A survey found that nearly four-fifths of drivers had failed to remove their data from their vehicles before selling them.
In a study involving over 14,000 drivers who had sold their car in the past two years, testing and review provider Which? found that more than half (54%) of respondents had synced their phone to their car via Bluetooth or a USB cable.
Pairing their phone with their car enabled drivers to take their music on the road, receive traffic information while in the car and/or make calls via Bluetooth.
The problem is that many of these drivers didn’t take the necessary precautions to protect themselves when it came time to sell their vehicles.
Of the drivers who originally synced their phones, about half (51%) failed to decouple their phones from their cars before they sold them. Slightly less than that (31%) took no action to remove their shared personal information.
Overall, 79% of drivers didn’t follow their vehicle’s manual to remove their information and return the car to its factory settings. This made it possible for future owners of the car to view previous owners’ stored GPS locations, personal messages and contacts, among other data.
I recently spoke to The Scotsman about how these findings constituted a worrying trend for drivers’ personal digital security. Specifically, I said the following:
“When selling a car, we’re usually quick to remove our possessions – whether that’s CDs, a roof rack, or personalised seat covers. However, many of us are failing to remove our more ‘invisible’ possessions, and with cars becoming increasingly connected, they are swiftly becoming a hotbed for potentially lucrative sensitive data, including addresses, recent calls, and birthdays.”
Cars are increasingly becoming connected. As reported by Daily Mail, comparison website uSwitch found that 67% of UK vehicles were synced to a smartphone, app and/or home hub. The site predicted that this rate would increase to an alarming 100% by 2026.
Connected cars don’t just pose a risk to previous owners, either.
In its survey, Which? found that one in eight drivers had downloaded an app for their vehicle while they still owned it. This app enabled them to track their car’s location, unlock the doors and/or manipulate the car’s engine.
When it came time to sell their car, however, just half of those who had downloaded a car-syncing app had deleted it from their smartphone. This made it possible for a previous owner to easily track the location of and/or interact with the vehicle even after they sold it.
Acknowledging these risks, I recommend car owners abide by three tips when selling their vehicles:
- Review the manual for how they can completely erase or delete their data from their car.
- Log out of any apps/accounts they might have connected to the vehicle and ensure that their information is no longer available via the car.
- Remove all CDs, USB sticks or other physical media devices that might contain their personal data from the vehicle before selling it.
Drivers can only do so much to safeguard whatever information they’ve connected to their vehicles. Harry Rose, editor of Which? Magazine, told Daily Mail that car manufacturers must also play a part:
“Manufacturers must do much more to prioritise customers’ personal privacy so that drivers fully understand how much data their vehicle could be harbouring and how to delete this information in order to eradicate these risks.”
They must specifically make an effort to understand how a connected car architecture should securely manage operating systems and data. As part of this process, they need to be sure that the complete supply chain is keeping the data security of a future driver in mind.
For that purpose, auto manufacturers should ensure that their connected cars are operating within secure frameworks that make it possible to deploy firmware updates remotely. They can also prevent device and cloud identities from being compromised by deploying an embedded Secure Element in conjunction with a trusted access management service solution and HSM technology.
Finally, the automotive industry should enforce the use of 2FA and public key infrastructure on all connected cars to further protect drivers’ data.
If these tips aren’t followed, malicious actors will have every opportunity to drive off with users’ personal data, leaving them in the dust.