Connected Car Data Handover Headache: There's No Quick Fix... and It's NOT Just Land Rovers
Who has the keys to your car?
The perils of previous owners retaining unfettered access to the data and controls of connected cars after resale is a wider problem across the industry, The Register has discovered.
We have confirmed that BMW, Mercedes-Benz and Nissan may all have much the same issue as Jaguar Land Rover, the focus of our recent article on the topic.
Reg reader Howard B told us that BMW showed indifference when he pointed out that he was still connected to one of its vehicles even after he sold it on.
"I was still able to unlock and lock a previous vehicle I had owned, flash the lights, start the ventilation, etc, and see where the car was parked," Howard told us. "Dealers should be making sure that the car is registered to a connected app account in their name so that the vehicle is no longer on a private individuals account."
Howard B said he was able to access this data for "at least" six months after the vehicle was sold on, and noted that if he'd been of a dishonest nature he could have used the information for dastardly means.
The car is now connected to another person's drive account but Howard said when he raised the concerns with BMW Connected services and the dealership, "they weren't interested".
In response to an El Reg query, BMW offered an explanation of its connected car procedures. Drivers selling on internet-enabled BMWs should disconnect themselves from the car before a sale. This will happen anyway once the new owner hooks up to with a BMW account, the car maker said.
The customer need[s] to delete the mapped profile online at the ConnectedDrive account. Customers can delete the mapping via the Head-Unit and get a notification to delete the data online at the ConnectedDrive account as well.
Once a customer connects the car with a new ConnectedDrive account, all previous connections will be deleted.
New BMW owners are in a better position than newly minted Jaguar Land Rover owners, who are unable to evict the previous owners from access to the data and controls of connected cars simply by connecting themselves. Unlike BMW's situation, dealer action is needed in the case of JLR. Our tipster is nonetheless dissatisfied with BMW's approach.
"The vehicle is deleted from a previous owner's connected drive account when a new owner adds the vehicle to their account, but if that new owner is not a technology type of person or does not know about apps then it will stay on the previous owners account," Howard pointed out.
He added that BMW's approach relies on everyone following the car maker's guidelines, a common criticism among several drivers we've spoken to about the topic.
Beep Mercs the spot...
Owners of other brands of connected car are also affected by much the same issue. Chris Rogers, a US-based hacker and transportation security expert, told The Reg it took a call to Mercedes-Benz to remove the previous owner's info from a recently acquired second-hand S550.
We've also heard of someone who sold his previous car through a main dealer in the Netherlands more than a year ago but still has remote control over it, as previously reported.
Our initial article prompted further examples from Reg commenters.
"HWwiz" told us the JLR issue also affected newer Mercedes from approximately 2014 onward.
"If the last owner does not log in online and remove the car from their Mercedes Me account, then they can continue to remotely monitor the car, lock / unlock doors, etc," our contact said.
"Non-Mercedes dealers have no control over this, whereas main dealers can terminate the accounts during re-sale."
In a statement, MB placed the onus on previous owners to un-register themselves when connected cars are re-sold.
Since Mercedes-Benz is not always aware that the vehicle is sold we cannot proactively deregister the vehicle from the Mercedes me account. The new owner always has the ability to visit an official Mercedes-Benz dealership to have the vehicle deregistered and registered to his own account.
The issue of who controls the data on connected cars is a topic that also affects drivers of mainstream motors as well as luxury brands. Volvo, Nissan and possibly other brands such as Renault also seem to be affected.
Reg commenter "clhking" told us: "Our Volvo bought from a Volvo dealership was not unbound. But the subscription to Volvo On Call [had] expired. So the previous owner would have had to pay to retain access to our car. When I called to activate our account the VIN (vehicle identification number) was still bound to the previous owner."
The Register asked Volvo if it had anything to say about the implied criticism that its procedure for selling on connected cars fails to block access to sensitive information and controls from previous owners. The car maker, which offered to help our reader, said that app unbinding was part of its resale process.
