When buying a used car, few of us think about security. Sure, it’s possible the former owners kept a key, but most of us just accept that and move on with our lives. However, there’s another factor you should be thinking about when buying a used car, whether you buy privately or from a dealer. Through the use of connectivity apps hooked into a car’s infotainment system, it’s possible for a former owner to open your car, start it, or even track your location.
It might sound like Hollywood nonsense, but it’s a real thing, here and now. A huge number of automakers now offer apps that will let you unlock your car or start the heating from the convenience of your smartphone. Some even let you track your car’s position, check the battery level, or monitor tire pressures and any warning lights on the dash. Using these services normally involves downloading the app on your smartphone, and then going through a process to pair the app with your vehicle. You can then control various features remotely, with the vehicle relying on a cellular data connection for this functionality.
The problem is that a car doesn’t know when it has been sold. This applies whether you’re getting rid of your car on Craigslist or you’re trading it in to a dealer. Unless somebody takes the decisive action to wipe existing app users from the car, they remain connected to the vehicle. Thus, it’s entirely possible for a former owner to track the position of a used car, and potentially even unlock it, start it, and drive away if they were so inclined. Or, they could simply clown the new owner by messing with settings and the like. It’s not a one-off problem, either—our research indicates this is very much happening on the regular.
This story landed on our desk thanks to the experience of Phillip Tracy, brother to our own David Tracy himself. His story is just one example of a phenomenon happening to a bunch of owners of cars of all different makes (we’ve already written about former Tesla owners tracking their Model Ss months after having sold them — two folks mentioned that their former cars had actually somehow made it to Ukraine). Phillip had recently traded in a 2021 Mazda CX-5 on the purchase of a new car, having enjoyed its connectivity features while owning it. And yet, when the deal was done and the Mazda was gone, something curious happened. “I continued to receive alerts from the MyMazda app about the status of my previous vehicle,” explains Phillip. “For several nights in a row, I received a notification that the car had been unlocked.”
The car, as far as Phillip was aware, was still at the dealership, and was listed for sale on their website. “When I opened the MyMazda app, I could view the vehicle status including whether the vehicle was locked/unlocked along with remaining fuel, mileage, [and] VIN details,” he says. He quickly realized that this wasn’t a good thing. “More troubling than that, my remote app controls still seemed to function… I could attempt to lock, unlock, and remote start the car.”
Not wanting an undue level of control over somebody else’s car, Phillip did the reasonable thing. “I notified the salesperson at my local Audi dealer, advising them to wipe the CX-5’s system so this sensitive information and safety functionality was withheld from anyone but a new owner,” he explains. And yet, even then, it appeared little was done to rectify the situation. “I continued to receive notifications even after the car was delisted from the Audi dealership website.”
Phillip couldn’t be sure if the car had been sold to a new owner, but he suspected as much given the car was no longer listed online. At this point, he was still getting regular notifications on the Mazda app, and it appeared that he could still unlock or start the car if he so desired. “The remote functionality appeared to function… the “press and hold” to unlock/lock/remote start dial would begin to count down,” he says. “I did not fully attempt to use any of those features to avoid disturbing a potential new owner or possibly putting them in danger.”
To solve the problem, Phillip went ahead and “unenrolled” himself from the Mazda’s VIN within the app, permanently disconnecting him from the vehicle. “The VIN still appears on the front page of the app but I need physical access to the vehicle to re-enroll,” he says. That stopped him getting notifications, and cut any remote access he had to the vehicle.
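The root cause described above (the car, and the automaker’s backend behind it, never learns that ownership changed, so the old pairing keeps working until someone unenrolls) can be modelled in a few lines. The following is an added, constructed example, not code from any automaker or from this article: a toy remote-command backend in which an enrollment is simply a (user, VIN) binding. The naive version keeps that binding forever; the hardened version ties every enrollment to an ownership generation that a transfer bumps, revokes stale bindings at the transfer, and refuses re-enrollment without in-car proof, mirroring the “need physical access to re-enroll” behaviour Phillip ran into. `VIN`, the class names and `resale_scenario` are all hypothetical.

```python
"""Constructed model of a car-maker's remote-command backend (not real automaker code).
Shows why a sold car 'doesn't know it was sold' and one design that fixes it."""
from dataclasses import dataclass, field

VIN = "1ZZZZ99999Z000000"  # constructed placeholder VIN, not a real vehicle


@dataclass
class Vehicle:
    vin: str
    ownership_gen: int = 0                               # bumped on every ownership transfer
    enrollments: dict = field(default_factory=dict)      # user -> ownership_gen at enrollment


class NaiveBackend:
    """Vulnerable design: a (user, VIN) binding never expires on its own."""

    def __init__(self):
        self.vehicles = {}

    def enroll(self, user, vin, physical_proof=True):
        v = self.vehicles.setdefault(vin, Vehicle(vin))
        v.enrollments[user] = v.ownership_gen            # proof is never checked here
        return True

    def transfer_ownership(self, vin):
        # Nobody tells the backend; every existing binding survives the sale.
        return []

    def authorize(self, user, vin):
        """Would a remote lock/unlock/start command from this user be accepted?"""
        v = self.vehicles.get(vin)
        return v is not None and user in v.enrollments


class HardenedBackend(NaiveBackend):
    """Transfer bumps the generation and revokes every enrollment; only a user whose
    enrollment matches the current generation is authorized, and (re-)enrollment
    requires physical proof such as a pairing code shown on the head unit."""

    def enroll(self, user, vin, physical_proof=True):
        v = self.vehicles.setdefault(vin, Vehicle(vin))
        if not physical_proof:
            return False                                 # no remote self-re-enrollment
        v.enrollments[user] = v.ownership_gen
        return True

    def transfer_ownership(self, vin):
        v = self.vehicles.setdefault(vin, Vehicle(vin))
        v.ownership_gen += 1
        revoked = sorted(v.enrollments)
        v.enrollments.clear()                            # stale bindings go; log/notify them
        return revoked

    def authorize(self, user, vin):
        v = self.vehicles.get(vin)
        return v is not None and v.enrollments.get(user) == v.ownership_gen


def resale_scenario(backend_cls):
    """Seller pairs, car changes hands, buyer pairs, seller tries to re-pair remotely.
    Returns who the backend would still accept remote commands from."""
    b = backend_cls()
    b.enroll("seller", VIN)
    revoked = b.transfer_ownership(VIN)
    b.enroll("buyer", VIN)
    b.enroll("seller_again", VIN, physical_proof=False)
    return {
        "revoked_at_sale": revoked,
        "seller": b.authorize("seller", VIN),
        "buyer": b.authorize("buyer", VIN),
        "remote_reenroll": b.authorize("seller_again", VIN),
    }


if __name__ == "__main__":
    for cls in (NaiveBackend, HardenedBackend):
        print(cls.__name__, resale_scenario(cls))
```

With the naive backend the seller keeps full remote access after the sale; with the hardened one the sale itself revokes them, the buyer’s fresh enrollment works, and a former owner can only get back in by standing at the car again. The generation check on every command, rather than only at enrollment time, is what makes a missed revocation fail closed.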
This isn’t a one-off occurrence, and it’s not just Mazda, either. Look around and you can find stories like this one everywhere. One former Mazda owner on Reddit noted they still had access to the MyMazda app a month after selling their vehicle. This can happen with any automaker’s vehicles that have similar functionality. In 2021, WGME reported on cases involving the FordPass app, while BMW owners have taken to forums to complain of similar issues.
Phillip was mature enough to handle this properly, but you can’t rely on that always being the case. Even outside stalking or theft, there’s plenty of room to use these apps to irritate and annoy someone by forever unlocking their car or starting the engine at random hours. Sure, the vast majority of adults aren’t so stupid and petty [Editor’s Note: Hold my beer – JT], but the possibility exists because of these apps.
Multiple automakers have made it clear that it’s on individuals—either those disposing of a car, or those buying one—to deal with this issue. The FTC has also noted that good automotive security goes both ways, and that owners should be clearing data from their cars prior to sale.
That sounds all well and good, but it can be a real frustration at times. Some buyers of used Toyotas have had to pick up the phone and deal with paperwork in order to register an app with their cars, because the previous owners never bothered to disable their connection. Honda owners have been through similar experiences trying to gain full access to a car they’ve already bought and paid for.
Obviously, in a private sale, it’s easy to understand how responsibility comes down to the seller and/or buyer. On the other hand, you might think a used car dealership would handle this sort of thing for its customers, but it’s by no means always the case. While these systems have been around for years now, it seems that resetting them hasn’t become a checklist item for dealers processing used cars.
To a degree, it’s understandable. It would be difficult for a dealership to know the processes required to reset or unpair every single kind of infotainment system from every single automaker. This is especially the case for those automakers that require more strenuous processes like jumping on the phone to verify ownership details. Furthermore, by and large, people generally don’t seek to cause havoc with their old vehicles after selling them, so it likely hasn’t been a major problem for most dealers. It’s possible that a notable incident or two could change practices in the industry, but there doesn’t seem to be much impetus for change at this point.
In any case, it’s a lesson that you have to look out for yourself in this regard. If you’re buying a used car with any sort of remote connectivity features, ensure that past owners have been unpaired from the system. Similarly, if you’re selling up, you’ll want to be clearing out all your private data from the vehicle and severing the connection yourself.
Image credits: Phillip Tracy, Hyundai via screenshot, BMW via YouTube screenshot, Mazda
Doesn’t someone have to pay a cell service provider, have a sim chip etc. to maintain connection with the car?
Mazda, at least, includes 3 years of connectivity with their cars – sometimes more. At some point yes, you gotta pay.
Because I know the vast majority of my customers never bother (or, more accurately, cannot be bothered), the first thing I do with either a lease return or a trade in is perform a Master Reset on the vehicle.
Takes 2 minutes tops, and it avoids a complaint about privacy down the road, even though it’s really the customers’ responsibility. Job done.
Does that clear out all the remote app access as well, or just local data?
It wipes everything clean – contacts, saved destinations as well as the FordPass connection.
I still had access to the Kia Telluride I sold like, two years ago until this article prompted me to check. At the time I sold I couldn’t remove the Kia from my account until another owner claimed it – fortunately Kia seems to have finally changed that setting so I was able to delete it! Hooray!
Should the former owner be responsible for doing this? Absolutely, but it shocks me that this isn’t standard procedure on a PDI checklist for any major dealer, at the very least one who matches the brand of the car being sold (e.g. a Mazda dealer ought to double check that trade in Mazdas are deactivated).
I say this because I know VW dealers can activate CarNet subscriptions during new car trial periods, so the ability exists for them to open the system, provision a new user account, and tie it to the car. It should be trivial to cut off old user access if the dealer has taken possession.
> It would be difficult for a dealership to know the processes required to reset or unpair every single kind of infotainment system from every single automaker.
Not really. All it takes is for the sales person to google it on their phone in between two salvos of spam texts to potential customers.
Hahahaha bold of you to consider sales people as benefits to society. They’re too busy selling another car with markups.
Another point in favor of a simple car with mechanical door locks/handles, roll-up windows, a mechanical ignition, and real buttons controlling everything, without ANYWHERE for a phone to control access to anything on the car.
I think cars from the 1990s and early 2000s had the right balance of tech vs simplicity. Everything after has been purely extraneous and redundant, at the cost of all sorts of exploits, hacks, vulnerabilities, and additional maintenance/repair costs foisted upon the owner.
I mostly agree with you, but having a key fob to remotely unlock my car came in handy last year, when some arsehole tried to break in and thoroughly mashed up the door lock to the point where a key wouldn’t even fit in it.
I’d like to have an option where you can just disconnect the online services from the car itself. You know, like how you can turn off your cell radio/wifi/bluetooth on a phone by putting it into airplane mode?
I am a little worried about the next car purchase since anything reasonably modern will come will all of this stuff. I don’t want all my car’s telemetry being sent back to a manufacturer or shared with other 3rd parties who might buy it.
Yes, I’m a paranoid weirdo, I physically removed the hardware bridge that connects my car’s onstar unit from the cellular radio. I don’t use onstar, but it keeps sending back data that I didn’t ask it to and there’s no way to opt out (short of doing what I did). I’d like to have some control over what my car tells strangers. I don’t see that happening anytime soon short of a lot of weird monkey business with car software that could potentially break important stuff.
Maybe I can get my car a tinfoil hat to match mine.
This is also a major problem for civil issues like divorces — there was a piece in NY Times a while ago about the issue. People can track and harass their exes through the app. For people who have separated but not legally divorced, they’re in an even tougher spot if both spouses are on the title, because car manufacturers refuse to remove the harasser from the app, since they still have legal ownership of the car.
The only way an app is getting into any of my cars is if they use the app to hire a locksmith, or a hammer to smash my windows I guess.
https://media.tenor.com/-TM80zLQIOIAAAAM/soulja-boy-crank-dat.gif
A friend sold his Focus EV to Carvana, and for several months after that, he was still able to locate the car via the app. Don’t remember if he could unlock the doors or remote start it though.
Duh am I the only person who realizes if the previous owner doesn’t disconnect the app all their information is still saved in the vehicle and they have far more to lose? Phone numbers, acct numbers, contacts, everything. Having just bought a used Toyota I called a few dealers. Most service departments didn’t know it was a thing. But one said they have the ability to cut access pretty easily.
For the record, any car new enough to have an app isn’t saving numbers. It loads the contacts when the phone connects. Though addresses and stuff are gonna be there.
And yeah unlinking is just typing in a VIN on a webpage and hitting unlink. It’s just a hassle over the phone because they have to verify you are the new owner.
And that just takes out the app on anything but the newest entertainment system (Which is cloud based, yes it’s as dumb as it sounds)
Thanks for the info
I also experienced this after trading in my Buick Enclave. I personally reset the infotainment to factory and called Onstar to let them know the car had been traded in to a dealer and I no longer owned it. In spite of that, I got an alert a few days later from the MyBuick app that I hadn’t remembered to delete. So I unenrolled the car and then deleted the app.
At the end of the month, Onstar sent me an email with the car’s status (I had signed up for them when I owned it) and a follow-up email reminding me that I needed to re-up to Onstar if I wanted to keep using most of the app’s features. So I called them AGAIN and told them AGAIN that the car was traded in.
Amazingly, the rep told me that they confirmed that I called a month before and told them the car was no longer mine. I was too dumbfounded to ask “so why am I still getting alerts?” She assured me that they would take me off the car at that point, and I haven’t gotten an alert since.
So even if you try to disconnect it’s hard to actually do.
Ah, yes, I see they’ve been taking tips from AOL and SiriusXM on how to handle customer disconnects…
Not only apps. Check the radio for contacts and even text messages for those cars that have those radios without Carplay/Android auto.
And profiles, a lot of cars have profiles nowadays, that may have lots of information.
Wife was looking for newer car. I was amused by the amount of information I could find in the infotainment systems.
Just waiting for these new cars that store pictures to go to the second hand market. That will be fun.
As someone who rents cars often, I habitually purge the car of all traces of me before returning it. I also take the time to purge the data of all of those who rented the vehicle before me but never deleted their phone from the car.
As you note, it is wild the amount of info you can get from a car’s infotainment system.
My cars both have the previous owners’ addresses set as “home” in their navigation systems. I plan to leave it that way, especially in my Hyundai that has the Kia Boyz vulnerability, that way if someone steals it and wants to go to my house, they will end up at the wrong address.
That’s something I always avoided, especially because the garage door remote control is always in the car. That and leaving anything in paper that could have my address in the car.
In many places you are required to have registration in the car at all times. I suppose you could carry it around but that seems inconvenient if more than one person uses the car. Luckily we use PO Boxes in my town so that’s all anyone would find out.
Mine is hidden under a rubber insert in the console.
In CO at least, they give you a registration slip that doesn’t have your address on it along with one that does.
That’s thoughtful! In MN they give you a registration slip but you don’t actually have to keep it in the car. We live in CA now and you’ve gotta have it.
Classic spycraft
Change it to a nearby police station 🙂