05 Feb 20

When Your Used Car is a Little Too ‘Mobile’

Many modern vehicles let owners use the Internet or a mobile device to control the car’s locks, track location and performance data, and start the engine. But who exactly owns that control is not always clear when these smart cars are sold or leased anew. Here’s the story of one former electric vehicle owner who discovered he could still gain remote, online access to his old automobile years after his lease ended.

Mathew Marulla began leasing a Ford Focus electric vehicle in 2013, but turned the car back in to Ford at the end of his lease in 2016. So Marulla was surprised when he recently received an email from Ford.com stating that the clock in his car was set incorrectly.

Out of curiosity, Marulla decided to check if his old MyFordMobile.com credentials from 2016 still worked. They did, and Marulla was presented with an online dashboard showing the current location of his old ride and its mileage statistics.

The dashboard also allowed him to remotely start the vehicle, as well as lock and unlock its doors.

Mathew Marulla turned in his leased Ford EV to Ford 4 years ago, so he is no longer the legal owner of the car. But he can still remotely track its location and usage, lock and unlock it, and start the engine.

“It was a three-year lease from Ford and I turned it in to Ford four years ago, so Ford definitely knows I am no longer the owner,” Marulla said, noting that the dashboard also included historic records showing where the Focus had been driven in days prior.

“I can track its movements, see where it plugs in,” he said. “Now I know where the current owner likely lives, and if I watch it tomorrow I can probably figure out where he works. I have not been the owner of this vehicle for four years, Ford knows this, yet they took no action whatsoever to remove me as the owner in this application.”

Asked to comment on Marulla’s experience, a spokesperson for Ford said all Ford dealerships are supposed to perform a “master reset” as part of their used car checklist prior to the resale of a vehicle. A master reset (carried out via the vehicle’s SYNC infotainment screen by a customer or dealer) disassociates the vehicle from all current accounts.

“A master reset cleans phone data and removes previous Ford Pass and My Ford Mobile connections,” the company said in a statement released to KrebsOnSecurity. “Once complete, a previous owner will no longer be able to connect to the vehicle when they log in to My Ford Mobile or Ford Pass.”

As Marulla’s experience shows, if you’re in the market for a used car, check before buying that the previous owner’s accounts have actually been disassociated from the vehicle, or at least have the dealership perform the reset and confirm it once the purchase is made. Because the reset is carried out from inside the car, it is only as reliable as the person working through the checklist; where you can, ask the seller to confirm that the vehicle no longer shows up in their account after the reset.

And if you’re thinking of selling your car, it’s a good idea to clear your personal data from the vehicle first. As the U.S. Federal Trade Commission advises, some cars have a factory reset option that will return the settings and data to their original state.

“But even after a factory reset, you may still have work to do,” reads an FTC consumer privacy notice from 2018. “For example, your old car may still be connected to subscription services like satellite radio, mobile Wi-Fi hotspots, and data services. You need to cancel these services or have them transferred to your new vehicle.”

By the way, this issue of de-provisioning is something of a sticky wicket, and it potentially extends well beyond vehicles to any number of other “smart” devices that end up being resold or refurbished. This is doubly so for Internet-connected devices whose design may leave the previous owner some degree of access to or control over the device regardless of what steps the new owner takes to limit that access (certain types of security cameras, for example).
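To make the de-provisioning point concrete, here is an added example written for this page; it is not Ford’s code or any vendor’s, and the `TelematicsBackend` class, the `lease_return_scenario` function, the VIN string and the e-mail addresses are all hypothetical, constructed for illustration. It models account-to-vehicle bindings in a connected-car backend and contrasts two ways of handling a lease return: one that merely records the ownership change and leaves revocation to a dealer-performed in-car reset (the failure Marulla ran into when the reset was skipped), and one that revokes every prior binding server-side as part of the transfer event itself. It also includes the audit a practitioner would want: a scan for active bindings that predate a vehicle’s latest transfer.

```python
"""Ownership-aware de-provisioning for a connected-vehicle backend.

Hypothetical model written for this page, not any vendor's code. A remote-
access binding that is removed only by an in-car "master reset" survives a
lease return whenever the reset is skipped. Tying revocation to the
ownership-transfer event closes that gap, and an audit can find bindings
that predate a vehicle's most recent transfer.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    account: str          # a login that may track, lock/unlock or start the car
    created: date
    revoked: bool = False


@dataclass
class Vehicle:
    vin: str
    bindings: List[Binding] = field(default_factory=list)
    last_transfer: Optional[date] = None  # latest lease return or title change


class TelematicsBackend:
    """Hypothetical in-memory model of account-to-vehicle bindings."""

    def __init__(self) -> None:
        self.vehicles: Dict[str, Vehicle] = {}

    def register(self, vin: str) -> Vehicle:
        self.vehicles[vin] = Vehicle(vin)
        return self.vehicles[vin]

    def bind(self, vin: str, account: str, when: date) -> None:
        self.vehicles[vin].bindings.append(Binding(account, when))

    def can_control(self, account: str, vin: str) -> bool:
        """True if the account still holds an un-revoked binding to the car."""
        return any(b.account == account and not b.revoked
                   for b in self.vehicles[vin].bindings)

    def master_reset(self, vin: str) -> None:
        """What the in-car reset achieves: every existing binding is revoked.
        It only happens if someone at the car actually performs it."""
        for b in self.vehicles[vin].bindings:
            b.revoked = True

    def record_transfer_only(self, vin: str, when: date) -> None:
        """Naive handling: the backend notes the ownership change but leaves
        revocation to the dealer's checklist. This is the failure mode."""
        self.vehicles[vin].last_transfer = when

    def transfer_ownership(self, vin: str, when: date) -> None:
        """Hardened handling: the ownership event itself revokes all prior
        bindings server-side, so a skipped in-car reset no longer matters."""
        self.record_transfer_only(vin, when)
        self.master_reset(vin)

    def stale_bindings(self) -> List[Tuple[str, str]]:
        """Audit: active bindings created before the vehicle's latest transfer,
        i.e. accounts that belong to a previous owner or lessee."""
        stale = []
        for v in self.vehicles.values():
            if v.last_transfer is None:
                continue
            for b in v.bindings:
                if not b.revoked and b.created < v.last_transfer:
                    stale.append((v.vin, b.account))
        return stale


def lease_return_scenario(hardened: bool) -> Tuple[bool, bool, List[Tuple[str, str]]]:
    """Walk a lease-return timeline on constructed data. Returns
    (lessee_can_control_before_return, lessee_can_control_after_return, stale)."""
    backend = TelematicsBackend()
    vin = "VIN-CONSTRUCTED-0001"   # constructed identifier, not a real VIN
    backend.register(vin)
    backend.bind(vin, "lessee@example.com", date(2013, 6, 1))
    before = backend.can_control("lessee@example.com", vin)
    if hardened:
        backend.transfer_ownership(vin, date(2016, 6, 1))
    else:
        backend.record_transfer_only(vin, date(2016, 6, 1))  # in-car reset skipped
    backend.bind(vin, "buyer@example.com", date(2016, 9, 1))  # next owner enrolls
    after = backend.can_control("lessee@example.com", vin)
    return before, after, backend.stale_bindings()


if __name__ == "__main__":
    for mode in (False, True):
        before, after, stale = lease_return_scenario(hardened=mode)
        print(f"hardened={mode}: lessee before={before} after={after} stale={stale}")
```

The design point is that the grant lives in the vendor’s backend, not in the car, so the revocation has to be triggered by the event the vendor already knows about (the lease return) rather than by a step a dealer may or may not perform at the vehicle. The `stale_bindings` audit is the retrofit for an existing fleet: any active binding older than the vehicle’s last transfer is a previous owner who was never removed.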


55 comments

  1. It is not uncommon for satellite radio to be active when you purchase a used car. Typically the previous owner never canceled. Some people set this up as an auto bill pay so they may continue to pay your subscription for a long time before they figure it out.
    GM required you to purchase a separate subscription for things like lock/unlock and remote start. I am guessing if you continue to pay that you probably have control of your old car until and if the new owner decides he wants that feature and tries to enable it. Factory reset is the only way to drive.

    • It’s not uncommon for a dealer reselling a car to reset the XM radio by doing a 15 minute battery disconnect or pulling the radio fuse.

      Sirius will generally provide 30-90 days free sat service after being notified by a new customer of the radio’s code.

      • Guess what, Paul, disconnecting the car battery for 15 minutes does nothing whatsoever to reset the Sirius subscription.

        If it did, you’d never be able to install a car battery without losing Sirius, and that’s not the case.

  2. The Sunshine State

    That’s all government tracking to watch where you go on a daily basis, because all that location data ends up at that NSA data storage building in Utah. This guy just figured out that the data was still being collected before it was sent over the 4G network through a fiber cable to the top secret government database.

    Okay, I have my tin foil hat on!

    • Well, it’s not a very good tool for tracking where you drive if it still thinks that your car is driven by the guy who owned it four years ago.

    • It’s telling that the minds of so many people will inevitably start blaming the government.

      Privacy is dead NOT because of the government, but because of private companies like this. Data is valuable in our capitalist society… and in the end, Orwell was wrong! It wasn’t the government, it was our greed.

      • So Kroger is running that massive spy facility sitting out in the middle of nowhere Utah sucking up all our private communication data? I was sure it was the NSA.

      • Amen to that. People cannot be bothered to safeguard their privacy because they absolutely cannot live without Facebook, Instagram, Whatsapp, etc, etc. and then they have the audacity to blame the government for it. 95% of the population participates voluntarily in constructing what may end up becoming the world’s most powerful repression engine.

  3. I still get Carfax notifications for my old Camry. About two years ago the repair costs exceeded new car payments so I donated it to an animal shelter and bought another car. But I still get to see when it gets its oil changes and maintenance, which is kind of nostalgic, and kind of nice to see that it’s still going (I’d had it for 20 years).

    So that’s yet another scenario – a complete third party (Carfax) has the VIN associated with my email and gets updates on everything that happens to it, like Facebook, then blabs it all to me.

    • And carfax is the outfit that throws away all the repair and maintenance receipts it finds in the car, depriving the next owner of knowing the car’s repair history. They claim it’s “to protect the privacy of the former owner,” and it’s the reason I’d never consider buying a car there.

      • Carfax doesn’t sell cars.

        • I believe he meant “Carmax”.

          I had a similar experience when I bought a vintage car from a dealer. The former owner included all his receipts, maintenance records, and a lot of spare parts. The dealer threw all that away. I suppose they could make a case that they were protecting the identity of the former owner.

          • No, he means Carfax. You can sign up at myCarfax and add any VIN, even for cars you don’t own, and see maintenance done, registration info, oil changes, some vehicle history, etc. You don’t have to be the owner. It’s a good tool when you’re considering buying a pre-owned car. Lexus and Honda also have “owners” websites where you can plug in any VIN and pull detailed maintenance info on any prospective car.

            • carfax collects repair and maintenance receipts …for VIN reports as you said.

              carmax throws away repair and maintenance receipts… as the OP said.

    • Very similar to USPS Informed Delivery.

      I set it up on a PO Box, and months after cancelling and turning in the key, the next owner of the box… I could track her mail.

      *I did cancel Informed Delivery… but it’s scary that it remains on that address, even after a move or a change in ownership.

  4. There was an article just the other day where a device, presumed to be a GPS tracker, was dislodged from under the dash somewhere. The owner was asking if it could be disconnected and feared it might immobilise the vehicle if removed.

    Another poster said it was common for lease and finance companies to fit such devices to be able to trace the vehicle if the lessee stopped paying his monthly charge.

  5. I recently bought a new car with all the electronic finery, a first for me. I will definitely keep this info in mind when the time comes to sell. Thank you for sharing this. Very helpful.

  6. Great article, Brian. Going from a “non-connected” 2006 car to a “deeply-connected” 2018 is quite the eye opener. The metrics and information I can collect from my car via my iPhone is quite amazing, while also being very scary.

    If I can collect that data I’m left to wonder who else is collecting it — my insurance company, big brother, Government sponsored data terrorists?

    • It’s hilarious that the minds of so many people inevitably start blaming the government.

      Privacy is dead NOT because of the government, but because of private companies like this. Data is valuable in our capitalist society… and in the end, Orwell was wrong! It wasn’t the government, it was our greed.

      • True. I call Facebook the “Ministry of Togetherness”. Those who don’t submit pictures of themselves and log all interests, activities and love of Big Brother Tech are a “threat to security and our happiness”.

  7. Kenny Blankenship

    I’m just waiting for a story to emerge regarding the stored data for all this information: “{car company} left an exposed database wide-open on the internet containing driver information, GPS coordinates, owner addresses, etc.” All of the data that these phones collect and updates that can be done through them leads me to believe this data is stored somewhere — in a non-secure manner.

    • Before purchasing my next car I sent a query on exactly how they secure user data, and security mechanisms to protect data and control systems in the car. The query is still in the works, and I don’t expect a reply. I told the local sales manager (who is a decent person, one reason I deal with them) that I thought there’d be a standard white paper for customers that ask. He said I was the first ever to make the query. I find both the lack of customer awareness and the vendor unpreparedness for the question a little troubling.

  8. My 2016 Corvette used the myChevrolet app, and I still had access to lock/unlock/set off the alarms months after I sold it, I reported the vulnerability to GM via HackerOne but I’m not sure of any changes they made.

    https://rskelton.com/myChevrolet-Android-App-Vulnerabilities/

  9. Speculation: The satellite and its ground-based repeater network do not keep any individual receiver’s ID in its end-of-subscription command feed forever.

    If the receiver is without power and remains that way after its ID disappears from the stream, the receiver has not been instructed that its paid subscription is over and it should continue receiving and decoding the programming after it is powered on.

  10. We help businesses grow and give loans up to $5 million. Would you be interested?

  11. As cars become more technical I’m not surprised that this would happen. You would sell your old cell phone or laptop with your information; now remember to do the same for your car.

  12. I had the same issue with a recently purchased 2019 used Audi. The former leaseholder had everything set up. It was difficult to find someone at Audi that could tell us what to do to fix it. Once we did and followed factory reset instructions, we learned we needed a special tag serial number that is assigned to our Audi account for the low price of $175. We got that straightened out and implemented but are still not sure what kind of access the previous owner has. The other feature provided by Audi includes Find my Audi, which suggests someone with access can find it and unlock the doors.

  13. My 2016 VW came with satellite radio, and the service tried endlessly to pester me into the free trial.

    I didn’t sign up because the terms clearly stated that the only way to cancel was by phone.

    So I can see a lot of people being stymied trying to cancel recurring subscriptions…

  14. Please remove spam by user “Rosenbergsop”.

  15. The only way this is going to be fixed is that we refuse to purchase vehicles and/or return them if we cannot verify that the former owner cannot access the vehicle.

    Dealerships unable to clear used cars from their parking lot WILL find a way and they WILL waive those $175 fees if enough consumers complain.

    • Waiving fees, hehehe. Have you bought a used car lately? I was shopping for one in Florida recently where there are no limits on dealer fees. They were all over the map, with extraneous fees (other than the ones that might be for an actual service like putting a plate on the car) running $1,000 to $3,000. Dealerships don’t make significant profit from selling new cars (if you don’t get ripped off) so they make most of their money in used cars now.

  16. This sounds similar to situations when GameStop used to sell old PSPs. These devices were able to store videos and play them back later. GameStop was supposed to factory reset the devices, but instead just re-shelved the devices. There were stories of kids turning one of these devices on and finding porn on them.

    Long story short, factory reset your devices before you turn them in. I’m sure there’s a way to unsync accounts from cars, but definitely not something to trust someone else to take care of for you.

  17. I wouldn’t trust a dealer and have found used cars with phone numbers, contacts, and even saved mapping addresses. I would be very concerned about an electronic key or any sort of smart app connected to an account and vehicle. All of it should be erased from the hardware and the associated account. Especially on leases, many dealers let them go back to the manufacturer and they are sold at auction and may never see a dealer service bay. They are picked up as is and taken to a wholesale agent who may clean up the cars for resale or auction, but may not have the means to reset all the technology. I imagine a lot of people don’t have the means to do this properly or just figure deleting the app will be enough. I lease a lot and always delete the account and any stored information on the car. I want no connection back to me once I turn in the vehicle.

    • Same with car rentals.

      The USB port and Bluetooth are both very convenient and tempting to use. And it only takes a quick lapse to accept the permissions to access Phonebook/Contacts.

  18. Something similar happened to me when I bought my last car a year ago. It wasn’t as bad – it’s just all the phone sync information was still setup in the car. The phone sync happened to include the previous owner’s name.

    Oh, and the dealer also left some maintenance records from the previous owner – which included full name, phone number, and address.

    On a similar note, I bought a used Kindle from a thrift store. It still was connected to the owner’s Amazon account and had their ebooks on it. Unsure if I would have been able to buy more ebooks using their account and payment information, though.

  19. One more reason to never connect your phone to a rental car as well. All your contacts and quite a bit of other information gets slurped into the vehicle for your “convenience”, and it stays on the storage device in the vehicle even when you delete your device much like deleted files are still on your computer.

  20. One thing to remember from the old days: Previous owners could have made a copy of the key (or bought one from the dealer) and it could still be out there. That risk has always been present.

    “Digital” keys are just at a greater risk that someone hacks the dealer / vendor.

    I wish the dealer could just wipe and re-issue new physical keys with new chips and digital keys. but they would just charge an arm and a leg for that service.

    • Sure, but then you would have to actually get to the car to do anything. Sorry, but I don’t see how this is the same thing.

  21. I’m fine with everything except “sticky wicket.” I checked your bio; you were born in Alabama. I doubt you watch cricket. Come on, don’t we have any suitable American clichés?

  22. S. Zuboff, “The Age of Surveillance Capitalism,” Profile Books 2019. Yep. Smart cars.

  23. Rube Goldberg's Razor

    Scenario: New owner commits crime(s), investigation begins. Must I continue? Police approach previous owner, not the suspect being investigated (current owner). Police “know” it’s the utterly innocent previous owner they’re after, and they don’t read Krebs (or anything but sports, etc.) and don’t like the previous owner “lying” to them. He’s resisting arrest or making them fear for their sanctified safety which is not ordinary citizens’ safety. Like those swatting cases full of shoot-first swashbuckling.

  24. I had this happen on a couple of occasions. Once was with an electric car that had all the details of the previous owner in it. I did the master reset myself. Another was with a used phone from Best Buy that had the previous owners details. I called the guy up and he was pissed. He said Best Buy promised that all his info would be wiped. I assured him I would do it, but he also planned to give Best Buy a piece of his mind.

  25. Apparently Tesla read this blog and stated: “Hold my beer”. Instead of removing previous owner information they remotely removed an $8000 autopilot feature the second owner thought he was purchasing. I wonder how long it will be before Ransomware is bricking Teslas unless you pay up.

  26. At my last house, a heating contractor installed an internet-connected thermostat as part of a heating system upgrade. I never did find the factory reset option on the thing. I suspect that if the new owner of the house connects it to Wi-Fi, I could still log in to it.

    • Generally there is no reset option on the heating unit however it is linked to an account that needs to be deleted if you set it up.

      I had one but never connected it to Wi-Fi due to this and they already have the schedule that can be change to fit the preference of the new owner.

  27. Slightly “off topic” … but not too far.

    I’m interested in the consensus re: connecting a reasonably-well locked-down iPhone to a RENTAL CAR’s bluetooth.

    Background:

    1) I NEVER connect to the car’s USB port w/ a cable; always using my own 12v charger

    2) I NEVER sync contacts (or anything else voluntarily)

    3) I ALWAYS delete the phone from the screen before turning-in the car.

    I only connect my phone to get use of the hands-free mic/speaker.

    I’ve actually stopped doing this at all, but wondered how risky this prior behavior really was ???

  28. Thanks Brian for the enlightening read, as always. I guess the issue is related mostly to the transition period from “dumb” (mostly electromechanical) to “smart” cars. In my job I have seen examples of the weird microcontroller networks inside a car, where makers were clearly overwhelmed and chose to focus on making it work, somehow over making it secure and thinking about the complete lifecycle.
    Myself I have just recently swapped my previous 2004 car for a 2018 model, so making that exact same transition. The new car supports Android Auto and I am actually quite fond of that. In my superficial perception the concept is that in principle, all relevant data remains on my smartphone and the car’s entertainment unit is basically a peripheral device to my phone. If this were really so, there would not be a lot of data to erase. Can someone comment if I am totally wrong?

  29. In the state where I live, used car dealers are required to get rid of identifying information from the previous owner. When test driving a used minivan a while back, I discovered they left a receipt in the owners manual. The name was unusual and legible. With a few clicks, I found the original owner and emailed him to ask if he’d mind letting me know of any problems with the vehicle (and assured him I was no stalker.) He let me know it had been outstanding with no problems other than having had the radio replaced under warranty. I happily bought the car.

  30. I like the idea of a mobile car due to how convenient it seems on the surface. I like being able to start my car a good distance away from it and the various technological features are great to have. I can certainly see why people have pause toward the topic, so the best advice that can be given is to exercise caution.
