Skip to main content

Vehicle Personal Information & Exfiltration

I recently purchased a used vehicle from a local dealership, and so far, so good! My Chevy Cruze works as expected, the tires all are round, and I have not managed to spin it yet.

However, I didn’t open the glovebox until I got it home from the dealership. Inside, I found a treasure trove of documents, of which all of them did not have my name. It seems like the dealership didn’t completely clean out the vehicle before they sold it to me.

Personal Data & Used Vehicles

In this blog post, we will to dive into what personally identifiable information (PII) and data I can gather from a used car, as well as share what can be done to reduce my personal exposure in the future (if I were to sell a vehicle to someone else). 

Physical Inspection

To get started, find all of the personally identifiable paperwork that you can in the vehicle. 

Physical Locations in the vehicle to check for personally identifiable information:

  • Glovebox
    • Additionally, look inside/within the driver’s manual
  • Under the seats
  • Seatback pockets
  • Under seat cushion storage
  • Dashboard cubbies
  • Center console storage
  • Under arm rests
  • Door pockets
  • Trunk
  • Under-trunk/spare tire storage
  • Frunk
  • Engine compartment (not sure how PII would exist here, but you never know)

Anything is fair game for what might contain information, such as vehicle documentation, store receipts, insurance cards, registration paperwork, etc.

In my specific case, I opened up the glovebox and found a plastic storage bag containing all of the previous owner’s information.

Glove Compartment of used vehicle screenshot by White Oak Security, a treasure trove of sensitive personal information.

The first thing that was found was the registration and tab renewal paperwork. This contains the name and address of the previous owner. While this paperwork existing is not surprising, as all cars need registration paperwork in the state of Minnesota – this paperwork is not needed in the transfer to a new owner.

Old Registration found in used vehicle by White Oak Security’s pentester

The next set of documents were where the information exposure kicks into high gear. Here we can see the previous owner’s loan agreement (underneath the redacted information). This page included their name, address, traded vehicles VIN information, signatures, and their loan terms. It appears they were not able to get a favorable loan.

Loan Agreement with sensitive personal information found in used vehicle by White Oak Security’s pentester

There is even more information exposed on the application page below. Name, address, phone number, employment history, and social security number are among the most sensitive information exposed on this page. 

Loan Agreement page 2 has a ton of personal identifiable information found in used vehicle by White Oak Security’s penetration tester.

For the final page that we’ll share (there were a dozen pages total), this one shows the person’s credit score and signature. 

Credit Score and signatures, among other personally identifiable information was found in a used vehicle by White Oak Security’s pentester

When everything was all said and done, I have enough information to commit identity fraud on two different individuals. 

Sensitive Information Obtained From Used Vehicle:

  • Name
  • Address
  • Phone Numbers
  • Employment History
  • Social Security Numbers (!)
  • Credit Scores
  • Loan Terms & Conditions
  • Bank Account Information
  • Previous Vehicles with VIN numbers
  • Handwritten Signatures (full name & initials)

In a nutshell, this was a terrifying amount of someone else’s information to come into my possession by purchasing a used vehicle from a dealership. If you are selling your vehicle, be sure to remove all of this information before you hand over the keys! The dealership should have cleaned out the car, but apparently it is not a foolproof process. A PII bonfire is in my near future.

Stereo / Infotainment Inspection

Most modern infotainment and stereo equipment have features such as navigation Bluetooth audio and phone call functionality. 

Infotainment & Stereo items to check for personally identifiable information:

  • Bluetooth device pairing
    • Infotainment often lists what Bluetooth devices have been paired with the vehicle
  • Phone numbers & audio calls
  • Navigation history
  • Home or work addresses (in navigation)

I checked the newly purchased vehicle for what might exist.  Sure enough, the dealership did not clear out the infotainment settings prior to selling the vehicle to us. While this particular infotainment does not have navigation built-in, it does contain the list of all previously paired Bluetooth connections and contact information for those connections. 

How To Check Stereo & Infotainment For Personal Data:

To verify, I went into the ‘Config’ setting:

Vehicle Blue tooth settings, configuration page in a used vehicle. Exfiltrate by White Oak Security’s pentester

From there, select ‘Phone Settings’:

phone settings within configuration settings in a used vehicle being exfiltrated by White Oak Security’s pentester

Select ‘Bluetooth’:

bluetooth settings within used car has personally identifiable information found by White Oak Security’s penetration tester

Select ‘Device List’:

bluetooth and device settings in used car has sensitive personal information found by white oak security’s pentester

Here we are presented with all devices that are hooked up to the vehicle’s Bluetooth. This reveals the device name, which in this case was the previous owner’s names.

bluetooth settings in used vehicle has sensitive personally identifiable information found by white oak security’s penetration tester

To scrub it from the system, select the name and press ‘Delete’:

bluetooth settings are exhilarated by white oak security’s pentesters

Some infotainment system settings bury this information underneath layers of configuration screens as it is not needed in a day-to-day basis. However, be sure to walkthrough these settings and clean them up before you sell your car, as you should be in control of your data and prevent it getting into the hands of unknown individuals.


This list wasn’t as prevalent in my car, but there are still some things that you should check.

Additional Personal Identifiable Information Items Within Vehicles:

  • Garage door openers
    • If your vehicle has the option, built-in garage door openers usually reside in rear view mirrors or buttons on the ceiling.
  • OnStar on GM vehicles (other brands have different types of network connectivity)
  • iPhone/Android application access

Personal Information In Vehicles

In summary, your vehicle contains a lot of information about your life and should be treated with the same data sensitivity that you might give your smart phone or computer. Be sure to follow your vehicle’s owner’s manual to disable any infotainment or accessory data that might have been ingested by your vehicle’s computers. Finally, make sure that your vehicle is clean of paperwork before saying goodbye. 


White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 

Read more from White Oak Security’s pentesting team…