The comprehensive process covered under the Volvo Selekt approved used car programme does include a check that the previous owner has deactivated their links to the car.
UK infosec researcher Scott Helme told El Reg that he could access his Nissan Leaf connected car "for months" after he sold it on.
It's like selling your phone
Used connected cars need disconnecting, as UK government cyber assurance agency NCSC pointed out after our initial report. Consumers have got used to the idea of factory resetting their smartphone before selling it on. Cleaning out a car before resale is a well-understood practice but this applies only to the contents of a glove box and not to the data a connected car holds, which can include sensitive travel movements, other information and more.
"Users are also familiar with the concept of a phone having and storing personal data [but] not with a car," Helme told El Reg.
Other security researchers we've spoken to faulted car makers for failing to think the issue through when they rolled out the technology. The problem is not as simple as it might appear. One solution, such as having a button inside held for 10 seconds to disassociate the old owner from the system, for example, could inadvertently help car thieves.
One Reg reader, "macjules", said Tesla had come up with an example others might want to follow. "All they need is a functionality similar to Tesla. Go to Backup and Reset and select Factory Data Reset. Car is completely reset and new user can register."
El Reg attempted to confirm with Tesla that this was how its system worked but we've yet to hear back. Security consultants with experience in connected cars expressed interest in the approach without endorsing it.
Although most respondents were critical of car makers in general, one reader countered that calls for automated connected car disassociation-on-sale functionality were unfair to car makers such as JLR.
"LeeE" said: "This is an unreasonable demand to make of JLR because any such automatic bullet-proof method would be dependent upon a similarly bullet-proof system/process whereby JLR is informed of the sale of any of their vehicles, including private sales."
In general, problems arise when the seller of the vehicle fails to un-register their old account/vehicle association when they sell it. The situation is further complicated by the fact that it may not be the most recent seller but someone a few owners back that needs to have their access curtailed.
"It is the responsibility of the previous customer to disconnect and owners of cars with this tech will need to get used to checking their purchase has indeed been disconnected," as one anonymous (coward) comment put it.
Car makers typically run the apps and manage the servers through which connected car services are delivered, making them "data controllers" under the General Data Protection Regulation. They are certainly data processors because they process personal information about owners and drivers of their cars. This could come to present legal peril for JLR and others.
Specialist IT solicitor Dai Davis has told El Reg that Jaguar Land Rover may run into GDPR regulatory issues over its role in the data held by connected cars and their resale. The same legal reasoning would apply to other car makers following the same practices.
It could be that the telematics service platform (TSP) providers are at minimum partially culpable. "The TSP providers behind it all haven't really figured out the problem properly," one leading security consultant told El Reg. TSP firms such as CloudCar (strategic partner to JLR in the development of cloud-based infotainment), Kuantic and Harman (the Samsung-owned infotainment and connected car partner of BMW) work with a variety of car makers.
El Reg asked CloudCar and Harman to comment on whether they might be doing more to resolve the present situation around the sale of connected cars. We'll update this story as and when we hear more.
At the suggestion of Volvo we also contacted the SMMT (The Society of Motor Manufacturers and Traders, a UK auto industry trade body) for comment. SMMT argued that although car makers have a responsibility for data processing, consumers also have a role to play by getting into the habit of removing their data and dissociating their smartphones when they sell on their connected cars.
Mike Hawes, SMMT chief executive, said: "Car manufacturers take privacy extremely seriously and customer consent underpins all personal data processing. While industry is committed to upholding a high level of customer data protection, including proportionate use of data, modern cars need to be treated the same as other connected devices.
"Owners should remove their digital information, and disable any associated online account, before selling a vehicle to another keeper. Personal data, including apps and paired mobile phones, can be removed from cars according to individual manufacturer instructions, giving peace of mind to motorists."
That approach may seem fair enough but it still throws up problems. For example, commenter "andymcp" reports getting test messages about a car he'd sold on even though he'd disassociated his mobile from the motor and uninstalled the app.
