Both data and the online controls on "connected cars" from Jaguar Land Rover remain available to previous owners, according to security experts and owners of the upmarket vehicles. The car maker has defended its privacy safeguards and security of its InControl tech.
El Reg began investigating the issue after talking to Matt Watts, a techie who blogged about the issue of connected cars and the data they collect, without initially naming Jaguar Land Rover (JLR).
Watts' secondhand Range Rover came with the ability to remotely control the climate systems, call breakdown services, upload GPS/destination details and much more. The vehicle also keeps a record of much of this information and stores it in an online account.
Most drivers won't use this functionality, but Watts is a self-admitted geek. After he downloaded the JLR app to his smartphone and started to experiment, Watts realised that he was able to use the eight digits of the vehicle identification number (VIN) to link his vehicle to an online account.
When doing so, the JLR website informed him that the vehicle was linked to another user's account. After dealing with support centres and a JLR dealer, Watts was eventually told that the previous owners should have disconnected before selling on the car. He was initially advised to contact the previous owner, which is annoying enough in itself.
"The process to get the manufacturer to update the online details for the vehicle is for me to try and find the previous owner and get them to do it for me," Watts wrote.
The issue goes far beyond Watts being unable to use the funky functionality of his secondhand motor, as he explained:
The previous owner of my car has control over it, they can unlock it, they can remotely set the climate control without me knowing about it, even when the car isn't running, they potentially can even look at the sat-nav system, they can also call break down services to the vehicle and all of this without me knowing anything about it.
Someone else has access to a significant amount of data about myself and my vehicle and there appears to be nothing that the manufacturer is prepared to do about it.
Watts told El Reg: "Data is being collected about me and the vehicle's location and simply provided to whomever previously connected the app to the car. JLR needs a bullet-proof method for this to be automatically disconnected when the vehicle changes hands. I don't know how you do this but the current process is clearly not sufficient."
According to another secondhand Land Rover driver and IT industry pro, who did not wish to be named, the issue is not just around the mobile app but also the online account with JLR. This account – which ties into the InControl service offered by JLR – needs the VIN/car data removed from it when a car changes hands.
El Reg contacted Jaguar Land Rover's press office about the issue. "Matt's situation could have been handled a lot better, with him receiving incorrect information throughout the process," it said.
In a lengthy statement, the car maker went on to defend its procedure around the sale of connected cars against criticism from techie drivers we've spoken with.
If a customer sells a vehicle to a Jaguar Land Rover retailer, the retailer, as part of the purchasing process, will check that the customer has cleared all of their accounts and removed the vehicle from their InControl Portal. They will also advise the customer selling/exchanging the vehicle that the customer can unbind themselves too.
It is important to note that when the initial customer accepts the terms and conditions of Remote Premium services that they are agreeing to unbind the vehicle from themselves when they sell it on. If a private sale, Jaguar Land Rover or our retailers will have no sight of the vehicle between change of ownership so cannot check this process has been adhered to.
If the seller has not done this, the new owner can take their car to their local Jaguar Land Rover retailer to get the InControl Remote app and all InControl services reset. After ownership checks, the retailer will unbind the previous owner from that car.
This will mean that when the former owner goes onto their InControl Remote app or InControl Portal, they will receive a message stating that no vehicle is associated with this account and will no longer be able to view any information for that particular vehicle. The retailer will then set up a new account for the new owner, binding that vehicle to them. This process can also be done by the customer contacting the Jaguar Land Rover Customer Relationship Centre and providing suitable ownership documents.
If you have the VIN, you can press one button in the car to silently enable tracking. This enables a range of functions including remote unlock, start engine, and the ability to see where a car is, according to our unnamed tipster.
Watts added that "right now a previous owner of my Range Rover has the ability, from anywhere in the world with a data connection" to do all manner of undesirable things including but limited to:
- See the vehicle data remotely
- Look at my journey history
- Adjust the climate control
- Remote beep and flash the horn and lights
- Unlock the vehicle
Watts bought his car through an independent dealer. JLR said that the issues Watts had experienced wouldn't have arisen if sales procedures known to its registered dealers had been followed. Watts was dissatisfied with this response.
Watts told El Reg: "I personally find it completely unacceptable that JLR simply pass on the responsibility for unbinding a previous owners app from the vehicle to the dealer, who I'm not convinced will always do it, to an independent dealer, who may not even be aware of it, or to the new owner, who unless they're tech savvy and want to use these features may not even be aware of them."
In response to JLR's statement, he added: "It would appear that JLR's view is that it's the dealers' problem, the previous owner's problem or the current owner's problem, without accepting any responsibility or liability. In fact it's everyone else's problem except theirs, yet they are the ones collecting all this data."
User data and information should be a prime consideration in developing new connected car systems and capabilities. El Reg also asked JLR to comment on the GDPR implications of what had happened to Watts and our other source. The response was rather bland:
Customer confidentiality and the security and privacy of customer data is paramount to Jaguar Land Rover. We continually review our processes to identify further improvements to meet the security and privacy needs of our customers.
Watts plans to contact the dealer to get this sorted out while also raising awareness. "[The process] is full of holes and the manufacturers need to do something about it," he said.
Our anonymous tipster has similar concerns: "Remember that some of the JLR dealers are not optimal in fixing issues. It could be that the dealers should be able to do this but don't know how to. When I bought my approved used Disco, I didn't even know I had the tracker installed and just Googled the buttons."
The issue of the security of data collected by connected cars is far from limited to Jaguar Land Rover.
In response to his post about the issue, Watts has also been contacted by someone who said he had sold his previous "German" car through a main dealer in the Netherlands over a year ago. "He confirmed that he still has full remote control over it," Watts explained. "During the sale/exchange process he said the dealer didn't at any point ask about the app or make any mention about disconnecting it."
El Reg contacted transportation security expert Chris Roberts, who said that he too had come across the same issue in another brand of car.
"I picked up a used S550 and had the previous owner's info still in it," US-based Rogers told El Reg. "[It] took a call to [Mercedes-Benz] to sort that out."
Evil parking attendant
JLR also offered an explanation for how its InControl connected car tech is set up:
- The activation process affects all the telematics features, names of which vary depending on what model year, vehicle line and market the vehicle is, hence the references to Remote Premium and InControl Protect.
- Activation of the telematics features is a pre-meditated action - it can't be done casually: the customer has to go through the InControl Portal; have the VIN ready; follow a series of steps including account creation; go to the vehicle and press a specific button for 10 seconds; then follow some further steps in the web browser before the activation is complete.
- It also requires that: a) the customer has physical access to the vehicle – so they must have the keys and b) there is no other customer connected to the vehicle already - you cannot "kick an existing customer off" using this method.
Our unnamed tipster disputed this, in part. "You can bind a vehicle to your account if it is unbound. You [need to] have physical access to the car to press a button and know the VIN (from the dashboard or from some other system) – VINs are not confidential.
"Think not evil maid attack but evil parking attendant or evil valet attack. If it's not set up, I, as an evil valet, could easily set it up for them and then gain at best knowledge of where the customer is but also the ability to unlock the car and start the engine.
"I don't think it's possible to drive off without the keys - the engine may start remotely but will not allow you to actually drive off without having the keys." ®