I recently bought a new-to-me (euphemism for ‘used’) car. It is fancy, a term I use loosely given my history of driving pickup trucks or 10+ year old cars running on their last few pistons. But this is a 2014 with all the luxuries model year 2014 offered us in the way of Bluetooth, smartphone connectivity, GPS, etc.
As a tech nerd I was excited to upload my entire digital life into the dash of my sedan and scurry off to the next client. However, as a security professional I encountered some concerning breadcrumbs about the last owner. As such, here is a proof of concept attack that will make you think twice before sending your car off to its next life.
GPS – My first order of business was to program the GPS to send me home. The only problem: the previous owner’s home address was already listed. Along with his home address, the previously searched addresses and locations were included in the search history as well. Home, office, and even a vacation house were listed.
Contacts List and Call History – My next step was to connect my smartphone via Bluetooth. The previous owner had done the same, but never deleted the contact list and call logs that were saved in the dash’s memory, so I was served a nice list of all his primary contacts. The list included quite a few doctors as well. Given that my new-to-me sedan is a model favored by retirees, I’m sure that, with a little ingenuity, someone more nefarious than I could have easily exploited medical records from the list of doctors stored in his contact list.
So let’s recap. Because the previous owner didn’t take a few simple steps to delete his (or her) personal details, I had his home address. A quick search through the local property tax records could have identified his name. I had access to his garage door opener, which could have given me physical access to the premises. Reviewing his phone records could identify frequent contacts like spouse and family, and even a list of doctors. If that search were to be expanded to include online records, Facebook or LinkedIn could have identified employer information and additional personal connections, maybe even some of those phone numbers in the contact list.
To be clear, I did nothing disreputable with the information from my new-to-me car. I used the “delete all personal data” feature to wipe all the information discussed in this article. However, this proof of concept serves as a reminder that the technology that makes our life easier can also expose us in ways we don’t always consider. Expand this risk to your business practices: do you wipe the hard drives of PCs before returning them to the leasing company or disposing of them? Is removing access to mail, contacts and calendars from the user’s mobile device part of the employee separation process? What if your staff rents a car, syncs their mobile device, then forgets to delete the data that was synced? Information security goes far beyond protecting your computer. Don’t forget all the other, non-traditional locations where data lives.
Bryan is a Partner at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.