Connected Car Data Handover Headache: There's No Quick Fix... and It's NOT Just Land Rovers
Who has the keys to your car?
The perils of previous owners retaining unfettered access to the data and controls of connected cars after resale is a wider problem across the industry, The Register has discovered.
We have confirmed that BMW, Mercedes-Benz and Nissan may all have much the same issue as Jaguar Land Rover, the focus of our recent article on the topic.
Reg reader Howard B told us that BMW showed indifference when he pointed out that he was still connected to one of its vehicles even after he sold it on.
"I was still able to unlock and lock a previous vehicle I had owned, flash the lights, start the ventilation, etc, and see where the car was parked," Howard told us. "Dealers should be making sure that the car is registered to a connected app account in their name so that the vehicle is no longer on a private individuals account."
Howard B said he was able to access this data for "at least" six months after the vehicle was sold on, and noted that if he'd been of a dishonest nature he could have used the information for dastardly means.
The car is now connected to another person's drive account but Howard said when he raised the concerns with BMW Connected services and the dealership, "they weren't interested".
In response to an El Reg query, BMW offered an explanation of its connected car procedures. Drivers selling on internet-enabled BMWs should disconnect themselves from the car before a sale. This will happen anyway once the new owner hooks up to with a BMW account, the car maker said.
The customer need[s] to delete the mapped profile online at the ConnectedDrive account. Customers can delete the mapping via the Head-Unit and get a notification to delete the data online at the ConnectedDrive account as well.
Once a customer connects the car with a new ConnectedDrive account, all previous connections will be deleted.
New BMW owners are in a better position than newly minted Jaguar Land Rover owners, who are unable to evict the previous owners from access to the data and controls of connected cars simply by connecting themselves. Unlike BMW's situation, dealer action is needed in the case of JLR. Our tipster is nonetheless dissatisfied with BMW's approach.
"The vehicle is deleted from a previous owner's connected drive account when a new owner adds the vehicle to their account, but if that new owner is not a technology type of person or does not know about apps then it will stay on the previous owners account," Howard pointed out.
He added that BMW's approach relies on everyone following the car maker's guidelines, a common criticism among several drivers we've spoken to about the topic.
Beep Mercs the spot...
Owners of other brands of connected car are also affected by much the same issue. Chris Rogers, a US-based hacker and transportation security expert, told The Reg it took a call to Mercedes-Benz to remove the previous owner's info from a recently acquired second-hand S550.
We've also heard of someone who sold his previous car through a main dealer in the Netherlands more than a year ago but still has remote control over it, as previously reported.
Our initial article prompted further examples from Reg commenters.
"HWwiz" told us the JLR issue also affected newer Mercedes from approximately 2014 onward.
"If the last owner does not log in online and remove the car from their Mercedes Me account, then they can continue to remotely monitor the car, lock / unlock doors, etc," our contact said.
"Non-Mercedes dealers have no control over this, whereas main dealers can terminate the accounts during re-sale."
In a statement, MB placed the onus on previous owners to un-register themselves when connected cars are re-sold.
Since Mercedes-Benz is not always aware that the vehicle is sold we cannot proactively deregister the vehicle from the Mercedes me account. The new owner always has the ability to visit an official Mercedes-Benz dealership to have the vehicle deregistered and registered to his own account.
The issue of who controls the data on connected cars is a topic that also affects drivers of mainstream motors as well as luxury brands. Volvo, Nissan and possibly other brands such as Renault also seem to be affected.
Reg commenter "clhking" told us: "Our Volvo bought from a Volvo dealership was not unbound. But the subscription to Volvo On Call [had] expired. So the previous owner would have had to pay to retain access to our car. When I called to activate our account the VIN (vehicle identification number) was still bound to the previous owner."
The Register asked Volvo if it had anything to say about the implied criticism that its procedure for selling on connected cars fails to block access to sensitive information and controls from previous owners. The car maker, which offered to help our reader, said that app unbinding was part of its resale process.
The comprehensive process covered under the Volvo Selekt approved used car programme does include a check that the previous owner has deactivated their links to the car.
UK infosec researcher Scott Helme told El Reg that he could access his Nissan Leaf connected car "for months" after he sold it on.
It's like selling your phone
Used connected cars need disconnecting, as UK government cyber assurance agency NCSC pointed out after our initial report. Consumers have got used to the idea of factory resetting their smartphone before selling it on. Cleaning out a car before resale is a well-understood practice but this applies only to the contents of a glove box and not to the data a connected car holds, which can include sensitive travel movements, other information and more.
