A 20-year-old was arrested and charged with computer intrusion in Austin yesterday for allegedly using stolen website credentials to disable as many as one hundred cars. The affected vehicles had a remote immobilization system installed and belonged to customers of his former employer, Texas Auto Center.
At the end of last month, Texas Auto Center started receiving isolated reports from customers who claimed their cars suddenly failed to start or started honking randomly in the middle of the night. After receiving more than a hundred similar complaints, the dealership realized that was more than coincidental mechanical failures and began looking into other possibilities.
The source of the troubles was eventually tracked down to a Web-based service called WebTeckPlus, which can be used to "remind" customers that they are late on their car payments. The solution is developed by a company called Pay Technologies and involves using a specially-designed smart box to set off a vehicle's horn or disable its ignition system remotely. "It is a controller that allows you to disable the starter function of the vehicle in the case of delinquent payments," the company explains.
When checking their WebTeckPlus account, Texas Auto Center noticed that someone had been messing around with the information and vehicles of their customers. A subsequent server log analysis revealed the attacker's IP address and led authorities to 20-years-old Omar Ramos-Lopez, a former dealership employee who was let go in February.
Martin Garcia, manager of Texas Auto Center, told Wired that Ramos-Lopez used a former coworker's account to access the system, because his was disabled when he was dismissed. As a precautionary measure, the company reset the WebTeckPlus passwords for all of its employees.
Meanwhile, Jim Krueger, one of Pay Technologies' owners, noted that cars most likely did not start honking in the middle of the night, since this feature cannot be activated after 9 p.m. and before 9 a.m. Additionally, a car's starter can only be disabled if the vehicle is stationary and between hours selected by the car dealer.
Most computer intrusion incidents involving disgruntled ex-employees are made possible by companies failing to revoke credentials when dismissing personnel. However, this story stands proof that sometimes taking such measures might not be enough.
Last year, we reported that a former IT consultant deleted 10,000 accounts from a computer system belonging to Australia's Northern Territory Government. He was able to access the system months after he resigned with the password of an ex-coworker, with whom he shared an apartment. Periodically issuing employees with new access codes might be more cumbersome, but may help avoid later incidents, which can prove costly to mitigate.