Connected Car Data Handover Headache: There's No Quick Fix... and It's NOT Just Land Rovers
Who has the keys to your car?
The perils of previous owners retaining unfettered access to the data and controls of connected cars after resale is a wider problem across the industry, The Register has discovered.
We have confirmed that BMW, Mercedes-Benz and Nissan may all have much the same issue as Jaguar Land Rover, the focus of our recent article on the topic.
Reg reader Howard B told us that BMW showed indifference when he pointed out that he was still connected to one of its vehicles even after he sold it on.
"I was still able to unlock and lock a previous vehicle I had owned, flash the lights, start the ventilation, etc, and see where the car was parked," Howard told us. "Dealers should be making sure that the car is registered to a connected app account in their name so that the vehicle is no longer on a private individuals account."
Howard B said he was able to access this data for "at least" six months after the vehicle was sold on, and noted that if he'd been of a dishonest nature he could have used the information for dastardly means.
The car is now connected to another person's drive account but Howard said when he raised the concerns with BMW Connected services and the dealership, "they weren't interested".
In response to an El Reg query, BMW offered an explanation of its connected car procedures. Drivers selling on internet-enabled BMWs should disconnect themselves from the car before a sale. This will happen anyway once the new owner hooks up to with a BMW account, the car maker said.
The customer need[s] to delete the mapped profile online at the ConnectedDrive account. Customers can delete the mapping via the Head-Unit and get a notification to delete the data online at the ConnectedDrive account as well.
Once a customer connects the car with a new ConnectedDrive account, all previous connections will be deleted.
New BMW owners are in a better position than newly minted Jaguar Land Rover owners, who are unable to evict the previous owners from access to the data and controls of connected cars simply by connecting themselves. Unlike BMW's situation, dealer action is needed in the case of JLR. Our tipster is nonetheless dissatisfied with BMW's approach.
"The vehicle is deleted from a previous owner's connected drive account when a new owner adds the vehicle to their account, but if that new owner is not a technology type of person or does not know about apps then it will stay on the previous owners account," Howard pointed out.
He added that BMW's approach relies on everyone following the car maker's guidelines, a common criticism among several drivers we've spoken to about the topic.
Beep Mercs the spot...
Owners of other brands of connected car are also affected by much the same issue. Chris Rogers, a US-based hacker and transportation security expert, told The Reg it took a call to Mercedes-Benz to remove the previous owner's info from a recently acquired second-hand S550.
We've also heard of someone who sold his previous car through a main dealer in the Netherlands more than a year ago but still has remote control over it, as previously reported.
Our initial article prompted further examples from Reg commenters.
"HWwiz" told us the JLR issue also affected newer Mercedes from approximately 2014 onward.
"If the last owner does not log in online and remove the car from their Mercedes Me account, then they can continue to remotely monitor the car, lock / unlock doors, etc," our contact said.
"Non-Mercedes dealers have no control over this, whereas main dealers can terminate the accounts during re-sale."
In a statement, MB placed the onus on previous owners to un-register themselves when connected cars are re-sold.
Since Mercedes-Benz is not always aware that the vehicle is sold we cannot proactively deregister the vehicle from the Mercedes me account. The new owner always has the ability to visit an official Mercedes-Benz dealership to have the vehicle deregistered and registered to his own account.
The issue of who controls the data on connected cars is a topic that also affects drivers of mainstream motors as well as luxury brands. Volvo, Nissan and possibly other brands such as Renault also seem to be affected.
Reg commenter "clhking" told us: "Our Volvo bought from a Volvo dealership was not unbound. But the subscription to Volvo On Call [had] expired. So the previous owner would have had to pay to retain access to our car. When I called to activate our account the VIN (vehicle identification number) was still bound to the previous owner."
The Register asked Volvo if it had anything to say about the implied criticism that its procedure for selling on connected cars fails to block access to sensitive information and controls from previous owners. The car maker, which offered to help our reader, said that app unbinding was part of its resale process.
The comprehensive process covered under the Volvo Selekt approved used car programme does include a check that the previous owner has deactivated their links to the car.
UK infosec researcher Scott Helme told El Reg that he could access his Nissan Leaf connected car "for months" after he sold it on.
