The apparent security lapse happened late-Friday before the app went offline “due to site maintenance” a few hours later.
As cars collect and share performance data with automakers, “what happens if the mechanic down the street, who has been servicing your car for years, can’t get that data from the vehicle manufacturer?” asked Bill Hanvey, CEO of Auto Care Association, a trade group that represents about 235,000 repair stores.
It’s not uncommon for modern vehicles these days to come with an accompanying phone app. These apps connect to your car and let you remotely locate them, lock or unlock them, and start or stop the engine. But as cars become internet-connected and hooked up to apps, security flaws have allowed researchers to remotely hijack or track vehicles.One Seattle-based car owner told TechCrunch that their app pulled in information from several other accounts. He said that both he and a friend, who are both Mercedes owners, had the same car belonging to another customer, in their respective apps but every other account detail was different.
The car owners we spoke to said they were able to see the car’s recent activity, including the locations of where it had recently been, but they were unable to track the real-time location using the app’s feature.When he contacted Mercedes-Benz, a customer service representative told him to “delete the app” until it was fixed, he said.
The other car owner we spoke to said he opened the app and found it also pulled in someone else’s profile.“I got in contact with the person who owns the car that was showing up,” he told TechCrunch. “I could see the car was in Los Angeles, where he had been, and he was in fact there,” he added.
He said that he wasn’t sure if the app has exposed his private information to another customer.
“Pretty bad fuck up in my opinion,” he said.
The first customer reported that the “lock and unlock” and the engine “start and stop” features did not work on his app, somewhat limiting the impact of the security lapse. The other customer said they did not attempt to test either feature.
It’s not clear how the security lapse happened or how widespread the problem was.“There was a short interval [Friday[ during which incorrect customer data was displayed on our MercedesMe app,” said Donna Boland, a spokesperson for Daimler, the parent company of Mercedes-Benz.
“The information displayed was cached information — not real-time access to the account, no financial info was viewable nor was it possible to interact with, or determine live location of, the vehicle associated with the account,” the spokesperson said. “When we became aware of the issue, we took the system down, identified the issue and resolved it,” she added.According to Google Play’s rankings, more than 100,000 customers have installed the app. A similar security lapse hit Credit Karma’s mobile app in August. The credit monitoring company admitted that users were inadvertently shown other users’ account information, including details about credit card accounts and balances. But despite disclosing other people’s information, the company denied a data breach.
Updated with comment from Mercedes-Benz parent Daimler.
As self-driving cars develop further, autonomous vehicles will play a much larger role in the digital economy as car companies and others harness personalized customer information through geospatial and navigation technologies, combining it with existing financial consumer profiles, according to a study in Surveillance and Society .
Credit Karma glitch exposed users to other people’s accounts