Charles Henderson found he still had smartphone access to his old car even though he’d sold it
Charles Henderson loved his “awesome” convertible, particularly the fact that he could start, lock and unlock it remotely via his mobile phone. But after he sold the vehicle, he was astonished to discover that he could still control it using the associated smartphone app.
“I could have found out where the car was, unlocked it remotely, started it and driven off with it,” he tells the BBC.
Mr Henderson, from Austin, Texas, is global head of X-Force Red, IBM’s offensive security group, so he knows a thing or two about security. He tests companies’ defences, both physical and digital.
So before selling his car back to the dealer he was sure to carry out a factory reset and wipe any personal data from the car’s onboard computer. He didn’t want the new owner getting access to his calendar, contacts and phone records.
He then bought a new connected car made by the same manufacturer and was amazed when his old car still appeared alongside his new car on the app. “These IoT [internet of things] devices are really smart but they’re not smart enough to know that you’ve sold them,” he says.
“I informed the car dealership but they didn’t know how to handle this. So we went to the car manufacturer and it took a while before they took it seriously. They found it really difficult to cut off access.”
The issue of personal data being left behind in devices we rent or own poses a serious risk – hackers could get access to it and use it for blackmail purposes or to steal our money using cloned identities.
“When they rent a car, many drivers sync their phones to the onboard Bluetooth without thinking that the data will stay in the car’s computer. And they won’t even think about clearing it before handing it back,” says Mr Henderson.
“Yet they could be revealing sensitive corporate or private data unwittingly.”
Richard Stiennon is chief strategy officer for Blancco Technology Group, a company that specialises in data erasure. He admits that deleting this data is easier said than done.
“Simply going into a car’s settings and deleting your phone from the list of previously paired Bluetooth devices does not guarantee that this will overwrite the data on the car’s storage device,” Mr Stiennon says.
“It will only prevent casual hackers like the next renter from seeing it. A better option is to overwrite all user data or perform a factory reset – if the vehicle allows it – to ensure the data is 100% erased and cannot be recovered.”
It’s also possible that an infected car could pass on the infection to your phone.
So the next time you hire a connected car it might be worth asking the rental provider what data removal options they provide and whether they can give you written proof that your personal data has been successfully and totally erased.
But how do we know consumers don’t seem that bothered simply because they don’t yet understand the implications?
“What happens when you get ransomware on your car and you can’t drive to work that day?” warns Mr Henderson.