The Hidden Danger of Buying a Used Connected Car

Editor’s Note: This post first appeared on the September 2018 NMA Blog. It still has important advice for those interested in purchasing a used connected car.

The media has made much ado about remote car hacking and it is a serious concern but there is another concern that could potentially be more devastating for a new used car owner:  Buying a used car whose connectivity is still controlled by the previous owner.

More than likely, the owner forgot that they needed to disconnect from the car but getting the previous owner to disconnect can take a great deal of energy and time for a new owner.

Phone apps or in car apps allow a driver to interact with a car remotely. Some of the things that can be done with a smart phone or key fob include remotely turning on the car and controlling the climate systems, calling for roadside help and uploading GPS coordinates into the onboard computer. Your car’s connected apps keep a record of much of this information and store it on an online car account that is associated with that vehicle’s VIN number.

Matt Watts recently blogged about his experience with his newly bought used Land Rover. A UK IT online news outlet called THE REGISTER picked up the story and interviewed Watts who said:

The previous owner of my car has control over it, they can unlock it, they can remotely set the climate control without me knowing about it, even when the car isn’t running, they potentially can even look at the sat-nav system, they can also call break down services to the vehicle and all of this without me knowing anything about it.

Someone else has access to a significant amount of data about myself and my vehicle and there appears to be nothing that the manufacturer is prepared to do about it.

Watts had a great deal of runaround in trying to get this problem solved. Jaguar Land Rover wrote to THE REGISTER on how the problem should have been handled.

If a customer sells a vehicle to a Jaguar Land Rover retailer, the retailer, as part of the purchasing process, will check that the customer has cleared all of their accounts and removed the vehicle from their InControl Portal. They will also advise the customer selling/exchanging the vehicle that the customer can unbind themselves too.

It is important to note that when the initial customer accepts the terms and conditions of Remote Premium services that they are agreeing to unbind the vehicle from themselves when they sell it on. If a private sale, Jaguar Land Rover or our retailers will have no sight of the vehicle between change of ownership so cannot check this process has been adhered to.

If the seller has not done this, the new owner can take their car to their local Jaguar Land Rover retailer to get the InControl Remote app and all InControl services reset. After ownership checks, the retailer will unbind the previous owner from that car.

This will mean that when the former owner goes onto their InControl Remote app or InControl Portal, they will receive a message stating that no vehicle is associated with this account and will no longer be able to view any information for that particular vehicle. The retailer will then set up a new account for the new owner, binding that vehicle to them. This process can also be done by the customer contacting the Jaguar Land Rover Customer Relationship Centre and providing suitable ownership documents.

According to a second Register post, BMW, Mercedes-Benz and Nissan may also have this same issue. BMW gave this reply to the problem:

The customers are able to delete all their BMW Connected app data with a click in the BMW Connected app. The data privacy policy tab in the BMW Connected app contains detailed information on data privacy for all services that explains to customers exactly how the data is used.

The customer need[s] to delete the mapped profile online at the ConnectedDrive account. Customers can delete the mapping via the Head-Unit and get a notification to delete the data online at the ConnectedDrive account as well.

Once a customer connects the car with a new ConnectedDrive account, all previous connections will be deleted.

So whose responsibility is it to disconnect the connection? Carmakers say as part of the service agreement with any online accounts, the previous owner is responsible for stopping the account but even then that may be tough. Unlinking a car that you sold may not actually finish the process since there is also an in-car registration that is entirely separate.

Of course, automakers cannot make the process too simple, because then it’s too easy for car thieves to steal the car. Also, dealers and auto techs may not have the training to deal with disconnecting a car’s connected account from a previous owner which is what happened to Matt Watts.

This is definitely one of those systems that automakers did not think out clearly enough and now they need to remedy the problem so that the previous owner can easily disengage and if they don’t or cannot then a dealer should be able to do the same for the new buyer whether the vehicle was purchased through a dealership or independently.

Consumers also need to stop being so excited by all this tech and understand what needs to be done to make sure their car and their privacy is secure in this new world of the Internet of Things.

Thank you for reading the National Motorists Association’s Auto Tech Watch Blog.  If you find an online article of interest concerning auto tech, please drop us the link via email to [email protected]. Interested in discussing this blog, please write your comments below or join the discussion on Facebook. If you would like to keep up with auto tech news, subscribe to the NMA’s Driving News Daily email.

Want to support this blog and the work we do across the country on behalf of motorists? Become a member of the NMA today!

Photo attribution:  ng Connect Program licensed under Creative Commons NonCommercial 2.0 Generic (CC BY-NC 2.0)

Not an NMA Member yet?

Join today and get these great benefits!

Leave a Comment