
Data Exfiltration: Vehicle Edition

I recently purchased a used vehicle from a local dealership, and so far, so good!  The Chevy Cruze works as expected: the tires all are round, and I have not managed to spin it yet.

However, I did not open the glovebox until I got it home from the dealership.  Inside I found a treasure trove of documents, none of which had my name on them.  It seems like the dealership did not completely clean out the vehicle before they sold it to me.  For this blog post, I am going to dive into what personally identifiable information I can gather from a used car and see what can be done to reduce my personal exposure in the future if I were to sell a vehicle to someone else.

Physical Inspection

To get started, find all of the personally identifiable paperwork that you can in the vehicle. 

Locations to check:

  • Glovebox
    • Additionally, look inside the driver’s manual
  • Under the seats
  • Seatback pockets
  • Under seat cushion storage
  • Dashboard cubbies
  • Center console storage
  • Under arm rests
  • Door pockets
  • Trunk
  • Under-trunk/spare tire storage
  • Frunk
  • Engine compartment (not sure how PII would exist here, but you never know)

 Anything is fair game for what might contain information, such as vehicle documentation, store receipts, insurance cards, registration paperwork, etc.

 In my specific case, I opened up the glovebox and found a plastic storage bag containing all of the previous owner’s information.

Glove Compartment.jpg

The first thing that I found was the registration and tab renewal paperwork.  This contains the name and address of the previous owner.  While the existence of this paperwork is not surprising, as all cars need registration paperwork in the state of Minnesota, this paperwork is not needed in the transfer to a new owner.

Registration.jpg

The next sets of papers are where the information exposure kicks into high gear.  Here we can see the previous owner’s loan agreement (underneath the redacted information).  This page included their name, address, traded vehicle’s VIN information, signatures, and their loan terms.  It appears they were not able to get a favorable loan.

Loan Agreement.jpg

There is even more information exposed on this application page.  Name, address, phone number, employment history, and social security number are among the most sensitive information exposed on this page. 

Loan Agreement 2.jpg

For the final page that I will show (there were a dozen pages total), this one shows the person’s credit score and signature. 

Credit Score.jpg

When everything was all said and done, I had enough information to commit identity fraud on two different individuals.  I was able to obtain the following information:

  • Name
  • Address
  • Phone Numbers
  • Employment History
  • Social Security Numbers (!)
  • Credit Score
  • Loan Terms and Conditions
  • Bank Account Information
  • Previous Vehicles with VIN numbers
  • Handwritten Signatures (full name and initials)

In a nutshell, this was a terrifying amount of someone else’s information to come into my possession.  If you are selling your vehicle, be sure to remove all of this information before you hand over the keys!  The dealership should have cleaned out the car, but apparently it is not a foolproof process.  A PII bonfire is in my near future.

Stereo / Infotainment

Most modern infotainment and stereo equipment has features such as navigation, Bluetooth audio, and phone call functionality.  There are many different items that you can check:

  • Bluetooth device pairing
    • Infotainment often lists what Bluetooth devices have been paired with the radio
  • Phone numbers and audio calls
  • Navigation history
  • Home or work addresses in navigation

I checked the newly purchased vehicle for what might exist.  Sure enough, the dealership did not clear out the infotainment settings prior to selling the vehicle to us.  While this particular infotainment does not have navigation built-in, it does contain the list of all previously paired Bluetooth connections and contact information for those connections. 

To verify, I went into the ‘Config’ setting:

Screen.jpg

From there, select ‘Phone Settings’:

phone settings.jpg

Select ‘Bluetooth’:

bluetooth.jpg

Select ‘Device List’:

bluetooth 2.jpg

Here we are presented with all devices that are hooked up to the vehicle’s Bluetooth.  This reveals the device names, which in this case were the previous owners’ names.

bluetooth 3.jpg

To scrub it from the system, select the name and press ‘Delete’:

bluetooth 4.jpg

Some infotainment system settings bury this information underneath layers of configuration screens, as it is not needed on a day-to-day basis.  However, be sure to walk through these settings and clean them up before you sell the car, as you should be in control of your data and not allow it to get into the hands of unknown individuals.

Peripherals

This list wasn’t as prevalent in my car, but there are still some things that you should check:

  • Garage door openers
    • If your vehicle has the option, built-in garage door openers usually reside in rear view mirrors or buttons on the ceiling.
  • OnStar on GM vehicles (other brands have different types of network connectivity)
  • iPhone/Android application access

 In summary, your car contains a lot of information about your life and should be treated with the same data sensitivity that you might give your smart phone or computer.  Be sure to follow your vehicle’s owner’s manual to disable any infotainment or accessory data that might have been ingested by your vehicle’s computers.  Finally, make sure that your vehicle is clean of paperwork before saying goodbye.