Categories
Industrial IT

Do not pass go, do not collect $200

I’m Jason Firth.

I don’t make it a habit of commenting on local news stories, but this one really got under my skin: A car dealership demanded additional money from a customer after the sale concluded, and when the purchaser refused to comply, they remotely disabled the vehicle.

A consumer rights organization spoke to consumer rights law, but let’s call a spade a spade here: this is a criminal act. Someone should be going to jail over this.

Perhaps you think I’m being melodramatic about this, but hear me out. This dealer accessed computer equipment they had sold — equipment they no longer owned and were not authorized to access. They did so for the express purpose of following up on a threat they’d made: “either pay us, or we will hack and disable your vehicle.”

This is exactly the modus operandi of the WannaCry hackers. They took over systems they did not own, and issued an ultimatum: pay us or lose access to these systems we do not own.

Besides the thinnest veneer of respectability, there is no difference between the two.

Well, there is one difference, but it is without distinction for legal purposes: whereas the WannaCry hackers had to force their way into systems, the auto dealership left a bomb in the car they once owned.

On a few occasions, disgruntled former employees have used old usernames and passwords to get into the systems of former employers. It’s still very illegal and the fact that they had a username and password does not mean they are magically authorized to enter systems for which they no longer have reason to enter.

Both the WannaCry hackers and disgruntled former employees would go to jail for their crimes. The responsible people at this dealership ought to as well.

In the grand scheme of things, this should also be a warning to those of us who are in charge of digital systems: if a car dealership can commit extortion, if they can use a trap well laid to demand more money, then so can former employees. It’s important then to make sure you revoke permissions immediately when people leave the company, and do routine audits to find hidden bombs before they can turn into a threat down the line.

Thanks for reading!

Leave a Reply

Your email address will not be published. Required fields are marked *