It seems that smart products aren't quite smart enough to disconnect from the original owner when they're sold.
We enjoy being able to access our cars and household devices, such as door locks, security systems, garage doors and thermostats, from anywhere — but companies are not thinking about what happens if that device is re-sold.
"It's not a revenue-generating event. A lot of companies don't really focus on the transfer from the first owner to the second owner," said Charles Henderson, who heads IBM's X-Force Red, a team of security professionals and ethical hackers. "It's time to start looking at the entire lifecycle of these devices."
When Digital Ownership Never Ends
In a recent blog post, An IoT Love Story: Always Apart, Never Disconnected, Henderson shared the personal story of what happened when he sold his convertible a few years ago. Henderson was connected to that car via a mobile app that enabled him to work the door locks, set the climate control, start the car and honk the horn remotely.
Before he gave the car to the dealer, Henderson deleted all of his personal data stored in the radio and navigation systems. He just assumed his app access to the vehicle would be automatically revoked. But it wasn't.
Nearly four years later, he still has "digital ownership" of his old car. Henderson said he knows where that vehicle is at all times and still has the ability to control its various functions.
IBM X-Force Red has identified four major auto makers (they won't say which ones) with connected car applications that allow previous owners to access/control their former vehicles — even if the new owner uses the factory reset option.
"Factory reset will delete your radio stations, phone book and reset your climate controls," Henderson explained. "It doesn't remove the previous owner from being an administrator. That previous owner could find the car, unlock it, and in many cases, start the car and drive off. Basically, they can do anything that the actual owner could do with that application."
NBC News asked the Alliance of Automobile Manufacturers if automakers are aware of the issue and doing anything about it. Wade Newton, director of communications for the Alliance, said privacy and security are priorities for all automakers.
"As vehicles become increasingly interconnected, both data protection and data privacy are considered from the earliest stages of product development; in other words, 'Privacy is by Design,' Newton wrote in an email. "The steps an owner must take to 'un-pair' a vehicle with relevant applications would be different for different products, so customers should check with their vehicle's automaker."
The National Auto Dealers Association has information about Personal Data in Your Car that includes a checklist for buyers and sellers.
A Growing Concern for Home Buyers
X-Force Red also found the same problem with home devices. Henderson told NBC News about David Bryan, a member of the IBM team, who recently bought a house with a home automation hub. Because of his background in security, Bryan knew to perform a factory reset. After doing that, he noticed an unfamiliar phone number listed as an administrator.
Bryan did several more factory resets, but the number was still there, so he contacted customer support. After two weeks the company was able to remove that phone from the list of approved devices. They also spotted a tablet that had access to Bryan's automation hub — one he could not see on his management console — which they also removed.
"It's scary to think that even if a user checks the management settings and determines that everything is secure, there still might be authorized devices invisible to them," Henderson wrote in his blog.
Lesson learned: A factory reset may only clear the data and erase the settings on the device. It probably won't alter the accounts that manage it via the cloud — or the data already stored there.
NBC News asked the Consumer Technology Association (CTA) to comment on Bryan's experience. Jeff Joseph, CTA's senior vice president of communications, said people need to be careful when transferring connected devices, utilizing reset functions and wiping their devices clean before selling or moving.
The industry is "aware and taking steps" to help manufacturers deal with IoT systems and to educate their customers about how to configure them, Joseph wrote in an email. "Often consumer education and technology solutions advance in relative tandem. We had to learn to wipe or reset our phone and computers before recycling."
The Problem is Only Going to Grow
Smart homes are still a small part of the overall market, but one that's expected to grow significantly in the next few years as more homeowners install these devices and homebuyers come to expect them. So the National Association of Realtors is teaching its agents how to spot IoT devices and how to deal with them at closing.
"Over time, as you add more and more of these devices from different manufacturers to the house, it becomes more of a challenge," said Chad Curry, managing director of NAR's Center for Realtor Technology. "How do you reset multiple devices from multiple companies? We're trying to get ahead of this by educating our members about this and how they can help make sure the devices are reset appropriately."
Real estate professionals are already trying to deal with the challenges presented by smart homes. It's no longer just about getting a set of keys at closing; it's remembering that the ownership of the home's IoT devices must also be turned over.
"It can be really creepy if the seller still has access to those security cameras around your house and can see what you're doing," said Heather Petrone-Shook, president of the Greater Philadelphia Association of Realtors.
Related: 2017 Is the Year of the Smart Home
Petrone-Shook told NBC News about a client who bought a house and discovered that the seller still had control of their Nest thermostat after they moved in. That's why agents in her office now tell buyers about the devices in that home that connect to the Internet.
"We're letting buyers know and putting into the agreement of sale that they have to make sure this control is transferred fully, but again we're still in the very infant stage of this," she said.
Craig Spiezle, executive director of the non-profit Online Trust Alliance, says the inability to disconnect the previous homeowners is more than an inconvenience.
"You could have a disgruntled seller who plays havoc with the new owners or someone opening the house and trying to get something out of there," Spiezle said. "The issues have shifted from online privacy and online security to the real world of physical safety."
OTA has created a checklist for people who buy or sell a connected home.
More Needs to Be Done
Digital security experts contacted by NBC News criticized the electronics industry for not dealing with this issue. They want to see appliance manufacturers take responsibility for the unintended consequences of connectivity and develop simple and secure ways to completely reset IoT devices — whether it's a car, home or anything else that has connectivity.
Lance James, Chief Scientist at Flashpoint, a business risk intelligence company, considers this to be a major vulnerability that is not being properly addressed.
"There needs to be much more critical thinking about this," James said. "When companies build these devices they need to assume that they're going to be sold — the person who made the original purchase may not be the owner tomorrow."
James wants to see "a mandatory self-destruct button" on all IoT devices that resets them to the original factory setting. And there needs to be a test to prove that it works before the product is sold, he said. If the industry doesn't do this on its own, James believes it may be forced to by regulation.
What Can You Do Right Now?
While all of this plays out, there are a few things buyers and sellers of connected devices should do. IBM's X-Force Red recommends "a digital cleanse" of any IoT devices you sell or second-hand ones you buy. This includes removing your own information before you sell an IoT device.
Buyers cannot assume they're the only authorized user of that smart device. Check the 'user management' settings to remove any previous users. Even though factory resets aren't perfect, they're still a good practice.
For connected cars:
- Ask the car dealership to show you how to disconnect the mobile app and/or web interface to ensure that all previous owners are disconnected from accessing the vehicle
When buying a home with smart devices:
- Find a home inspector who can identify and understand smart home devices
- Ask your real estate agent about disclosures of smart home devices left in the home
- Remember that some devices might have IoT functionality, even if they look like a normal device, for example a smart door lock or smart light switch.
"At the end of the day, the burden is on the consumer, but we can't expect to put the onus on them to figure this out," said X-Force Red's Charles Henderson. "If we don't get in front of this, the more pervasive IoT gets, the bigger the problem is going to be. The Internet of Things is evolving into the Internet of Everything. And as we make everything Internet capable and Internet ready we have a duty to consumers to make it Internet safe."