Could your old car be giving away all your secrets to its new owner?

Karlin Lillington: New survey underlines risks in our increasingly connected world

Your car has a lot to say about you. And not in the way you think. Not just as a style proxy for your personality, but actually about you, your home, your passwords, your accounts.

Automobiles are becoming mobile computing devices attached to a machine that is useful for transport.

From the central operational and diagnostic nervous system of your car down to the onboard infotainment, computing systems are integral. And, as with mobiles and your other computing devices, those systems collect and utilise plenty of personal data.

Data that is still there when you sell the car.


While it is common knowledge that we should wipe the data from phones, tablets or computers before donating or selling them on, it turns out hardly anyone is thinking about the same issues with their cars. And yet, some of that data, and some of the possible security weaknesses in these systems, pose significant risks to owners.

According to survey results released by the UK consumer organisation and magazine Which?, four out of five car owners don’t realise they need to wipe the data from an automobile before selling it.

Buyers can also be targeted. An unscrupulous seller could return and steal the car you just bought, if they deliberately left some of their own data – such as that associated with an access app, or a cloned keyfob – on the car before selling it to you.

Most of us, even in older, less tech-flashy cars, have paired a mobile phone to our car using Bluetooth or a USB connection. These systems mean “your car could absorb all your messages and contact details from your phone”, Which? says.

Access your wifi

“It may also know where you live, where you work, and the addresses of your friends and family,” Which? adds. It could also store your home and work wifi credentials, enabling someone else to access your home wifi and the accounts and devices associated with it.

Even worse, “if the previous owner downloaded the car’s app and failed to break the link between the car and the app, it could allow them to track the location of the car they sold to you, unlock its doors and even start the engine”.

Just deleting the app doesn’t remove access rights, Which? says.

Between December and February last, Which? surveyed more than 14,000 car owners who had sold their car in the past two years. More than half had synced their car to their phone and, of those, 79 per cent said they failed to perform the owner manual’s recommended factory reset to delete their data from the car before selling it.

Some 58 per cent didn’t try to manually remove the data, and 51 per cent didn’t unsync their personal devices.

Of 1,893 people who had also downloaded the manufacturer’s own associated car app – which, on some cars, could allow a seller “to track the location of the car they sold to you, unlock its doors and even start the engine” – 68 per cent had not removed data or done a factory reset, and half didn’t unpair or delete the app before selling their car.

A Which? video shows how to wipe data properly, and advises that when you buy a used car you ask dealers to confirm they have wiped the previous owner’s data.

In an associated investigation, Which? purchased a new Ford Focus and VW Polo and sent them to security experts Context Information Security to hack the onboard driving and infotainment systems.

They found that driver safety could potentially be compromised by remote operation, and that personal data such as contacts and passwords could be accessed via the infotainment system. A VW infotainment system Which? purchased via eBay also yielded all the previous owner's data.

Details of the hacks and vulnerabilities were not released, but were offered to VW and Ford. Ford refused the report.

Which? reminds readers that there have been stalking incidents where stalkers utilised car data.

Rich data troves

In an increasingly connected personal universe of “smart” devices, how do we curtail such risks? What other home devices are rich data troves for second hand buyers? Smart speakers and TVs, which gather a lot of user data and hold passwords, come to mind.

Last November, the FBI warned that smart TVs, many with microphones and cameras, posed a home surveillance and hacking risk.

“In a worst-case scenario, [hackers] can turn on your bedroom TV’s camera and microphone and silently cyberstalk you,” noted the FBI. They also offer advice on preventing such unwelcome boudoir company.

These reports raise many associated concerns that will only keep growing with time, as (not so) “smart” proliferates. Why is consumer awareness of the need to protect systems, and to wipe data, so low? How can awareness be improved? Could systems have better inbuilt safety measures?

And given these devices’ ubiquity, complexities and functional invisibility – shouldn’t we demand manufacturers meet a higher bar of responsibility towards their consumers?