“This isn’t just a Tesla thing, it’s every single infotainment system,” said Justin Schorr, president of DJS Associates, a vehicle forensics firm that reconstructs crashes using on-board data. “Think of all the vehicles with screens, this is ubiquitous almost.”
Infotainment systems have become common on vehicles in the last decade. They collect data, which can include our smartphone’s contacts, emails, call history logs, photos and text messages. There aren’t well-known examples of concerning uses of this data when taken from cars, but personal data has been misused when gathered from other sources. Our vehicles may be the next vulnerability that’s exploited.
“Everything that can be used for a nefarious purpose, will eventually be found by a nefarious person and used for a nefarious purpose,” Schorr said. “If you pair your phone with a rental car, and that car gets in a crash two years later, personal information about you could be pulled off it.”
Generally, specialized skills and training are required to access a car’s infotainment system and all of the data stored on it. A car’s dashboard may need to be removed to access the system.
Given the risks, cybersecurity experts recommend doing a factory reset of a vehicle when selling it, or when returning a rental car that you paired your phone with.
Some suggest going even further.
Phil Neray, vice president of Internet of Things and industrial cybersecurity at the start-up Cyber X, said that before selling a car, do a factory reset and then take the vehicle to a dealer and ask them to wipe it clean of data. The factory reset may not sufficiently remove all data present.
To completely sidestep the issue, a consumer could buy a cigarette lighter charger, and use that rather than plugging their smartphone in the USB port. However, then they won’t be able to enjoy the benefits of pairing their phone with the infotainment system.
In the long run, consumer awareness of the issue may be needed most to be impactful and better protect personal data.