You’ve no doubt heard the stories about cars being hacked over Wi-Fi or Bluetooth, but today I want to talk about an easier security risk: second-hand, hire and courtesy cars…

I’ve recently had my car in the garage to have it serviced, and I was provided with a reasonably new courtesy car. I had to drive a fair distance so paired my mobile phone over Bluetooth so I could listen to podcasts while driving. As part of the pairing process I was asked if I wanted to replace the existing contact list for the phone in the car, and that set me thinking…

I looked at the sat nav, and guess what? Several pages of addresses were listed, none of which I’d added: these had been created by those who had the car before me.

I looked at the list of connected phones, other than mine, and there were a couple of pages of paired phones, including some which said things like “John Smith’s iPhone”.

I looked at the existing phone contacts listed on the car – none of them were mine.

What does all this mean? It’s all pretty innocent stuff, right? Wrong.

I can now try to match “John Smith” with the addresses listed. I can use the phone contact list to look for people that “John Smith” might know: for example, on social media and sites like LinkedIn. I know what kind of phone he uses, so that tells me more about him too. This is all information I could use to mount a spear phishing attack, if I was so inclined.

Of course, I’m not so inclined: I’d much rather tell you about it so you can protect yourself.

So, what can you do? Simple: whether you’re returning a hire car or courtesy car, or selling your own car, make sure you delete all your details, including addresses and contact information, before you hand the car over.