It's like selling your phone
Used connected cars need disconnecting, as UK government cyber assurance agency NCSC pointed out after our initial report. Consumers have got used to the idea of factory resetting their smartphone before selling it on. Cleaning out a car before resale is a well-understood practice but this applies only to the contents of a glove box and not to the data a connected car holds, which can include sensitive travel movements, other information and more.
"Users are also familiar with the concept of a phone having and storing personal data [but] not with a car," Helme told El Reg.
Other security researchers we've spoken to faulted car makers for failing to think the issue through when they rolled out the technology. The problem is not as simple as it might appear. One solution, such as having a button inside held for 10 seconds to disassociate the old owner from the system, for example, could inadvertently help car thieves.
One Reg reader, "macjules", said Tesla had come up with an example others might want to follow. "All they need is a functionality similar to Tesla. Go to Backup and Reset and select Factory Data Reset. Car is completely reset and new user can register."
El Reg attempted to confirm with Tesla that this was how its system worked but we've yet to hear back. Security consultants with experience in connected cars expressed interest in the approach without endorsing it.
Although most respondents were critical of car makers in general, one reader countered that calls for automated connected car disassociation-on-sale functionality were unfair to car makers such as JLR.
"LeeE" said: "This is an unreasonable demand to make of JLR because any such automatic bullet-proof method would be dependent upon a similarly bullet-proof system/process whereby JLR is informed of the sale of any of their vehicles, including private sales."
In general, problems arise when the seller of the vehicle fails to un-register their old account/vehicle association when they sell it. The situation is further complicated by the fact that it may not be the most recent seller but someone a few owners back that needs to have their access curtailed.
"It is the responsibility of the previous customer to disconnect and owners of cars with this tech will need to get used to checking their purchase has indeed been disconnected," as one anonymous (coward) comment put it.
Car makers typically run the apps and manage the servers through which connected car services are delivered, making them "data controllers" under the General Data Protection Regulation. They are certainly data processors because they process personal information about owners and drivers of their cars. This could come to present legal peril for JLR and others.
Specialist IT solicitor Dai Davis has told El Reg that Jaguar Land Rover may run into GDPR regulatory issues over its role in the data held by connected cars and their resale. The same legal reasoning would apply to other car makers following the same practices.
It could be that the telematics service platform (TSP) providers are at minimum partially culpable. "The TSP providers behind it all haven't really figured out the problem properly," one leading security consultant told El Reg. TSP firms such as CloudCar (strategic partner to JLR in the development of cloud-based infotainment), Kuantic and Harman (the Samsung-owned infotainment and connected car partner of BMW) work with a variety of car makers.
El Reg asked CloudCar and Harman to comment on whether they might be doing more to resolve the present situation around the sale of connected cars. We'll update this story as and when we hear more.
At the suggestion of Volvo we also contacted the SMMT (The Society of Motor Manufacturers and Traders, a UK auto industry trade body) for comment. SMMT argued that although car makers have a responsibility for data processing, consumers also have a role to play by getting into the habit of removing their data and dissociating their smartphones when they sell on their connected cars.
Mike Hawes, SMMT chief executive, said: "Car manufacturers take privacy extremely seriously and customer consent underpins all personal data processing. While industry is committed to upholding a high level of customer data protection, including proportionate use of data, modern cars need to be treated the same as other connected devices.
"Owners should remove their digital information, and disable any associated online account, before selling a vehicle to another keeper. Personal data, including apps and paired mobile phones, can be removed from cars according to individual manufacturer instructions, giving peace of mind to motorists."
That approach may seem fair enough but it still throws up problems. For example, commenter "andymcp" reports getting test messages about a car he'd sold on even though he'd disassociated his mobile from the motor and uninstalled the app.
"Having been through the process of unlinking a car during a private sale (not JLR), even if the app has an 'end ownership' option, it also likely comes with an in-car registration that's entirely separate," he explained. "Hence you still get phone calls when the new owner sets the alarm off. Or reinstall the app after getting an alarm notification call to find it's been happily collecting data attributed to you for months. Or have a few buttons that offer you the chance to remote unlock, remote start, remotely activate the alarm, send destinations..."
