The Massive Security Risk in Buying a Used Car

Dear Reader,

Meet Charles Henderson.

He’s a hacker — one of the good ones. As the leader of X-Force Red, IBM’s security testing group, Charles gets paid to think like a criminal.

A few years ago, Charles decided it was time to get a new car. That’s when he discovered a glaring security risk in the used car market.

Out With the Old

Due to his growing family, Charles decided it was time to get rid of his convertible and purchase a more family-friendly vehicle. So he traded in his old car at a local dealership and purchased another car from the same dealer.

Since the new vehicle Charles purchased was from the same automaker, it had the same car management app as his previous car. Of course, since Charles works in the security industry, he made sure to erase all of the personal information on the app that was connected to the vehicle he traded in.

He deleted his phone contacts, erased the garage door opener code and removed all connected devices. Furthermore, when the dealership received the keys to the vehicle, they also checked to see that Charles’ personal information had been deleted from the car.

But when Charles entered the data for his new car into his smartphone app, he noticed that the information from his old car still appeared on the app. At first, Charles didn’t think much of it and assumed the information would eventually be expunged.

However, days passed, and then weeks, and his information was still there. That’s when Charles realized that because he could see his old car’s information through the app, his old car’s new owner could access his personal information through the car.

Not-So-Smart Technology

Technology is constantly improving — especially when it comes to cars — so it’s no surprise that most new cars are integrated with some sort of “smart” technology. Technology that allows you to unlock the car, sound the alarm, honk the horn and even find out the exact location of your vehicle, all with your smartphone.

That’s where the danger lies. Because even after Charles deleted all of his personal information from his old car, he could still see its location and access the smart features.

Now, you may be thinking, Wouldn’t a factory reset solve the problem? Unfortunately, no. Thanks to cloud-computing technology, a factory reset only erases the data stored locally on the device itself, not the data stored in the cloud.

This got Charles thinking, and he wanted to see whether his was an isolated incident or part of a larger problem. So he and his team tested four different auto manufacturers, and guess what? They all had the same security weakness. Charles and his team never revealed which carmakers they tested, but their results clearly show this is a widespread issue.

And believe it or not, automakers do this on purpose. Because the truth is they are afraid of so-called “user errors.” For example, what if you take your car to a new mechanic and in the course of repairs, they reboot your car app, deleting all your information? Or let’s say a friend borrows your car and they sync their smartphone to it to play music, accidentally wiping out your saved data so you can no longer access your own car?

Action to Take

As technology improves and is incorporated more and more into our daily lives, we will continue to encounter these types of situations. There is a fine line between creating a simple, secure process to delete personal information permanently and making it so easy that you might unwittingly make an irreversible mistake.

Then again, you also don’t want to leave yourself open to the threat of someone taking over your vehicle or finding out where you or your loved ones live.

If you purchase a used car with smart capabilities, I recommend taking the following steps. First, check the user information in the car’s database to see what (if any) devices are connected to the car. If any of the previous owner’s devices are still connected, go to the dealership and ask them to remove the devices.

Before you sell your used car, do the same thing. Go to the dealership and ask them to remove your devices from the vehicle’s system.

Remember, a factory reset of the system won’t remove the connected devices, so you need to specifically ask the dealership to remove them manually.

It’s also important to note that these types of security issues aren’t tied only to used cars. If you buy a home with smart technology that allows you to control the thermostat, lights — even your locks and security system — from your phone, there’s a good chance the home’s previous owner still has access through this same loophole.

While technology certainly makes our lives easier, understand that these advances come with security risks — and someone having remote access to your car or your home presents a HUGE safety risk. So don’t be stupid when it comes to smart technology.

Stay safe,

Jason Hanson
