

Over 100 customers of Austin, Texas-based Auto Center had to pull their batteries or call tow trucks after a wireless immobilization system backfired. The incidents turned out to be the work of an angry former employee.  (Source: Diesel Power)
Man currently faces cyber intrusion charges in Austin

Over 100 drivers in the Austin, Texas area were surprised to find their cars beeping or refusing to start. The culprit was a miscreant mechanic, 20-year-old Omar Ramos-Lopez, who had recently been canned from his local Auto Center.

In Texas, Auto Center dealerships sell autos to consumers with troubled credit, but they install a system called Webtech Plus in the cars as an alternative to repossessing the vehicles of customers who miss payments. The system can either prevent the car from starting or set the car's horn beeping non-stop. The system is powered by a small black box under the hood, which receives wireless signals from operators at Cleveland-based Pay Technologies. Reportedly the system is extremely safe and is unable to stop moving vehicles.

In the last week of February, Auto Center began receiving complaints from customers who had been making their payments, but couldn't start their cars.  Many customers had to remove their batteries (to prevent the honking), call tow trucks, and cancel appointments.  When Auto Center reset its password system the troubles stopped.  The company was later able to trace the commands to an AT&T account owned by Ramos-Lopez.

Ramos-Lopez apparently was able to gain access to another employee's account, despite his own account being disabled when he was terminated as part of a "workforce reduction".  He at first only disabled the cars of people he remembered the names of, but later discovered a database he could use to search for new victims among the 1,100 owners of Auto Center vehicles with Webtech Plus installed.

Martin Garcia, manager of the Texas Auto Center that Ramos-Lopez used to work at, comments, "We initially dismissed it as mechanical failure.  We started having a rash of up to a hundred customers at one time complaining. Some customers complained of the horns going off in the middle of the night. The only option they had was to remove the battery.  [Ramos-Lopez] was pretty good with computers."

Police with Austin's High Tech Crime Unit arrested Ramos-Lopez and charged him with computer intrusion this week.

Though wireless immobilization systems have been around for a decade, this is believed to be the first time somebody has abused such a system to harm customers. Jim Krueger, co-owner of Pay Technologies, describes it: "It was a fairly straightforward situation.  He had retained a password, and what happened was he went in and created a little bit of havoc."



Comments

Customer looses
By djc208 on 3/18/2010 9:46:30 AM , Rating: 5
So the only people this guy really hurt were the poor people who were already being bent over on their car loans for what are probably crappy cars to begin with.

Doesn't he know he's supposed to be fighting the MAN, not his fellow citizens. LOL! If he really had wanted to hurt his employer he would have sent that password to all the customers so they could disable the unit on their car.




RE: Customer looses
By steven975 on 3/18/2010 10:08:09 AM , Rating: 3
And to set these boxes to honk the horn nonstop is asinine. It only harasses people outside of the transaction...like me!

All that's going to do is enrage neighbors.


RE: Customer looses
By Mitch101 on 3/18/2010 10:25:26 AM , Rating: 3
Or someone in a motel with someone they shouldn't. I watch too much Operation Repo and Cheaters.

I do feel for the person who couldn't get to work this happened to. Hope no one lost their job and no one was hurt and couldn't get to where they needed.


RE: Customer looses
By Janooo on 3/18/2010 10:08:51 AM , Rating: 2
Well, he scratched the image of his former employer as well. It's a bad reputation for the company.


RE: Customer looses
By Regs on 3/22/2010 2:41:17 PM , Rating: 2
A company in business to help support people with bad credit while laying off people in their own organization in the meantime. Times must be really bad in Texas.


RE: Customer looses
By Kenenniah on 3/24/2010 10:36:26 AM , Rating: 2
If you think they are in business to help support people and not line their pockets with insane interest rates and overcharging, then I have some property to sell you :P


RE: Customer looses
By bighairycamel on 3/18/2010 10:36:54 AM , Rating: 2
Well it at least got them to question their security methods. I think it's a good alternative to repo'ing, just needs to be more secure.

Oh and,
http://www.evga.com/forums/tm.aspx?m=153266


Idiot owners
By chdude3 on 3/18/2010 10:34:58 AM , Rating: 1
Pull the battery, WTF? The one time I had an issue with my horn, I pulled over, reached down, and removed the fuse.




RE: Idiot owners
By waykizool on 3/18/2010 10:51:51 AM , Rating: 3
Not all people are sane...


