smart functionality. Access revocation procedures should be intuitive and obvious for users, and users should be made aware of the fact that the option exists, and why it’s important for them personally to take advantage of it when they sell their old or buy second-hand connected devices. Manufacturers should consider providing “guides for second owners” and “sale preparation guides” for smart technology.

But at this point, he argues, consumer awareness is key. They should demand better security by informing themselves about the implications of using connected devices, asking manufacturers and sellers about methods to revoke access by former owners (before they actually buy the device), and how to securely wipe the devices they mean to sell on.

RSA Conference 2017

Don't miss