Jilted fired employee abuses remote repo system

Standard

A dealer is selling autos equipped with a system called Webtech Plus that can let them disable cars or trigger their alarms from the comfort of their showroom when the owners miss payments. What could go wrong?

Some customers complained of the horns going off in the middle of the night. The only option they had was to remove the battery.”

The dealership used a system called Webtech Plus as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The system will not stop a running vehicle.

Texas Auto Center began fielding complaints from baffled customers the last week in February, many of whom wound up missing work, calling tow trucks or disconnecting their batteries to stop the honking. The troubles stopped five days later, when Texas Auto Center reset the Webtech Plus passwords for all its employee accounts, says [Texas Auto Center Manager Martin] Garcia. Then police obtained access logs from Pay Technologies, and traced the saboteur’s IP address to Ramos-Lopez’s AT&T internet service, according to a police affidavit filed in the case.

Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.

“Omar was pretty good with computers,” says Garcia.

The incident is the first time an intruder has abused the no-start system, according to Jim Krueger, co-owner of Pay Technologies. “It was a fairly straightforward situation,” says Krueger. “He had retained a password, and what happened was he went in and created a little bit of havoc.”

Krueger disputes that the horns were honking in the middle of the night; he says the horn honking can only be activated between 9 a.m. and 9 p.m.

via Hacker Disables More Than 100 Cars Remotely | Threat Level | Wired.com.

No Mr. Garcia, Omar wasn’t good with computers, Texas Auto Center is bad with computers. This car dealer didn’t manage and/or monitor its user access. The former employee accessed the system from the comfort of his own home. Also troublesome, is that any employee that had access to this remote repo system was able to deactivate customer autos or turn their cars into personal harassment machines. There were no checks and balances built in to this terribly intrusive system.