Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound

Both data and the online controls on “connected cars” from Jaguar Land Rover remain available to previous owners, according to security experts and owners of the upmarket vehicles. The car maker has defended its privacy safeguards and security of its InControl tech.

El Reg began investigating the issue after talking to Matt Watts, a techie who blogged about the issue of connected cars and the data they collect, without initially naming Jaguar Land Rover (JLR).

Watts’ secondhand Range Rover came with the ability to remotely control the climate systems, call breakdown services, upload GPS/destination details and much more. The vehicle also keeps a record of much of this information and stores it in an online account.

Most drivers won’t use this functionality, but Watts is a self-admitted geek. After he downloaded the JLR app to his smartphone and started to experiment, Watts realised that he was able to use the eight digits of the vehicle identification number (VIN) to link his vehicle to an online account.

When doing so, the JLR website informed him that the vehicle was linked to another user’s account. After dealing with support centres and a JLR dealer, Watts was eventually told that the previous owners should have disconnected before selling on the car. He was initially advised to contact the previous owner, which is annoying enough in itself.

“The process to get the manufacturer to update the online details for the vehicle is for me to try and find the previous owner and get them to do it for me,” Watts wrote.

The issue goes far beyond Watts being unable to use the funky functionality of his secondhand motor, as he explained:

Watts told El Reg: “Data is being collected about me and the vehicle’s location and simply provided to whomever previously connected the app to the car. JLR needs a bullet-proof method for this to be automatically disconnected when the vehicle changes hands. I don’t know how you do this but the current process is clearly not sufficient.”

According to another secondhand Land Rover driver and IT industry pro, who did not wish to be named, the issue is not just around the mobile app but also the online account with JLR. This account – which ties into the InControl service offered by JLR – needs the VIN/car data removed from it when a car changes hands.

El Reg contacted Jaguar Land Rover’s press office about the issue. “Matt’s situation could have been handled a lot better, with him receiving incorrect information throughout the process,” it said.

In a lengthy statement, the car maker went on to defend its procedure around the sale of connected cars against criticism from techie drivers we’ve spoken with.

If you have the VIN, you can press one button in the car to silently enable tracking. This enables a range of functions including remote unlock, start engine, and the ability to see where a car is, according to our unnamed tipster.

Watts added that “right now a previous owner of my Range Rover has the ability, from anywhere in the world with a data connection” to do all manner of undesirable things including but not limited to:

  • See the vehicle data remotely
  • Look at my journey history
  • Adjust the climate control
  • Remote beep and flash the horn and lights
  • Unlock the vehicle

Watts bought his car through an independent dealer. JLR said that the issues Watts had experienced wouldn’t have arisen if sales procedures known to its registered dealers had been followed. Watts was dissatisfied with this response.

Watts told El Reg: “I personally find it completely unacceptable that JLR simply pass on the responsibility for unbinding a previous owner’s app from the vehicle to the dealer, who I’m not convinced will always do it, to an independent dealer, who may not even be aware of it, or to the new owner, who unless they’re tech savvy and want to use these features may not even be aware of them.”

In response to JLR’s statement, he added: “It would appear that JLR’s view is that it’s the dealers’ problem, the previous owner’s problem or the current owner’s problem, without accepting any responsibility or liability. In fact it’s everyone else’s problem except theirs, yet they are the ones collecting all this data.”

User data and information should be a prime consideration in developing new connected car systems and capabilities. El Reg also asked JLR to comment on the GDPR implications of what had happened to Watts and our other source. The response was rather bland:

Watts plans to contact the dealer to get this sorted out while also raising awareness. “[The process] is full of holes and the manufacturers need to do something about it,” he said.

Our anonymous tipster has similar concerns: “Remember that some of the JLR dealers are not optimal in fixing issues. It could be that the dealers should be able to do this but don’t know how to. When I bought my approved used Disco, I didn’t even know I had the tracker installed and just Googled the buttons.”

The issue of the security of data collected by connected cars is far from limited to Jaguar Land Rover.

In response to his post about the issue, Watts has also been contacted by someone who said he had sold his previous “German” car through a main dealer in the Netherlands over a year ago. “He confirmed that he still has full remote control over it,” Watts explained. “During the sale/exchange process he said the dealer didn’t at any point ask about the app or make any mention about disconnecting it.”

El Reg contacted transportation security expert Chris Roberts, who said that he too had come across the same issue in another brand of car.

“I picked up a used S550 and had the previous owner’s info still in it,” US-based Roberts told El Reg. “[It] took a call to [Mercedes-Benz] to sort that out.”

Evil parking attendant

JLR also offered an explanation for how its InControl connected car tech is set up:

  1. The activation process affects all the telematics features, names of which vary depending on what model year, vehicle line and market the vehicle is, hence the references to Remote Premium and InControl Protect.
  2. Activation of the telematics features is a pre-meditated action – it can’t be done casually: the customer has to go through the InControl Portal; have the VIN ready; follow a series of steps including account creation; go to the vehicle and press a specific button for 10 seconds; then follow some further steps in the web browser before the activation is complete.
  3. It also requires that: a) the customer has physical access to the vehicle – so they must have the keys and b) there is no other customer connected to the vehicle already – you cannot “kick an existing customer off” using this method.

Our unnamed tipster disputed this, in part. “You can bind a vehicle to your account if it is unbound. You [need to] have physical access to the car to press a button and know the VIN (from the dashboard or from some other system) – VINs are not confidential.

“Think not evil maid attack but evil parking attendant or evil valet attack. If it’s not set up, I, as an evil valet, could easily set it up for them and then gain at best knowledge of where the customer is but also the ability to unlock the car and start the engine.

“I don’t think it’s possible to drive off without the keys – the engine may start remotely but will not allow you to actually drive off without having the keys.” ®
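
An added illustration, not part of the original article and not JLR's code: a toy Python model of the binding rules in JLR's statement above (in-vehicle button press, one account per vehicle), showing why a sale without an unbind leaves the previous keeper connected, and how a registry-side check could flag such stale bindings. The class and method names, the VIN and the dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Binding:
    account: str
    bound_on: date


class TelematicsRegistry:
    """Hypothetical VIN-to-account registry; models only the rules quoted above."""

    def __init__(self):
        self.bindings = {}   # VIN -> Binding
        self.last_sale = {}  # VIN -> date of the most recent change of keeper

    def bind(self, vin, account, button_held, today):
        # Rule: activation needs physical access (the in-car button press).
        if not button_held:
            return "rejected: no in-vehicle confirmation"
        # Rule: an existing customer cannot be kicked off by a new activation.
        if vin in self.bindings:
            return "rejected: already bound"
        self.bindings[vin] = Binding(account, today)
        return "bound"

    def record_sale(self, vin, today, auto_unbind):
        # auto_unbind=True models the automatic disconnect on change of
        # keeper that Watts asks for; False models a sale with no unbind.
        self.last_sale[vin] = today
        if auto_unbind:
            self.bindings.pop(vin, None)

    def stale_bindings(self):
        # A binding older than the latest sale means a previous keeper
        # still holds remote access and sees the new keeper's data.
        return sorted(vin for vin, b in self.bindings.items()
                      if vin in self.last_sale and b.bound_on < self.last_sale[vin])


def demo(auto_unbind):
    """Run one constructed sale and return (new owner's result, stale VINs)."""
    reg = TelematicsRegistry()
    vin = "CONSTRUCTED-VIN-0001"  # placeholder, not a real VIN
    reg.bind(vin, "previous-owner", True, date(2017, 1, 10))
    reg.record_sale(vin, date(2018, 5, 1), auto_unbind)
    result = reg.bind(vin, "new-owner", True, date(2018, 5, 2))
    return result, reg.stale_bindings()
```

`demo(False)` reproduces the situation in the article: the new owner is refused and the VIN is reported as stale. `demo(True)` shows the binding cleared at sale, so the new owner can activate.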
