Selling or renting a vehicle? Be aware of the privacy risk in your infotainment systems

The infotainment systems in modern vehicles contain reams of data.

Most people understand the privacy risks when selling or disposing of a personal computer or cellphone. The same awareness, however, doesn’t seem to be translating to the vehicles we drive when it comes time to trade them in for a new model.

“I should perceive selling my car like I was selling my laptop,” says Mahesh Tripunitara, a professor of electrical and computer engineering at the University of Waterloo. “That is really the right way to do it, because that is what a car is.”

According to a 2019 study by McKinsey and Co., cars today can collect up to 25 gigabytes of data an hour. The information could include location, speed and other vehicle dynamics, or even what channels you listen to on SiriusXM radio. It’s all collected by the manufacturers and, depending on the vehicle’s in-car entertainment and navigation system, some of that information is shared with third parties.

Your car also collects personal information in other ways. If you sync your phone with your infotainment system, your contact list, texts, phone calls, photos and even internet passwords will live on in its memory. Your in-car GPS will record addresses and routes. And without proper steps taken, your personal data will be accessible to car thieves or, perhaps more innocuously, the next owners if and when you sell your vehicle.

Tripunitara says that there is a real danger in private information, such as addresses or credit card numbers, being used for nefarious purposes. And all because the owner forgot about it, didn’t know or just didn’t care.

“I think most people don’t realize how valuable their data is to somebody else,” he says. “If I told my neighbours that their cars have their home addresses, I suspect most of them wouldn’t care.”

The potential risks were showcased earlier this year in April, when a hacker was able to purchase used Tesla infotainment systems on eBay and obtain sensitive data on their former owners. According to reports, the systems contained home and work locations, saved WiFi passwords, phone-calendar entries and even full call lists from previously paired phones. Tesla is not the only automaker facing these problems.

Bob Elder, the chief executive officer of Teel Technologies Canada, sees this firsthand. Teel is a digital-forensics company that specializes in recovering data from devices for law enforcement or insurance purposes.

“Our company gets these infotainment systems off of eBay or other sources like recyclers, for training purposes,” he says. “And during our research and training, we’re able to see data from multiple cellphones, multiple sources, because they’re not being wiped before they’re sent to a junkyard.”

Infotainment systems have a built-in way to “erase” their memories, which resets them to factory settings and makes them work as if new. How to do this can be found in your user’s manual. But this simply deletes the path, or directory, to the data, which remain on the drive. Home computers can use software to overwrite the data, but that extra precautionary step is not available for cars.

“For layman use, [a reset is] good enough. If you’re really concerned, and you’re worried that someone would have access to the memory, companies like ourselves can do advanced processes to gain access to these … But we’d have to be goal-orientated to go to that level,” Elder says, adding that someone would have to be highly motivated and knowledgeable to do the work necessary to access the data.

A better idea, according to the U.S. Federal Trade Commission, is to also go through the unit’s features manually, such as deleting your contacts list, cancelling or transferring subscription services such as SiriusXM, changing or cancelling your garage-door opener codes if you have them, and even deleting all music or videos yourself. An app called Privacy4Cars can take you step-by-step through the data-deletion process of any modern vehicle.

“If the owner’s cellphone has been synced to the car’s infotainment system, it would be a good idea to destroy any data transferred to the car before selling or disposing of the vehicle,” Elder says.

This problem doesn’t just pertain to your own vehicle, either. Many people oblivious to the threat will think nothing of syncing their phones with a rental car, which can have far greater consequences, considering the number of unknown people who will get in that same car later.

“For the most part, if you’re renting a car and using the GPS, you’ve got nothing to worry about,” Elder says. “If you’re going to McDonald’s or to a hotel, no one knows who you are. It’s when you’re syncing your phone that it gets more personal. You’re exposing your own personal information and other people’s, because your contacts get thrown over, so now you’re exposing all your contacts.”

Tipunitara also places some of the blame on tech companies, the public’s lax attitude toward privacy, and car companies that offer more and more tech-reliant features without sufficient regard to protecting people’s personal data.

He points to the likes of YouTube and Twitter. While they have recently begun policing what appears on their sites, they have in the past avoided that responsibility by referring to themselves as “infrastructure providers, not content providers.”

Ultimately, in the case of your vehicle and its collected information, especially when it comes to the infotainment unit, it’s up to the owner or renter to protect themselves.

“A car maker sells cars; content is not their game,” he says. “It’s not seen as a computer, and they’re not telling you to upload your [personal] data. That’s your problem.”


Author: Neil Vorano