HAPPY HOLIDAYS! Welcome to Canadian Black Book’s – The Value. Our goal is to provide our clients and partners with news, event updates, new initiatives and opinions from Canada’s trusted source for vehicle values and automotive insights. In this edition we cover:
- November 2018 Used Vehicle Retention Index
- Would you like to buy an unlocked smartphone full of personal data? – By Brian Murphy
- Canadian Black Book Moves To a New Space in a Green Way
Recently I had the chance to see a presentation by privacy and cybersecurity advocate, Andrea Amico, who specializes in information security (infosec) as it relates to automobiles. The presentation really stuck with me, Andrea is a great presenter and an enthusiastic expert in the field, but that was not the reason it was so memorable. His presentation struck me as the tip of the iceberg of a subject that I don’t think is top of mind with enough consumers or professionals in the business of automotive sales and remarketing. Hopefully this column will help get the word out on what I see as an issue that is likely to become increasingly important in the years ahead: infosec for vehicles.
Your car is a very personal item. It’s a faithful companion as we navigate our way each day through the world. As a result, cars know a great deal about the people who drive them. If you have ever connected your mobile device to your vehicle via Bluetooth (something required by law in many geographies), your car may know addresses of places you have visited, the phone numbers you have dialed, the text messages you have received, where you live and your garage door code.
Alarming? It should be. That’s a lot of personally identifiable information (PII) to potentially freely pass along to the next person who owns that car. Today, in many cases that is exactly what’s happening. Modern cars infotainment systems are just like smartphones, but when it comes to changing hands, they are often not treated the same way.
All this potentially sensitive information exists inside the infotainment systems and will often stay there, unless someone makes an active effort to remove it prior to changing owners. If you were getting ready to sell an old smart phone or re-cycle it as a gift to a family member, most likely you are going to delete any personal information off the phone, or perform a “factory reset” to wipe the phone clean before handing it to the next person.
Do you do the same when you sell your car? Mr. Amico knows that many of us don’t! “Vehicles are the largest IOT devices that most consumers will ever own – and yet, most consumers remain unaware that once they connect their smartphone to their vehicle’s infotainment system they may be sharing with the vehicle- and potentially all of its future owners – the personal information they would try so hard to erase if they were to return an old smartphone to a mobile telecom store.”
Some, who are technically savvy may be thinking, yes that information is there, but it’s only accessible when my phone is connected, so it’s a non-issue. Well, that is not the case. In Andrea’s presentation he discussed that earlier this year, while researching for the development of his Privacy4Cars app, he discovered an alarming vulnerability in the Bluetooth protocols adopted by many infotainment systems. The vehicle hack, titled CarsBlues, exploits infotainment systems of several vehicle manufacturers via the Bluetooth protocol to expose the stored personal information of the previous vehicle users. The attack can be performed in a few minutes using inexpensive and readily available hardware and software and does not require significant technical knowledge.
Examples he provided during his presentation were quite chilling. Mr. Amico showed a video where, car after car after car, he could get around the Bluetooth security and gain access to stored contacts, call logs, text logs, and in some cases even full text messages without the vehicle’s owner/user being aware. All this was done without the user’s mobile device being connected to the system by using this CarsBlues exploit. In one example, he was able to determine where the principal driver lived and worked, who they were, where their kids went to school and playdates, and that they were getting medical treatments at a specific facility. “When an individual leaves PII behind in a vehicle’s infotainment system they are potentially exposing information that, when pieced together, could be quite dangerous if it were to fall into the wrong person’s hands.”
My intent is that the automotive professionals reading this can ask themselves if their own organizations have a responsibility to help protect consumers from disclosure of personal information. Whose responsibility is it to remove this information? Should you be “wiping” cars that are passing through your hands? Should you be deleting the electronic PII as a buyer or as a seller or when handing a lease end return or a total loss vehicle? The Canadian Privacy commissioner was already very critical of Staples not wiping customer data off of used computers over ten years ago. So in my layman’s opinion (I’m not a lawyer) a similar omission to not erase a client’s personal data off a car being resold could lead to a similar criticism from regulators.
There are resources to help with the wiping process, making it very easy. Of course, the owner’s manual of most vehicles can help point you in the direction of how to unpair phones and reset systems (although Amico pointed out that imprecise or incorrect instructions are not a rare phenomenon among vehicle manuals). If you are dealing with high volumes of vehicles and many models there is an app available for smartphones called Privacy4Cars, created by Mr. Amico, which walks you through the process of deleting sensitive data from hundreds of different makes/models. The app is free for consumers to use but there is a fee for businesses. Consider protecting yourself from your own personally identifiable information being misused, and protect your business from the possible legal consequences of not offering the same protection to your customers. More information on this subject can be found at Privacy4cars.com