Tuesday, April 16, 2024

Your Car’s Former Owner Might Still Have Access To Your Vehicle Via An App

When buying a used car, few of us think about security. Sure, it’s possible the former owners kept a key, but most of us just accept that and move on with our lives. However, there’s another factor you should be thinking about when buying a used car, whether you buy privately or from a dealer. Through the use of connectivity apps hooked into a car’s infotainment system, it’s possible for a former owner to open your car, start it, or even track your location.

It might sound like Hollywood nonsense, but it’s a real thing, here and now. A huge number of automakers now offer apps that will let you unlock your car or start the heating from the convenience of your smartphone. Some even let you track your car’s position, check the battery level, or monitor tire pressures and any warning lights on the dash. Using these services normally involves downloading the app on your smartphone, and then going through a process to pair the app with your vehicle. You can then control various features remotely, with the vehicle relying on a cellular data connection for this functionality.


The problem is that a car doesn’t know when it has been sold. This applies whether you’re getting rid of your car on Craigslist or you’re trading it in to a dealer. Unless somebody takes the decisive action to wipe existing app users from the car, they remain connected to the vehicle. Thus, it’s entirely possible for a former owner to track the position of a used car, and potentially even unlock it, start it, and drive away if they were so inclined. Or, they could simply clown the new owner by messing with settings and the like. It’s not a one-off problem, either—our research indicates this is very much happening on the regular.

This story landed on our desk thanks to the experience of Phillip Tracy, brother to our own David Tracy himself. His story is just one example of a phenomenon happening to a bunch of owners of cars of all different makes (We’ve already written about former Tesla owners tracking their Model Ss months after having sold them — two folks mentioned that their former cars had actually somehow made it to Ukraine). Phillip had recently traded in a 2021 Mazda CX-5 on the purchase of a new car, having enjoyed its connectivity features while owning it. And yet, when the deal was done and the Mazda was gone, something curious happened. “I continued to receive alerts from the MyMazda app about the status of my previous vehicle,” explains Phillip. “For several nights in a row, I received a notification that the car had been unlocked.”

The MyMazda app gave Phillip a great degree of access to the car, even after he sold it.

The car, as far as Phillip was aware, was still at the dealership, and was listed for sale on their website. “When I opened the MyMazda app, I could view the vehicle status including whether the vehicle was locked/unlocked along with remaining fuel, mileage, [and] VIN details,” he says. He quickly realized that this wasn’t a good thing. “More troubling than that, my remote app controls still seemed to function… I could attempt to lock, unlock, and remote start the car.”

Not wanting an undue level of control over somebody else’s car, Phillip did the reasonable thing. “I notified the salesperson at my local Audi dealer, advising them to wipe the CX-5’s system so this sensitive information and safety functionality was withheld from anyone but a new owner,” he explains. And yet, even then, it appeared little was done to rectify the situation. “I continued to receive notifications even after the car was delisted from the Audi dealership website.”

Phillip couldn’t be sure if the car had been sold to a new owner, but he suspected as much given the car was no longer listed online. At this point, he was still getting regular notifications on the Mazda app, and it appeared that he could still unlock or start the car if he so desired. “The remote functionality appeared to function… the “press and hold” to unlock/lock/remote start dial would begin to count down,” he says. “I did not fully attempt to use any of those features to avoid disturbing a potential new owner or possibly putting them in danger.”

To solve the problem, Phillip went ahead and “unenrolled” himself from the Mazda’s VIN within the app, permanently disconnecting him from the vehicle. “The VIN still appears on the front page of the app but I need physical access to the vehicle to re-enroll,” he says. That stopped him getting notifications, and cut any remote access he had to the vehicle.

Some apps even allow tracking the vehicle’s location, and the setting of “tripwires” that will set off a notification in the app when the vehicle is moved.

This isn’t a one-off occurrence, and it’s not just Mazda, either. Look around and you can find stories like this one everywhere. One former Mazda owner on Reddit noted they still had access to the MyMazda app a month after selling their vehicle. The same thing can happen with any automaker’s vehicles that offer similar functionality. In 2021, WGME reported on cases involving the FordPass app, while BMW owners have taken to forums to complain of similar issues.

Phillip was mature enough to handle this properly, but you can’t rely on that always being the case. Even outside stalking or theft, there’s plenty of room to use these apps to irritate and annoy someone by forever unlocking their car or starting the engine at random hours. Sure, the vast majority of adults aren’t so stupid and petty [Editor’s Note: Hold my beer – JT], but the possibility exists because of these apps.

Mazda makes it clear that it’s an owner’s responsibility to cancel their service.

Multiple automakers have made it clear that it’s on individuals—either those disposing of a car, or those buying one—to deal with this issue. The FTC has also noted that good automotive security goes both ways, and that owners should be clearing data from their cars prior to sale.

That sounds all well and good, but it can be a real frustration at times. Some buyers of used Toyotas have had to pick up the phone and deal with paperwork in order to register an app with their cars, because the previous owners never bothered to disable their connection. Honda owners have been through similar experiences trying to gain full access to a car they’ve already bought and paid for.

Obviously, in a private sale, it’s easy to understand how responsibility comes down to the seller and/or buyer. On the other hand, you might think a used car dealership would handle this sort of thing for its customers, but it’s by no means always the case. While these systems have been around for years now, it seems that resetting them hasn’t become a checklist item for dealers processing used cars.

To a degree, it’s understandable. It would be difficult for a dealership to know the processes required to reset or unpair every single kind of infotainment system from every single automaker. This is especially the case for those automakers that require more strenuous processes like jumping on the phone to verify ownership details. Furthermore, by and large, people generally don’t seek to cause havoc with their old vehicles after selling them, so it likely hasn’t been a major problem for most dealers. It’s possible that a notable incident or two could change practices in the industry, but there doesn’t seem to be much impetus for change at this point.

In any case, it’s a lesson that you have to look out for yourself in this regard. If you’re buying a new car with any sort of remote connectivity features, ensure that past owners have been unpaired from the system. Similarly, if you’re selling up, you’ll want to be clearing out all your private data from the vehicle and severing the connection yourself.

Image credits: Phillip Tracy, Hyundai via screenshot, BMW via YouTube screenshot, Mazda

