Used cars offer cost savings over their new counterparts and often let you get behind the wheel of something you otherwise couldn’t afford. There are warranties to give you peace of mind about buying what someone else cast aside, but now there’s something new to worry about when you buy used. The old owner may still be able to access your car through its technology.
Our cars are now mobile computers with infotainment systems that keep us connected at all times. They know our favorite apps, access our email, and even have all our smartphone contacts downloaded and ready for calls. There are also mobile apps that allow access to your car so you can do things like lock and unlock the doors, use remote start, and set the horn honking so you can find your car in a crowded parking lot. That is where the problem hides.
It’s easy enough to unpair your phone from your car and erase the phone book. Even if this was somehow forgotten when a used car was handed over, it’s something anyone can do right from their infotainment screen in a matter of minutes. Peforming this factory reset removes evidence of the last owner on the car itself, but it does nothing to remove their remote access.
IBM researcher Charles Henderson, who is in charge of their security testing group, X-Force Red, uncovered the problem when he sold his car. He sold his car a few years ago, but he can still control it from his phone.
This isn’t just a one-off situation that someone managed to happen with Henderson’s car. He tested four major automakers, which he did not name, and found each had apps that allowed previous owners to access their old cars from mobile devices.
Now that you’re reconsidering that used car over fear of the old owner taking control, here’s the solution. According to Henderson, the dealership can see who has access to your car and remove someone from the app. Make a stop by your factory-authorized dealer and they can help ensure you and only you have access to your car.
This seems like something automakers should make more automatic rather than requiring a trip to the dealership and the knowledge that a factory reset doesn’t do the full job in the first place. Their reason for not making it easier is the potential for abuse.
If a factory reset wiped out everything, then a valet could revoke access to your car. There’s also the possibility of honest user error that could do the same thing.
Wiping all that information is about as likely as accidentally un-pairing your phone. It could happen, but it’s not the end of the world to repair your device and far less of a concern than the possibility of a stranger accessing your car.
In the meantime, if you buy a used car, consider a quick run to the dealership to ensure only your devices have mobile access.