"Having been through the process of unlinking a car during a private sale (not JLR), even if the app has an 'end ownership' option, it also likely comes with an in-car registration that's entirely separate," he explained. "Hence you still get phone calls when the new owner sets the alarm off. Or reinstall the app after getting an alarm notification call to find it's been happily collecting data attributed to you for months. Or have a few buttons that offer you the chance to remote unlock, remote start, remotely activate the alarm, send destinations..."
Is it realistic to expect buyers of second-hand cars to know if the car has been connected? The response from the car industry has been to put the onus on the previous owner to delete data while minimising the role of auto manufacturers to come up with a well thought through process and for dealers to enforce it.
"When I buy a car, I want to be able to make sure MYSELF it is no longer accessible to previous owners, not rely on their goodwill or attention to detail," IT worker Mike Walters told El Reg, summarising the feelings of many drivers we've spoken to about the issue.
- Cloud Network Engineer
- Up to £35,000 Base + Bonus + Possible Share Options
One of our clients, an exciting UK based start-up is on the lookout for a Cloud Network Engineer in Yorkshire. The Cloud Network Engineer will need current CCNA / CCNP level networking experience (Cisco, BGP, IP etc.), cloud networking understanding (Azure, AWS etc.) and current experience ideally within a client facing / consultancy role. (Cloud Engineer, Network Engineer, Azure, AWS, Amazon Web Services) Reference Number: PG7477
- Senior Service Desk Analyst
- Up to £32,000 Base + £6,400 Shift Allowance
We are currently working on behalf of an IT Service Provider based in Wiltshire who are on the lookout for a Senior Service Desk Analyst. The Senior Service Desk Analyst will be responsible for logging, managing and escalating internal & external incidents and requests. This is an excellent opportunity to join a business recognised for what they do and work with a number of top UK businesses. You’ll be able to manage your career development and gain additional training e.g. certifications etc. This role will include a shift (4 days on then 4 days off) which covers 24/7 12 hour shifts The ideal candidate will be currently working in a IT service desk / IT support role ideally in an IT Services business. Reference Number: PG7476 (Service Desk Administrator, Analyst, Support, Service Desk Support, shift work, traning, Information Technology, Customer service, Customer support)
- Data Centre Service Delivery Manager
- Up to £50,000 + Package
A Data Centre Service Delivery Manager is needed to join a specialist connectivity provider in Hertfordshire. The company is going through a huge growth programme and this is an excellent opening for someone to join a business who are working with globally recognised organisations. You’ll be responsible for: Supporting the Commercial Director with management of existing and potential customers being the main point of contact. Maintaining and improving the company’s current and new services Customer relationship management Attending customer meetings in order to provide guidance to customers Keeping up a high quality level of service Updating appropriate documentation such as policy and procedures and making sure these are in place and followed Change and Incident management Service Level Agreements Experience required Must have current experience working in a Data centre environment in a Service Delivery role. An understanding of Data Centre technology and terminology. Experience of dealing with people of all levels within a business (Engineers to Board level) In return you'll have the ability to work in a cutting edge environment and work with a variety of well known international clients REF: PG7475
- Data Centre Account Director
- Up to £80.000 base with uncapped commission
Our client is looking for a Data Centre Account Director, the goal of this position is to be a trusted partner / primary point of contact and to achieve sales and margin expectations. You will also be growing new business and long-term growth across data centre services, Building good customer relationship at all levels for revenue growth and customer retention Working with presales specialists to propose relevant and cost effective data centre solutions for customers Understanding and identifying customers’ needs Leading bids, RFPs and proposals submissions Driving new business 60% of your time to new hyperscalers or enteprise customers. The ideal candidate should possess 5 years’ experience in selling Data Centre services. Self-driven, energetic, resourceful, creative and good account management skills and new business skills Ability to build good customer relationship at all levels, Be able to work independently. Reference Number: BD7467 (Data Centre, Data Center, Data Centre Sales, Data Center Sales)