Is it realistic to expect buyers of second-hand cars to know if the car has been connected? The response from the car industry has been to put the onus on the previous owner to delete data while minimising the role of auto manufacturers to come up with a well thought through process and for dealers to enforce it.
"When I buy a car, I want to be able to make sure MYSELF it is no longer accessible to previous owners, not rely on their goodwill or attention to detail," IT worker Mike Walters told El Reg, summarising the feelings of many drivers we've spoken to about the issue.
- Information Security Risk Consultant, HMG, Public sector
A Public Sector Information Security Risk Consultant is needed for a long term project in the Yorkshire area. This is a Security consultancy role so travel to other client site locations across the country will be expected. The Public Sector Information Security Risk Consultant MUST have current security clearance and ideally have a breath of information and technology security experience. Broad knowledge across IT transformation, Cloud is also key. Public Sector Information Security Risk Consultant should be versed in working within the public sector HMG environments and be experienced in conducting security risk assessments on sizable IT systems. Broad experience across GRC, ISO27001, NIST is key. Career progression, personal development and excellent training provided. All details kept in the strictest of confidence Salary: £55,000 Location: Yorkshire Ref: GM7720 (Cyber Security Jobs, Information Security Jobs, IT Security Jobs, Cyber Security Jobs in Yorkshire)
- Greenfield opportunity SOC / Threat Hunting Services Lead
- £85,000+ Base
Exclusive Greenfield opportunity to DCL Search & Selection. We are looking for an experienced SOC / Threat Hunting Services Lead to build a NEW Security Operation Centre (SOC) / Threat hunting service within an existing security consultancy. This is a brand new service offering for the client. The successful SOC / Threat Hunting Services Lead must, therefore, have previous experience in building a SOC / Threat hunting (IR) service from the beginning. Everything including, but not limited to; selection of the systems, platforms, kitting out the physical office space. Customisation, setting the policies, playbooks, go to market collateral, recruitment (through DCL obviously) establish processes, management of the team, service delivery, refinement, development etc. Essentially the end to end creation of the capability and then the day to day management and expansion of the service. An in-depth technical background is essential, experience across SOC SIEM/ Threat Hunting (IR) tools, processes, techniques, operational etc The goal is to create, spin up and deliver a SOC/threat hunting (IR) offering to clients ASAP in 2020. Investment and board sign off approved. Apply today for more information or contact me directly on Chris.Holt@dclsearch.com or 07884666351. Candidates must be UK based and commutable to Bracknell. Sponsorship can not be provided to Non-EU Candidates. Ref CH7713 £85,000+ Base
- IT Managed Services Account Director
- Up to £80,000 + Double OTE
IT Managed Services Account Director We are currently working with a growing multi managed service provider who specialises in Cloud & Connectivity services who are currently looking for an IT Managed Services Account Director in London. The IT Managed Services Account Director will be responsible for selling (Increase revenue, develop pipeline etc.) into our client’s current enterprise customers selling public cloud solutions. The IT Managed Services Account Director should have Current experience selling public cloud solutions (preferably Microsoft Azure) into enterprise customers. Currently working for an IT managed services business Commutable to London, Home working is available (Non-EU candidates are not able to be sponsored). Consistent tenure in current and previous positions. Ref BD7703 Salary: Up to £80,000 + Double OTE (Cloud Jobs, Cloud Computing Jobs, Cloud Sales Jobs, Azure Jobs)
- Service Delivery Lead (Data Centre)
- Up to £60,000 Base
A State of the Art Data Centre business are looking for a Service Delivery Lead-in Wiltshire. The Service Delivery Lead will be responsible for maintaining and improving current services to our client's customers. The Service Delivery Lead will also be responsible for a service desk team (reviews, hiring, training etc.) Other responsibilities include: Acting as a senior point of escalation for any customer incidents making sure these are raised quickly and efficiently Root cause analysis Maintain and improve ITIL disciplines Experience required ITIL v3 Certified Current experience within a Data Centre / Data Center Environment Current experience within a Senior Service Desk role. Candidates must be UK based. Sponsorship is not available for Non-EU candidates. Ref BD7701 Up to £60,000 Base (Data Centre Jobs, Data Center Jobs, Service Delivery Jobs)