RE: Idiot owners
By FaaR on 3/18/2010 3:26:23 PM , Rating: 4
Yeah, because you're OBVIOUSLY INSANE if you don't know which fuse connects to your car horn - or even where the fuse box is located in your vehicle for that matter. *rolleyes*

I'm not sure what kind of frickin' maroon thought it was an awesome idea to manufacture an electronic box that can fire the car horn constantly day or night via remote control anyway. What the hell? That sounds quite illegal (no pun intended) tbh.


RE: Idiot owners
By afkrotch on 3/18/2010 8:46:21 PM , Rating: 2
A lot of cars have that horn feature. It's called, panic button.


RE: Idiot owners
By icanhascpu on 3/22/2010 5:02:08 PM , Rating: 2
Because the people in offices 100 miles away remote-honking some poor schmuck's car are in a panic? Sounds retarded to me too.


RE: Idiot owners
By Keeir on 3/18/2010 1:09:48 PM , Rating: 4
Err...

You realize that many models of cars have dozens of fuses right? Mostly unmarked.

At 2am, with my horn going crazy, I probably would do a similar thing. It would be much faster than hunting down the manual to hunt down the right fuse.


RE: Idiot owners
By Spivonious on 3/18/2010 2:31:14 PM , Rating: 3
I would have to pull out the manual and look up which fuse was for the horn. And with my luck it would probably be in the fuse box under the hood. It's much faster to disconnect the battery.


use another word for crying out loud
By cmdrdredd on 3/18/2010 8:02:27 PM , Rating: 4
Stop using "bricked" "bricks" and "brick" to describe software and electronic failure and break down. It's stupid and is a complete misuse of the English language. You're not cool.




By chagrinnin on 3/18/2010 8:20:15 PM , Rating: 5
Parent | Reply | Worth Bricking | Not Worth Bricking


Lovely hack
By raccoon on 3/18/2010 3:40:21 PM , Rating: 2
I'm writing this from Auto Center while filling out my lease for a new used car. I intend to dismantle this 'black box' and intentionally miss my first payment, so I can debug the wireless instructions sent to the vehicle disabler.

With any luck, I'll have designed a key remote I can drive around pointing at people's cars to make them honk relentlessly.




RE: Lovely hack
By chagrinnin on 3/18/2010 6:39:04 PM , Rating: 5
Without any luck, autopsy will reveal that same remote buried deep in your pooper.


Dumb and dumber
By Shadowmaster625 on 3/19/2010 7:18:26 AM , Rating: 2
What did this guy do, log in from his home IP? Talk about friggin dumb.

And what is dumber than that? Making cars even more expensive by adding these stupid gimmicks, so that even more people cannot afford them. And when problems like these happen, people could lose their jobs, all because of some stupid money wasting scam.

And what is even dumber than that? Building systems that allow backdoors so hackers and spooks can have a field day. These backdoors are exactly what the CIA and other government agencies LOVE. They WILL use them. That auto shop should and must be put out of business via boycott. That is what intelligent consumers would do anyway. Zippo chance on it actually happening.




RE: Dumb and dumber
By rcc on 3/19/2010 2:06:22 PM , Rating: 2
Clearly we both got something different from that article.

It's not a shop, it's a dealership that specializes in sales to those with bad/troubled credit. In other words, they are enabling those people to get jobs that require driving. Further, your "scam" is the company trying to protect its assets while still selling to high risk customers.

But I'll grant you that their system needs a serious security overhaul. This type of system is ripe for hackers, miscreants, and in this case, disgruntled ex-employees, to exploit. Hopefully the perp will get a bill to cover everyone's time and effort, lost wages, etc. Not that he'll pay it, but........


Nice picture
By Indianapolis on 3/19/2010 11:55:08 PM , Rating: 3
That's some hot Ram-on-Ram action in the picture. And I thought this was a family site!




I'm surprised...
By Souka on 3/18/2010 11:06:24 AM , Rating: 2
I'm very surprised this wasn't another bashing article about Toyota!

But after reading it, I laughed when I imagined it was about Toyota!

:)




By Soldier1969 on 3/18/2010 5:34:25 PM , Rating: 2
I know several ways that he wouldn't have been caught. Some people you just don't want to disgruntle if at all possible. They will make your life or business complete hell!




It's TEXAS
By omgwtf8888 on 3/19/2010 2:10:33 PM , Rating: 2
Wonder how many cars with them there beepin' horns got shot?




