Someone Just Told Me They Can Remotely Unlock The Doors To A Car They No Longer Own, And It Turns Out It’s Not Uncommon

When buying a used car, few of us think about security. Sure, it’s possible the former owners kept a key, but most of us just accept that and move on with our lives. However, there’s another factor you should be thinking about when buying a used car, whether you buy privately or from a dealer. Through the use of connectivity apps hooked into a car’s infotainment system, it’s possible for a former owner to open your car, start it, or even track your location.

It might sound like Hollywood nonsense, but it’s a real thing, here and now. A huge number of automakers now offer apps that will let you unlock your car or start the heating from the convenience of your smartphone. Some even let you track your car’s position, check the battery level, or monitor tire pressures and any warning lights on the dash. Using these services normally involves downloading the app on your smartphone, and then going through a process to pair the app with your vehicle. You can then control various features remotely, with the vehicle relying on a cellular data connection for this functionality.

The problem is that a car doesn’t know when it has been sold. This applies whether you’re getting rid of your car on Craigslist or you’re trading it in to a dealer. Unless somebody takes the decisive action to wipe existing app users from the car, they remain connected to the vehicle. Thus, it’s entirely possible for a former owner to track the position of a used car, and potentially even unlock it, start it, and drive away if they were so inclined. Or, they could simply clown the new owner by messing with settings and the like. It’s not a one-off problem, either—our research indicates this is very much happening on the regular.

This story landed on our desk thanks to the experience of Phillip Tracy, brother to our own David Tracy himself. His story is just one example of a phenomenon happening to a bunch of owners of cars of all different makes (We’ve already written about former Tesla owners tracking their Model Ss months after having sold them — two folks mentioned that their former cars had actually somehow made it to Ukraine). Phillip had recently traded in a 2021 Mazda CX-5 on the purchase of a new car, having enjoyed its connectivity features while owning it. And yet, when the deal was done and the Mazda was gone, something curious happened. “I continued to receive alerts from the MyMazda app about the status of my previous vehicle,” explains Phillip. “For several nights in a row, I received a notification that the car had been unlocked.”

The MyMazda app gave Phillip a great degree of access to the car, even after he sold it.

The car, as far as Phillip was aware, was still at the dealership, and was listed for sale on their website. “When I opened the MyMazda app, I could view the vehicle status including whether the vehicle was locked/unlocked along with remaining fuel, mileage, [and] VIN details,” he says. He quickly realized that this wasn’t a good thing. “More troubling than that, my remote app controls still seemed to function… I could attempt to lock, unlock, and remote start the car.”

Not wanting an undue level of control over somebody else’s car, Phillip did the reasonable thing. “I notified the salesperson at my local Audi dealer, advising them to wipe the CX-5’s system so this sensitive information and safety functionality was withheld from anyone but a new owner,” he explains. And yet, even then, it appeared little was done to rectify the situation. “I continued to receive notifications even after the car was delisted from the Audi dealership website.”

Phillip couldn’t be sure if the car had been sold to a new owner, but he suspected as much given the car was no longer listed online. At this point, he was still getting regular notifications on the Mazda app, and it appeared that he could still unlock or start the car if he so desired. “The remote functionality appeared to function… the “press and hold” to unlock/lock/remote start dial would begin to count down,” he says. “I did not fully attempt to use any of those features to avoid disturbing a potential new owner or possibly putting them in danger.”

To solve the problem, Phillip went ahead and “unenrolled” himself from the Mazda’s VIN within the app, permanently disconnecting him from the vehicle. “The VIN still appears on the front page of the app but I need physical access to the vehicle to re-enroll,” he says. That stopped him getting notifications, and cut any remote access he had to the vehicle.
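
The gap described above (app pairing that outlives the sale) and the physical-access requirement for re-enrollment can be modelled in a few lines. This is an added example, not code from the article or from any automaker; the class, its method names and the "ownership epoch" idea are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Backend:
    """Toy telematics backend; every name here is hypothetical."""
    epoch: dict = field(default_factory=dict)     # vin -> ownership epoch
    enrolled: dict = field(default_factory=dict)  # (account, vin) -> epoch when paired

    def enroll(self, account, vin, physical_presence):
        # Pairing needs proof of being in the car, as the article notes
        # for re-enrollment.
        if not physical_presence:
            raise PermissionError("enrollment requires physical access")
        self.enrolled[(account, vin)] = self.epoch.setdefault(vin, 0)

    def transfer(self, vin):
        # A sale or trade-in is recorded: begin a new ownership epoch.
        self.epoch[vin] = self.epoch.get(vin, 0) + 1

    def authorize_weak(self, account, vin):
        # The behaviour the article describes: pairing alone is enough,
        # so a former owner's app keeps working after the sale.
        return (account, vin) in self.enrolled

    def authorize_strict(self, account, vin):
        # Pairing must date from the vehicle's current ownership epoch.
        key = (account, vin)
        return key in self.enrolled and self.enrolled[key] == self.epoch.get(vin)

    def stale_enrollments(self):
        # Audit: accounts still paired from an earlier ownership epoch.
        return sorted(k for k, e in self.enrolled.items()
                      if e != self.epoch.get(k[1]))


def demo():
    b = Backend()
    vin = "VIN-PLACEHOLDER-0001"  # constructed value, not a real VIN
    b.enroll("former_owner", vin, physical_presence=True)
    b.transfer(vin)               # trade-in recorded
    b.enroll("new_owner", vin, physical_presence=True)
    return {
        "weak_former": b.authorize_weak("former_owner", vin),
        "strict_former": b.authorize_strict("former_owner", vin),
        "strict_new": b.authorize_strict("new_owner", vin),
        "stale": b.stale_enrollments(),
    }


if __name__ == "__main__":
    print(demo())
```

The strict check only helps if something actually records the transfer; the audit function is what a dealer or backend operator would run to find pairings left over from a previous owner.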

Some apps even allow tracking the vehicle’s location, and the setting of “tripwires” that will set off a notification in the app when the vehicle is moved.

This isn’t a one-off occurrence, and it’s not just Mazda, either: it can happen with any automaker’s vehicles that offer similar functionality. Look around and you can find stories like this one everywhere. One former Mazda owner on Reddit noted they still had access to the MyMazda app a month after selling their vehicle. In 2021, WGME reported on cases involving the FordPass app, while BMW owners have taken to forums to complain of similar issues.

Phillip was mature enough to handle this properly, but you can’t rely on that always being the case. Even outside stalking or theft, there’s plenty of room to use these apps to irritate and annoy someone by forever unlocking their car or starting the engine at random hours. Sure, the vast majority of adults aren’t so stupid and petty [Editor’s Note: Hold my beer – JT], but the possibility exists because of these apps.

Mazda makes it clear that it’s an owner’s responsibility to cancel their service.

Multiple automakers have made it clear that it’s on individuals—either those disposing of a car, or those buying one—to deal with this issue. The FTC has also noted that good automotive security goes both ways, and that owners should be clearing data from their cars prior to sale.

That sounds all well and good, but it can be a real frustration at times. Some buyers of used Toyotas have had to pick up the phone and deal with paperwork in order to register an app with their cars, because the previous owners never bothered to disable their connection. Honda owners have been through similar experiences trying to gain full access to a car they’ve already bought and paid for.

Obviously, in a private sale, it’s easy to understand how responsibility comes down to the seller and/or buyer. On the other hand, you might think a used car dealership would handle this sort of thing for its customers, but it’s by no means always the case. While these systems have been around for years now, it seems that resetting them hasn’t become a checklist item for dealers processing used cars.

To a degree, it’s understandable. It would be difficult for a dealership to know the processes required to reset or unpair every single kind of infotainment system from every single automaker. This is especially the case for those automakers that require more strenuous processes like jumping on the phone to verify ownership details. Furthermore, by and large, people generally don’t seek to cause havoc with their old vehicles after selling them, so it likely hasn’t been a major problem for most dealers. It’s possible that a notable incident or two could change practices in the industry, but there doesn’t seem to be much impetus for change at this point.

In any case, it’s a lesson that you have to look out for yourself in this regard. If you’re buying a new car with any sort of remote connectivity features, ensure that past owners have been unpaired from the system. Similarly, if you’re selling up, you’ll want to be clearing out all your private data from the vehicle and severing the connection yourself.

Image credits: Phillip Tracy, Hyundai via screenshot, BMW via YouTube screenshot, Mazda

Hugh Crawford
8 months ago

Doesn’t someone have to pay a cell service provider, have a sim chip etc. to maintain connection with the car?

Mark M
8 months ago
Reply to  Hugh Crawford

Mazda, at least, includes 3 years of connectivity with their cars – sometimes more. At some point yes, you gotta pay.

Mr E
8 months ago

Because I know the vast majority of my customers never bother (or, more accurately, cannot be bothered), the first thing I do with either a lease return or a trade in is perform a Master Reset on the vehicle.

Takes 2 minutes tops, and it avoids a complaint about privacy down the road, even though it’s really the customers’ responsibility. Job done.

Defenestrator
8 months ago
Reply to  Mr E

Does that clear out all the remote app access as well, or just local data?

Mr E
8 months ago
Reply to  Defenestrator

It wipes everything clean – contacts, saved destinations as well as the FordPass connection.

William Sheppard
8 months ago

I still had access to the Kia Telluride I sold like, two years ago until this article prompted me to check. At the time I sold I <couldn’t> remove the Kia from my account until another owner claimed it – fortunately Kia seems to have finally changed that setting so I was able to delete it! Hooray!

OnceInAMillenia
8 months ago

Should the former owner be responsible for doing this? Absolutely, but it shocks me that this isn’t standard procedure on a PDI checklist for any major dealer, at the very least one who matches the brand of the car being sold (e.g. a Mazda dealer ought to double check that trade in Mazdas are deactivated).

I say this because I know VW dealers can activate CarNet subscriptions during new car trial periods, so the ability exists for them to open the system, provision a new user account, and tie it to the car. It should be trivial to cut off old user access if the dealer has taken possession.

Double Wide Harvey Park
8 months ago

> It would be difficult for a dealership to know the processes required to reset or unpair every single kind of infotainment system from every single automaker.

Not really. All it takes is for the sales person to google it on their phone in between two salvos of spam texts to potential customers.

EVDesigner
8 months ago

Hahahaha bold of you to consider sales people as benefits to society. They’re too busy selling another car with markups.

Toecutter
8 months ago

Another point in favor of a simple car with mechanical door locks/handles, roll-up windows, a mechanical ignition, and real buttons controlling everything, without ANYWHERE for a phone to control access to anything on the car.

I think cars from the 1990s and early 2000s had the right balance of tech vs simplicity. Everything after has been purely extraneous and redundant, at the cost of all sorts of exploits, hacks, vulnerabilities, and additional maintenance/repair costs foisted upon the owner.

Phuzz
8 months ago
Reply to  Toecutter

I mostly agree with you, but having a key fob to remotely unlock my car came in handy last year, when some arsehole tried to break in and thoroughly mashed up the door lock to the point where a key wouldn’t even fit in it.

Dingus
8 months ago
Reply to  Phuzz

I’d like to have an option where you can just disconnect the online services from the car itself. You know, like how you can turn off your cell radio/wifi/bluetooth on a phone by putting it into airplane mode?

I am a little worried about the next car purchase since anything reasonably modern will come with all of this stuff. I don’t want all my car’s telemetry being sent back to a manufacturer or shared with other 3rd parties who might buy it.

Yes, I’m a paranoid weirdo, I physically removed the hardware bridge that connects my car’s onstar unit from the cellular radio. I don’t use onstar, but it keeps sending back data that I didn’t ask it to and there’s no way to opt out (short of doing what I did). I’d like to have some control over what my car tells strangers. I don’t see that happening anytime soon short of a lot of weird monkey business with car software that could potentially break important stuff.

Maybe I can get my car a tinfoil hat to match mine.

Totally not a robot
8 months ago

This is also a major problem for civil issues like divorces — there was a piece in NY Times a while ago about the issue. People can track and harass their exes through the app. For people who have separated but not legally divorced, they’re in an even tougher spot if both spouses are on the title, because car manufacturers refuse to remove the harasser from the app, since they still have legal ownership of the car.

Space
8 months ago

The only way an app is getting into any of my cars is if they use the app to hire a locksmith, or a hammer to smash my windows I guess.

OttosPhotos
8 months ago

A friend sold his Focus EV to Carvana, and for several months after that, he was still able to locate the car via the app. Don’t remember if he could unlock the doors or remote start it though.

Mr Sarcastic
8 months ago

Duh am I the only person who realizes if the previous owner doesn’t disconnect the app all their information is still saved in the vehicle and they have far more to lose? Phone numbers acct numbers contacts everything. Having just bought a used car Toyota I called a few dealers. Most service departments didn’t know it was a thing. But one said they have the ability to cut access pretty easily.

Chartreuse Bison
8 months ago
Reply to  Mr Sarcastic

For the record, any car new enough to have an app isn’t saving numbers. It loads the contacts when the phone connects. Though addresses and stuff are gonna be there.
And yeah unlinking is just typing in a VIN on a webpage and hitting unlink. It’s just a hassle over the phone because they have to verify you are the new owner.
And that just takes out the app on anything but the newest entertainment system (Which is cloud based, yes it’s as dumb as it sounds)

Mr Sarcastic
8 months ago

Thanks for the info

Jack Beckman
8 months ago

I also experienced this after trading in my Buick Enclave. I personally reset the infotainment to factory and called Onstar to let them know the car had been traded in to a dealer and I no longer owned it. In spite of that, I got an alert a few days later from the MyBuick app that I hadn’t remembered to delete. So I unenrolled the car and then deleted the app.

At the end of the month, Onstar sent me an email with the car’s status (I had signed up for them when I owned it) and a follow-up email reminding me that I needed to re-up to Onstar if I wanted to keep using most of the app’s features. So I called them AGAIN and told them AGAIN that the car was traded in.

Amazingly, the rep told me that they confirmed that I called a month before and told them the car was no longer mine. I was too dumbfounded to ask “so why am I still getting alerts?” She assured me that they would take me off the car at that point, and I haven’t gotten an alert since.

So even if you try to disconnect it’s hard to actually do.

Geoffrey Reuther
8 months ago
Reply to  Jack Beckman

Ah, yes, I see they’ve been taking tips from AOL and SiriusXM on how to handle customer disconnects…

Jmfecon
8 months ago

Not only apps. Check the radio for contacts and even text messages for those cars that have those radios without Carplay/Android auto.

And profiles, a lot of cars have profiles nowadays, that may have lots of information.

Wife was looking for newer car. I was amused by the amount of information I could find in the infotainment systems.

Just waiting for these new cars that store pictures to go to the second hand market. That will be fun.

Squirrelmaster
8 months ago
Reply to  Jmfecon

As someone who rents cars often, I habitually purge the car of all traces of me before returning it. I also take the time to purge the data of all of those who rented the vehicle before me but never deleted their phone from the car.

As you note, it is wild the amount of info you can get from a car’s infotainment system.

Zerosignal
8 months ago
Reply to  Jmfecon

My cars both have the previous owners’ addresses set as “home” in their navigation systems. I plan to leave it that way, especially in my Hyundai that has the Kia Boyz vulnerability, that way if someone steals it and wants to go to my house, they will end up at the wrong address.

Jmfecon
8 months ago
Reply to  Zerosignal

That’s something I always avoided, especially because the garage door remote control is always in the car. That and leaving anything in paper that could have my address in the car.

Cryptoenologist
8 months ago
Reply to  Jmfecon

In many places you are required to have registration in the car at all times. I suppose you could carry it around but that seems inconvenient if more than one person uses the car. Luckily we use PO Boxes in my town so that’s all anyone would find out.

EXL500
8 months ago

Mine is hidden under a rubber insert in the console.

Defenestrator
8 months ago

In CO at least, they give you a registration slip that doesn’t have your address on it along with one that does.

Cryptoenologist
8 months ago
Reply to  Defenestrator

That’s thoughtful! In MN they give you a registration slip but you don’t actually have to keep it in the car. We live in CA now and you’ve gotta have it.

Double Wide Harvey Park
8 months ago
Reply to  Zerosignal

Classic spycraft

Vetatur Fumare
8 months ago
Reply to  Zerosignal

Change it to a nearby police station 🙂
