The Privacy Threat in Your Used Car

Buying a used car with fancy digital features? The former owner may still have remote access—and the same goes for the connected hub in your new smart home, too.

Used Smart Cars Getty

When Charles Henderson traded in his beloved convertible four years ago, the dealer made sure to collect the car keys, but he couldn't take away Henderson's digital access.

A security expert at IBM, Henderson knew to protect his private data, so before he waved goodbye to the car, he deleted his personal information from the built-in digital systems that guided him home via GPS, opened his garage door, and dialed up the friends in his phone book. The dealership also double-checked to confirm that he had made many of these moves, he says.

But Henderson later noticed that his old car remained listed—next to his new vehicle—on the smartphone app he used to control it (his new car was from the same manufacturer as his previous one). If he wanted, he could still remotely unlock the doors, find the car's exact location, and control the heat and air conditioning. He figured his access eventually would be cut off, but years passed and nothing happened.

“If I was so inclined, I could have a lot of fun with the new owners of this car,” he said during a presentation at the RSA security conference in San Francisco in February.

Henderson, an expert in information technology security, will not reveal the exact make and model of his "post-2008" convertible. He says that the problem spreads well beyond that one automaker and that he and his team of IBM researchers have found three more vehicles from different manufacturers that have the same problem. That amounts to a “catastrophic failure,” he says.

This type of threat is not confined to just cars. It also might put at risk the millions of connected door locks, thermostats, lighting systems, and other "smart home" products installed in residences for sale in the U.S.

“There’s no software you can buy that wipes your car, and there’s no reset button anywhere in your house,” Henderson says. “And that’s a problem.”

Henderson's appearance in San Francisco was the latest stop in a storied career that has earned him speaking engagements worldwide. A 20-year veteran of IT security, he currently serves as global head of IBM's X-Force Red, which helps companies unearth vulnerabilities in computer networks, hardware, and software applications.

In recent years, the Internet of Things (IoT) apps that grant easy access and convenience have soared in popularity. Gartner, a technology research firm, projects that sales of consumer IoT items will reach 5.24 billion units this year, up from 3.96 billion in 2016. And a big chunk of that increase will come from auto-related products, with estimated 2017 sales of 833 million units.

The companies that make these products don't have much incentive to safeguard second- or even third-generation owners, Henderson adds, especially if they're not making any money from them. And yet, according to a recent CR Consumer Voices survey, 65 percent of Americans lack confidence that their personal information is private and safe from distribution without their knowledge.

In the past year, Consumer Reports has teamed with privacy and security experts to start developing a digital standard that can be applied to such products as they're being designed and evaluated. Among other things, it calls on companies to delete consumer data from their servers upon request, to protect users' private information with encryption, and to be completely transparent about how that info is shared with other companies.

For the moment, though, those are simply suggestions. Without buy-in from those in the IoT industry, consumers must fend for themselves.

According to a recent Consumer Reports survey,

65% of Americans lack confidence their personal info is secure.

Disconnecting the Connected Car

A factory reset is supposed to erase all personal data from a digital device, whether it's a phone, a laptop, or the digital system in a car, returning it to its original state. And when you buy a car, you might expect that the factory reset would break the connection between the vehicle, the former owner's account with the car, and the former owner's phone.

But that's not necessarily true. Henderson says this is a problem waiting to be solved. “Just like you clean out a car, steam clean the carpets, apply some air fresheners to give it that new car smell, we need to digitally clean out a car before it’s sold, too,” he argues.

Automakers have made changes. Since Henderson first noticed the problem on his app, some have at least limited vehicle geolocation to 1 mile, making it more difficult to locate an auto from a few states away.

In the 1990s, before cars had smartphone apps, General Motors created a digital service called OnStar that automatically summoned help in the event of a crash. In time, it expanded to include smartphone app features. Now a leading provider of such features, OnStar says its user agreement compels users to notify the company if they sell a vehicle. Once they do, they're no longer able to connect to the car through a mobile app.

If they fail to report the sale, in-vehicle messages will alert the new owner that someone else has access and advise them to contact OnStar to have the old connection terminated.