Former employee WIN!!
By rbfowler9lfc on 3/19/2010 8:36:17 PM , Rating: 2
Company's flawed security FAIL




By YashBudini on 3/19/2010 9:08:17 PM , Rating: 2
Let's hear it for outsourcing!




By Lerianis on 3/20/2010 3:00:10 PM , Rating: 2
Where a criminal or someone else would hack into these systems in order to turn off people's cars remotely so that they can kidnap/kill them when they are out of public view..... doesn't look so much like something that couldn't happen anymore, now does it?

These systems are BAD IDEAS! I know that they help when someone steals your car..... but the other problems that come from them are too much to just be ignored.




By DatabaseMX on 3/22/2010 5:38:26 PM , Rating: 2
Everyone take note:

What happens when someone decides to do this to the OnStar satellite system? 1000's of cars are suddenly disabled or worse? OOPS!!! There is even a commercial that runs on CNN showing this ... wherein OnStar shuts off a car that police are chasing!!

Personally, there is no way I would own a car with OnStar!

mx




Where did he get that other guys password?!?
By medys on 3/18/10, Rating: -1
By whiskerwill on 3/18/2010 11:03:16 AM , Rating: 5
YOU try working for a company with a security policy requiring all passwords to be 8-16 characters long, include upper and lower case AND either a special character or number.

Then throw in the requirement that those passwords be changed every 45 days AND that every new password has to differ by at least 3 characters from every other password you've ever used since you began working there.

THEN you can talk about "stupid" people who write passwords on pieces of paper near their monitor.


By VaultDweller on 3/18/2010 11:12:23 AM , Rating: 3
Done and done.


By VaultDweller on 3/18/2010 11:13:25 AM , Rating: 2
Except that we require both special characters and numbers, not one or the other.


RE: Where did he get that other guys password?!?
By Motoman on 3/18/2010 12:00:04 PM , Rating: 3
Yes. The best way to ensure that your systems are insecure is to enforce onerous password policies on your employees.

There are only a handful of passwords that a person is going to think of and remember on their own that aren't either highly predictable (like your name plus a number) or utter BS that have to be written down on something to remember. And then kept in a desk drawer or on a post-it on the monitor.

Like DRM tech that somehow is going to save the world from privacy when it clearly has no effect, over-the-top password policies work to make your systems LESS secure, not more secure.


RE: Where did he get that other guys password?!?
By d3872 on 3/18/2010 12:51:39 PM , Rating: 5
quote:
Like DRM tech that somehow is going to save the world from privacy...


Freudian slip FTW


By Motoman on 3/19/2010 3:10:54 PM , Rating: 2
Ha! That is hilarious. Freudian slip indeed...


RE: Where did he get that other guys password?!?
By MojoMan on 3/18/10, Rating: 0
By OUits on 3/19/2010 12:31:37 AM , Rating: 2
Yup.

Need to do it for a bunch of employees?
http://world.std.com/~reinhold/diceware.html

Concatenate the result with your '!#'.

Companies based on technology like this can't afford to not take security seriously, even something as fundamental as a password.


By marvdmartian on 3/19/2010 9:03:25 AM , Rating: 2
Yeah, except you know that most people are lazy, and will resort to this trick:
1st password - 1qazZAQ!
2nd password - 2wsxXSW@
3rd password - 3edcCDE#
etc, etc, etc......

Sorry if I gave away anyone's password!! ;)


RE: Where did he get that other guys password?!?
By Jackattak on 3/18/10, Rating: -1
By vkyosho on 3/18/2010 12:55:12 PM , Rating: 1
Nope, I have that problem too, and it's due to the fact some computers I don't log in that frequently so I forget.

Luckily I sync'd my passwords all together, so instead of 10 different combinations, there are at most 3 different combinations. There are still some I have to reset every time I want to log in.


By d3872 on 3/18/2010 12:57:03 PM , Rating: 3
quote:
I have to remember at least 10 passwords just to do my job as a network admin, and they all change every 45 days. Never had a problem. Maybe it's just you?


Given the horde of similar complaints that we see every time the issue of passwords comes up, I think we can dispense with the notion that it's just him.


RE: Where did he get that other guys password?!?
By Suntan on 3/18/10, Rating: -1
RE: Where did he get that other guys password?!?
By Jackattak on 3/18/2010 1:22:37 PM , Rating: 1
[snide, chiding response]
Nope, just a great memory from the sounds of the responses.

