Would you like to buy an unlocked smartphone full of personal information?
Recently, I had the chance to see a presentation by privacy and cybersecurity advocate Andrea Amico, who specializes in information security (infosec) as it relates to automobiles. The presentation stuck with me—Andrea is a great presenter and an enthusiastic expert in the field— but that was not the reason it was so memorable. His presentation struck me as the tip of the iceberg of a subject that I don’t think is top of mind with enough consumers or professionals in the business of automotive sales and remarketing. Hopefully, this column will help get the word out on what I see as an issue that is likely to become increasingly important in the years ahead: infosec for vehicles.
Your car is a very personal item. It’s a faithful companion as we navigate our way each day through the world. As a result, cars know a great deal about the people who drive them. If you have ever connected your mobile device to your vehicle via Bluetooth, your car may know addresses of places you have visited, the phone numbers you have dialed, the text messages you have received, where you live and your garage door code.
Alarming? It should be. That’s a lot of personally identifiable information (PII) to potentially freely pass along to the next person who owns that car. Today, in many cases that is precisely what’s happening. Modern cars’ infotainment systems are just like smartphones, but when it comes to changing hands, they are often not treated the same way.
All this potentially sensitive information exists inside the infotainment systems and will often stay there unless someone makes an active effort to remove it before changing owners. If you were getting ready to sell an old smartphone or recycle it as a gift to a family member, most likely you are going to delete any personal information off the phone or perform a “factory reset” to wipe the phone clean before handing it to the next person.
Do you do the same when you sell your car? Amico knows that many of us don’t! “Vehicles are the largest IoT devices that most consumers will ever own, and yet most consumers remain unaware that once they connect their smartphone to their vehicle’s infotainment system they may be sharing with the vehicle—and potentially all of its future owners—the personal information they would try so hard to erase if they were to return an old smartphone to a mobile telecom store,” he said.
Some who are technically savvy may be thinking, yes that information is there, but it’s only accessible when my phone is connected, so it’s a non-issue. Well, that is not the case. In Amico’s presentation he discussed that earlier this year while researching for the development of his Privacy4Cars app, he discovered an alarming vulnerability in the Bluetooth protocols adopted by many infotainment systems. The vehicle hack exploits infotainment systems of several vehicle manufacturers via the Bluetooth protocol to expose the stored personal information of the previous vehicle users. The attack can be performed in a few minutes using inexpensive and readily available hardware and software and does not require significant technical knowledge.
Examples he provided during his presentation were quite chilling. Amico showed a video where, car after car after car, he could get around the Bluetooth security and gain access to stored contacts, call logs, text logs, and in some cases even full text messages without the vehicle’s owner/user being aware. He did all this without the user’s mobile device connected to the system.
In one example, he was able to determine where the principal driver lived and worked, who they were, where their kids went to school and playdates, and that they were getting medical treatments at a specific facility. “When an individual leaves PII behind in a vehicle’s infotainment system they are potentially exposing information that, when pieced together, could be quite dangerous if it were to fall into the wrong person’s hands,” he added.
The automotive professionals reading this can ask themselves if their organizations have a responsibility to help protect consumers from disclosure of personal information. Whose responsibility is it to remove this information? Should you be “wiping” cars that are passing through your hands? Should you be deleting the electronic PII as a buyer or as a seller or when handing a lease end return or a total loss vehicle?
The Canadian Privacy commissioner was already very critical of Staples not wiping customer data off of used computers over ten years ago. So in my layman’s opinion (I’m not a lawyer) not erasing a client’s data from a car being resold could lead to similar criticism, bad publicity for your organization and potential penalties from regulators.
There are resources to help with the wiping process, making it very easy. Of course, the owner’s manual of most vehicles can help point you in the direction of how to unpair phones and reset systems. If you are dealing with high volumes of vehicles and many models, there is an app available for smartphones called Privacy4Cars, created by Amico, which walks you through the process of deleting sensitive data from hundreds of different makes and models.
The app is free for consumers to use, but there is a fee for businesses. Consider protecting yourself from your personally identifiable information being misused, and protect your business from the possible legal consequences of not offering the same protection to your customers. More information on this subject can be found at Privacy4cars.com.