How does OnStar know there's a new owner? It regularly cross references used-car sales data from dealers and reputable third-party sources to make sure recently sold vehicles don't slip through the cracks.

Automotive dealers are aware of the problem Henderson raised, and they're pushing for solutions, says Brad Miller, director of legal affairs for the National Automobile Dealers Association. These fixes could involve new software in vehicles, granting dealers more access to carmakers' servers, or at least a robust consumer education program.

Once a vehicle is sold by the original owner, the relationship between the car and the manufacturer tends to end. It's often up to the dealer to manage access issues. But dealers have no real connection to the people who operate the data servers.

The NADA has joined with the Future of Privacy Forum, a nonprofit advocacy group, to create a consumer’s guide to connected-car technologies, which offers a checklist for those interested in selling vehicles. It includes tips for erasing phone books, clearing out built-in hard drives and navigation systems, and resetting garage door openers.

The checklist doesn't address the cloud-related problem Henderson uncovered, Miller says, but it’s a good starting point for consumers who are concerned about privacy, he said.

Are you concerned about digital privacy?

Check out Consumer Reports' new digital standard.

Not So 'Smart' Homes?

Connected cars are clearly not the only problem. Smart homes pose a similar risk, Henderson says. He pointed to the case of another IBM security researcher, who was shocked to find that the previous owner of a smart-home hub he'd purchased still had remote access to it—as well as any webcam, burglar alarm, or door lock that might be connected to the hub. (Many smart devices work by connecting wirelessly to a hub, which in turn connects to the internet and provides remote access.)

Simply performing a factory reset wasn't enough to resolve the problem. So Henderson's colleague called the hub's manufacturer for help. The company revoked the old owner's access—along with that of another unidentified device.

The diversity of smart-home technology, which includes everything from light switches to refrigerators, makes it tough for sellers to keep track of such items and for buyers to spot them when they move in. For instance, smart lightbulbs often look just like regular ones, and they will work whether or not you utilize their connected features, Henderson says.

And although much of a home’s tech may be connected to a hub such as an Amazon Echo or Apple HomeKit system, other smart products may be incompatible and, as a result, go unnoticed.

Until recently, it has been up to homebuyers to do the detective work and find out which IoT items may reside in their new domiciles. But with more preowned smart homes hitting the market, real estate agents are ramping up efforts to educate consumers about potential privacy hazards.

Chad Curry, who heads the National Association of Realtors’ technology center, says the focus needs to be on buyer education until someone comes up with a tech-related fix such as an app or computer software that can reset all of a home’s smart devices at once.

“As more and more of these homes come on the market, it’s going to get more and more complex,” he says.

In the meantime, the Realtor group created a Field Guide to Smart Homes, in part to educate homebuyers about security concerns, though it doesn't cover what to do if you're buying a home that is already filled with connected devices. According to Curry, the Online Trust Alliance’s Consumer IoT Security & Privacy Checklist is another good resource for consumers.

Buyer Beware

Despite reaching out to the maker of his beloved convertible through a back-channel process researchers use to disclose security vulnerabilities, Henderson still has mobile app access to the vehicle—four years after relinquishing ownership.

He lives in Texas. When he last checked, the car was in New York.

He could delete it from the app, but he's holding off to see whether the automaker eventually addresses the problem.

He says a set of consumer-protection standards, whether from the government or industry, is sorely needed to address the problem—or even just some simple, voluntary fixes from industry.

For connected autos, a video tutorial showing how to perform a factory reset could be helpful, he says. In the case of smart homes, sellers could be required to give buyers a list of connected devices. Or maybe that sort of inquiry can be part of the home inspection process.

“If you have a home inspector look for termites," Henderson says, "why can’t they look for Internet of Things devices, too?”

Bree Fowler

Bree Fowler

I write about all things "cyber" and your right to privacy. Before joining Consumer Reports, I spent 16 years reporting for The Associated Press. What I enjoy: cooking and learning to code with my kids. I've lived in the Bronx for more than a decade, but as a proud Michigan native, I will always be a die-hard Detroit Tigers fan no matter how much my family and I get harassed at Yankee Stadium. Follow me on Twitter (@BreeJFowler).