Don't waste your time feeling sad for me! I have one of the greatest lives anyone could ever desire! :P

[/snide, chiding response]


RE: Where did he get that other guys password?!?
By rmclean816 on 3/18/2010 2:22:01 PM , Rating: 2
I'm happy your sad.


By LRonaldHubbs on 3/18/2010 2:49:45 PM , Rating: 2
quote:
your sad

The sad that he owns.


RE: Where did he get that other guys password?!?
By stirfry213 on 3/18/2010 12:55:32 PM , Rating: 2
I have 8 different systems that are NOT interlinked and have their own passwords. I feel the pain. However, the key to having a good and rememberable password is to use a password that can be incremented and then used for all systems. You may need to think a bit to find one that will fit all the criteria for all your systems. Example password: a1b2c3001. I have to change all my passwords every 30 days. In this example, next month, it would be a1b2c3002. If your password must be more exotic, then try something like A!b2c3001.

Now, if you have an even more aggressive system, maybe one that doesn't allow you to repeat any patterns... then I'm sorry and good luck! lol


RE: Where did he get that other guys password?!?
By Duwelon on 3/18/2010 1:14:49 PM , Rating: 2
Only 8? :) Luckily my job has a single sign on solution so all the frequently used systems I can access with one password, but there are literally over a hundred others I have to change every 30 days too, some much more painful than others.


By CvP on 3/18/2010 2:03:16 PM , Rating: 2
GE SSO saves the day ;P


By rudy on 3/18/2010 2:32:04 PM , Rating: 2
This is the problem and the point: very few people just randomly generate 10 passwords and remember them every 45 days. Almost everyone out there besides a few psychopaths finds some shortcut which inherently undoes the security that was implemented. Passwords are most often just written down and placed in people's wallets or even on Post-its on the computer or around the desk. Especially on public computers with a shared device. IMO forcing people to change passwords does nothing.

One thing I like is how my bank tells me where the last login attempts were from that way I can notice if an odd IP accesses my account or tries to.


By LRonaldHubbs on 3/18/2010 2:54:51 PM , Rating: 2
This is what I do as well, although my password requirements are not as stringent. I have about 8 passwords to remember, but they are all allowed to be the same, they are all 8 chars long, and they all get changed every 90 days. So I agree, incrementing your password is the way to go if IT allows it.


RE: Where did he get that other guys password?!?
By Duwelon on 3/18/2010 1:10:17 PM , Rating: 2
I've worked with an older person (50'ish) who had highly privileged access to very sensitive data who had to call a helpdesk nearly every day for a year to get their password reset. They eventually started writing the passwords down in a technical manual on their desk. He got canned for incompetence. People who can't store a new phrase in their heads every 30 days should be Walmart greeters, not working with computers.


By KashGarinn on 3/19/2010 5:09:36 AM , Rating: 2
well, if I just had to write down a password, I'd just do it in a way no one would understand. I mean for instance, if your password is 10 symbols long, then you have 10 sentences, and put your password vertical at the front or at the back of those sentences, or vertically.

But yea, I normally just use a word + symbol + numbers and switch the order, numbers + symbol + word, or iterate the number, or symbol.


RE: Where did he get that other guys password?!?
By HrilL on 3/18/2010 1:15:50 PM , Rating: 1
Sounds just like the password policy I just wrote for my company. If I see a password on a sticky or someone sharing theirs, I give them a verbal nasty gram.

This is the reason we have policies like this. Because people are too retarded to keep a password secret.


By medys on 3/18/2010 4:13:37 PM , Rating: 5
There always is a balance between a weak password in a user's head and a strong one written on a monitor :)

We cannot be too harsh about password policies and people forgetting them :)

Even I after a crazy skiing/partying holiday in Austria forgot my Windows password :) and I'm IT :D


By NT78stonewobble on 3/20/2010 7:04:27 AM , Rating: 2
Other people might be "retards" but with your social skills you ought to work with road construction.


By HrilL on 3/29/2010 2:52:06 PM , Rating: 2
Last I saw they do far more socializing than most of us in IT.


By afkrotch on 3/18/2010 8:41:23 PM , Rating: 1
I don't write down passwords and I have those requirements. Actually, more stringent.

2 uppercase, 2 lowercase, 2 special characters, 2 numbers, 8-16 characters, changed every 90 days, no keyboard patterns, 3 character combos from last 24 passwords can't be used, and can't use the last 24 passwords you've already used.

Our Trusted Solaris system is even worse, as there's like 8 special characters you can't use at all, cause it interferes with the database.


Copyright 2012 DailyTech LLC.