Data Security Risks Motorists Aren’t Thinking About When Selling Or Returning Their Vehicles


There is a growing issue of personal data being left behind in vehicles that motorists rent or own, posing serious security risks to individuals nationwide. When drivers return rented vehicles to dealerships or sell used vehicles to a private buyer, many forget that they leave themselves connected via Bluetooth through devices such as smartphones and tablets.

In fact, there have been instances where drivers of recently-purchased used cars have called ‘Home’ via their vehicle’s Bluetooth telephone system and it ended up dialling the previous owner’s house.

Of course, there was a time when vehicles weren’t equipped to store personal information on their owners – apart from odometer readings and radio station presets. However, 21st-century models are now fitted with computers that record and control everything from climate control, engine, and brakes through to entertainment systems, tyre pressures and safety features.

In some quarters, today’s new vehicles are increasingly labelled ‘smartphones on wheels’. While a feature-laden road vehicle is a great thing for many motorists, it does represent a challenge to protect personal data prior to returning or selling on such vehicles.

Last summer, a motorist in Texas, U.S. sold his beloved convertible that was one of the first truly connected cars – capable of being synchronised wirelessly with a smartphone for the purposes of work and entertainment. Charles Henderson, a global head of X-Force Red, IBM’s offensive security group, spotted something alarming just hours after selling the convertible.

Henderson was gobsmacked to find that he could still control the vehicle using the smartphone app, allowing him to determine the vehicle’s current location, unlock it remotely and even start the engine and drive off with it. Before physically returning the car to the dealer, Henderson sought to conduct a factory reset of the vehicle’s computer system, wiping all personal data from the convertible’s on-board computer.

Bizarrely, when Henderson purchased a new connected vehicle by the same car manufacturer, he found that his old vehicle remained linked to him via the smartphone app. Even the manufacturers themselves had great difficulty in unlinking Henderson from his old vehicle. So, while the Internet of Things (IoT) offers a new world of interaction and connectivity at the wheel, it can still cause problems down the line.

The impending General Data Protection Regulation (GDPR) rules that come into force on 25th May 2018 have also been raised by the UK’s Vehicle Remarketing Association (VRA). The GDPR rules state that satellite navigation records and Bluetooth phone information must be removed from work-related vehicles before legally entering the used car market.


Suggested actions to take to prevent data security leaks when selling or returning your vehicle:

  • Delete all Bluetooth pairings between devices and the vehicle.
  • Delete all stored telephone numbers and call history.
  • Retrieve all CDs and USB keys from glove boxes and other compartments or ports.
  • Delete any inbuilt garage door opening codes.
  • Remove all pre-programmed destinations and route history from satellite navigation systems.
  • Delete all Wi-Fi hotspot settings and passwords stored by the vehicle.
  • Remove any on-board diagnostics (OBD) or electronic data recorders (EDR).