Cyber Security Technical Blog

Vehicle Personal Information & Exfiltration

Written by Daniel Sandau | Oct 11, 2024 5:56:03 PM

I recently purchased a used vehicle from a local dealership, and so far, so good! My Chevy Cruze works as expected, the tires all are round, and I have not managed to spin it yet.

However, I didn’t open the glovebox until I got it home from the dealership. Inside, I found a treasure trove of documents, none of which had my name on them. It seems like the dealership didn’t completely clean out the vehicle before they sold it to me.

Personal Data & Used Vehicles

In this blog post, we will dive into what personally identifiable information (PII) and data I can gather from a used car, as well as share what can be done to reduce my personal exposure in the future (if I were to sell a vehicle to someone else).

Physical Inspection

To get started, find all of the personally identifiable paperwork that you can in the vehicle. 

Physical Locations in the vehicle to check for personally identifiable information:

  • Glovebox
    • Additionally, look inside/within the driver’s manual
  • Under the seats
  • Seatback pockets
  • Under seat cushion storage
  • Dashboard cubbies
  • Center console storage
  • Under arm rests
  • Door pockets
  • Trunk
  • Under-trunk/spare tire storage
  • Frunk
  • Engine compartment (not sure how PII would exist here, but you never know)

Anything is fair game for what might contain information, such as vehicle documentation, store receipts, insurance cards, registration paperwork, etc.

In my specific case, I opened up the glovebox and found a plastic storage bag containing all of the previous owner’s information.

The first thing I found was the registration and tab renewal paperwork. This contains the name and address of the previous owner. The existence of this paperwork is not surprising, as all cars need registration paperwork in the state of Minnesota, but it is not needed in the transfer to a new owner.

The next set of documents is where the information exposure kicks into high gear. Here we can see the previous owner’s loan agreement (underneath the redacted information). This page included their name, address, traded vehicle’s VIN information, signatures, and their loan terms. It appears they were not able to get a favorable loan.

There is even more information exposed on the application page below. Name, address, phone number, employment history, and social security number are among the most sensitive information exposed on this page. 

The final page that we’ll share (there were a dozen pages total) shows the person’s credit score and signature.

When all was said and done, I had enough information to commit identity fraud on two different individuals.

Sensitive Information Obtained From Used Vehicle:

  • Name
  • Address
  • Phone Numbers
  • Employment History
  • Social Security Numbers (!)
  • Credit Scores
  • Loan Terms & Conditions
  • Bank Account Information
  • Previous Vehicles with VIN numbers
  • Handwritten Signatures (full name & initials)

In a nutshell, this was a terrifying amount of someone else’s information to come into my possession by purchasing a used vehicle from a dealership. If you are selling your vehicle, be sure to remove all of this information before you hand over the keys! The dealership should have cleaned out the car, but apparently it is not a foolproof process. A PII bonfire is in my near future.

Stereo / Infotainment Inspection

Most modern infotainment and stereo equipment has features such as navigation, Bluetooth audio, and phone call functionality.

Infotainment & Stereo items to check for personally identifiable information:

  • Bluetooth device pairing
    • Infotainment often lists what Bluetooth devices have been paired with the vehicle
  • Phone numbers & audio calls
  • Navigation history
  • Home or work addresses (in navigation)

I checked the newly purchased vehicle for what might exist. Sure enough, the dealership did not clear out the infotainment settings prior to selling the vehicle to us. While this particular infotainment system does not have navigation built in, it does contain the list of all previously paired Bluetooth connections and contact information for those connections.

How To Check Stereo & Infotainment For Personal Data:

To verify, I went into the ‘Config’ setting:

From there, select ‘Phone Settings’:

Select ‘Bluetooth’:

Select ‘Device List’:

Here we are presented with all devices that have been paired with the vehicle’s Bluetooth. This reveals the device names, which in this case were the previous owner’s names.

To scrub it from the system, select the name and press ‘Delete’:

Some infotainment systems bury this information underneath layers of configuration screens, as it is not needed on a day-to-day basis. However, be sure to walk through these settings and clean them up before you sell your car: you should be in control of your data and prevent it from getting into the hands of unknown individuals.

Peripherals

This list wasn’t as prevalent in my car, but there are still some things that you should check.

Additional Personally Identifiable Information Items Within Vehicles:

  • Garage door openers
    • If your vehicle has the option, built-in garage door openers usually reside in rear view mirrors or buttons on the ceiling.
  • OnStar on GM vehicles (other brands have different types of network connectivity)
  • iPhone/Android application access

Personal Information In Vehicles

In summary, your vehicle contains a lot of information about your life and should be treated with the same data sensitivity that you might give your smartphone or computer. Be sure to follow your vehicle’s owner’s manual to disable any infotainment or accessory data that might have been ingested by your vehicle’s computers. Finally, make sure that your vehicle is clean of paperwork before saying goodbye.