"Users are also familiar with the concept of a phone having and storing personal data [but] not with a car," Helme told El Reg.
Other security researchers we've spoken to faulted car makers for failing to think the issue through when they rolled out the technology. The problem is not as simple as it might appear. One solution, such as having a button inside held for 10 seconds to disassociate the old owner from the system, for example, could inadvertently help car thieves.
One Reg reader, "macjules", said Tesla had come up with an example others might want to follow. "All they need is a functionality similar to Tesla. Go to Backup and Reset and select Factory Data Reset. Car is completely reset and new user can register."
El Reg attempted to confirm with Tesla that this was how its system worked but we've yet to hear back. Security consultants with experience in connected cars expressed interest in the approach without endorsing it.
Although most respondents were critical of car makers in general, one reader countered that calls for automated connected car disassociation-on-sale functionality were unfair to car makers such as JLR.
"LeeE" said: "This is an unreasonable demand to make of JLR because any such automatic bullet-proof method would be dependent upon a similarly bullet-proof system/process whereby JLR is informed of the sale of any of their vehicles, including private sales."
In general, problems arise when the seller of the vehicle fails to un-register their old account/vehicle association when they sell it. The situation is further complicated by the fact that it may not be the most recent seller but someone a few owners back that needs to have their access curtailed.
"It is the responsibility of the previous customer to disconnect and owners of cars with this tech will need to get used to checking their purchase has indeed been disconnected," as one anonymous (coward) comment put it.
Car makers typically run the apps and manage the servers through which connected car services are delivered, making them "data controllers" under the General Data Protection Regulation. They are certainly data processors because they process personal information about owners and drivers of their cars. This could come to present legal peril for JLR and others.
Specialist IT solicitor Dai Davis has told El Reg that Jaguar Land Rover may run into GDPR regulatory issues over its role in the data held by connected cars and their resale. The same legal reasoning would apply to other car makers following the same practices.
It could be that the telematics service platform (TSP) providers are at minimum partially culpable. "The TSP providers behind it all haven't really figured out the problem properly," one leading security consultant told El Reg. TSP firms such as CloudCar (strategic partner to JLR in the development of cloud-based infotainment), Kuantic and Harman (the Samsung-owned infotainment and connected car partner of BMW) work with a variety of car makers.
El Reg asked CloudCar and Harman to comment on whether they might be doing more to resolve the present situation around the sale of connected cars. We'll update this story as and when we hear more.
At the suggestion of Volvo we also contacted the SMMT (The Society of Motor Manufacturers and Traders, a UK auto industry trade body) for comment. SMMT argued that although car makers have a responsibility for data processing, consumers also have a role to play by getting into the habit of removing their data and dissociating their smartphones when they sell on their connected cars.
Mike Hawes, SMMT chief executive, said: "Car manufacturers take privacy extremely seriously and customer consent underpins all personal data processing. While industry is committed to upholding a high level of customer data protection, including proportionate use of data, modern cars need to be treated the same as other connected devices.
"Owners should remove their digital information, and disable any associated online account, before selling a vehicle to another keeper. Personal data, including apps and paired mobile phones, can be removed from cars according to individual manufacturer instructions, giving peace of mind to motorists."
That approach may seem fair enough but it still throws up problems. For example, commenter "andymcp" reports getting test messages about a car he'd sold on even though he'd disassociated his mobile from the motor and uninstalled the app.
"Having been through the process of unlinking a car during a private sale (not JLR), even if the app has an 'end ownership' option, it also likely comes with an in-car registration that's entirely separate," he explained. "Hence you still get phone calls when the new owner sets the alarm off. Or reinstall the app after getting an alarm notification call to find it's been happily collecting data attributed to you for months. Or have a few buttons that offer you the chance to remote unlock, remote start, remotely activate the alarm, send destinations..."
Is it realistic to expect buyers of second-hand cars to know if the car has been connected? The response from the car industry has been to put the onus on the previous owner to delete data while minimising the role of auto manufacturers to come up with a well thought through process and for dealers to enforce it.
"When I buy a car, I want to be able to make sure MYSELF it is no longer accessible to previous owners, not rely on their goodwill or attention to detail," IT worker Mike Walters told El Reg, summarising the feelings of many drivers we've spoken to about the issue.