Re: Somehow I feel less and less need for a connected car
Citizen, you WILL buy a connected car. It's for your own protection.
Don't believe this crap? Then think of the children!
Both data and the online controls on "connected cars" from Jaguar Land Rover remain available to previous owners, according to security experts and owners of the upmarket vehicles. The car maker has defended its privacy safeguards and security of its InControl tech. El Reg began investigating the issue after talking to Matt …
If only it were possible for JLR to be able to confirm current owner identity by linking to the current insurance carrier of the vehicle. If the current insured name doesn't match what JLR already has, just send out a notification postcard to the insured on file that they need to come in for a reset.
Big if. But a rather simple fix to the whole situation if that's possible.
My 2015 F-Type came from main dealer couple of years back as ex demo. I found the app and registered online before car was ever delivered to me. All I needed was VIN and reg etc, all online and I could see the car and even START IT... Even before I'd touched it. Point being, I didn't need to press any keys and the jag app also lets you start the vehicle to cool/heat remotely.
I would be very surprised if this was only JLR, I have an old car and not affected by any of this nonsense but have seen Peugeots that will automatically install an app on your phone when you connect to the car and that also records all your journeys and stuff.
One thing to bear in mind is when you last bought a second hand car did you get all the keys? I know of one case where premium cars were sold and stolen back cloned and sold again several times using this method.
Personally the whole car connected thing comes under "just because you can, doesn't mean you should".
So it's perfectly normal, and indeed necessary, for your car to have an online account to which it posts all sorts of stuff - "Facebook for vehicles"?
The big question is not how to manage this, but why it's the case at all. As the lawyers say: “Cui bono?” - who gains from it? What possible benefit could there be to the owner of a car to have its journeys tracked, its air conditioning adjusted and its doors unlocked via the internet?
I run a very reliable car old enough to have none of this computerised junk on board. I seem to be able to do everything I need with it, and there's no need to worry about its previous owners.
Newish BMWs have the same capabilities although I think a lot of it is disconnected unless you pay the subscription after 3yr. When I got mine certainly the old data had been cleared.
However I also recently bought a used Mini (62 plate) and it still had the previous owner's phone book installed. Which I noticed when the car tried repeatedly to call 'Janet'. I don't know a Janet. That wasn't from a Mini dealer.
I have recently had to drive various infirm elderly relatives (in their cars). Being old they can afford newer cars than me, I soon learned to take cig lighter USB adapter to keep my phone charged in the cars (using phone as Sat Nav burns battery so need to keep it charged) - if I used the USB slot in the new cars they instantly tried to connect to my phone - link it to car so I could make / take calls, play my music etc.
All recent-ish Jaguars (so I'm presuming the same is true for the LR side of the business) use the touchscreen to control valet mode, rather than having a separate valet-mode key. You do have to then remember to take the emergency keyblade out of your fob before giving it to the valet though, otherwise resetting the car back to normal mode is trivially easy...
The sale and transfer of a car is now likely to involve the manufacturer regardless of private or dealer transaction.
It's not really like any other tech, as I don't need to engage a third party I may have had no relationship with to clear and sell my phone.
Your personal data, along with the car's data is now spread out across your phone, internally within the car, and with the manufacturer. Just deleting your app (unlikely) or, resetting your car (even less likely) is not sufficient. The car does not change its credentials on transfer either, VIN number stays the same for the life of the car. Where does this lead? Confusion over data being mine and personal, data that is car specific for the manufacturer and a vast, ill-considered gulf of grey between as current discussion shows. Overall modern cars are not "yours alone" like cars used to be before they gained SMART (oxymoron alert).
Relying on the seller to de-register is pointless and may be unfeasible if they are not alive, abroad, incapacitated, phone stolen or account closed etc. This is simply unworkable.
There needs to be some new broader thinking about how we now effectively borrow cars from the manufacturer regardless of the process we went through to get the keys...
Apparently, you think JLR should monitor all their vehicles and somehow know when they are sold off?
Of course not. But you do have to think of the process... and bump it up against a few things.
It's the typical security see-saw balance of usability versus security.
Make it too easy, then an auto thief can easily make changes so you can't track the car.
Make it too hard, then the owner gets upset.
Like any new technology where security is involved, it takes a bit for a good balance to be struck. So in the meantime, don't get too pissy about the situation. Instead, work to find a balanced solution. This is what security professionals are supposed to do.
My car was stolen. And it's always an awful shock. The GPS, as ever is with the previous owner. As the car was purchased at auction by the car sales, the previous owner could not be contacted.
I thought as it was a theft Jaguar would help. They wouldn't give me the GPS coordinates to at least get a 'what' happened to the car. If it had been on the day, maybe I could have recovered it.
The thieves must be laughing so hard, that a 2017 Jaguar has no tracking due to this farce. On transfer of ownership there are 101 triggers. And a piece of code could delete the old user. Even an email to have them confirm is easy.
So so frustrating when it's a stolen vehicle and they only talk about data privacy.
Most spares for this line of cars have prices that make the eyes water. The ever creative Vietnamese ne'er do wells can remove mirrors, for resale, with the greatest of ease.
https://v.vnecdn.net/vnexpress/video/web/mp4/360p/2017/05/09/trom-be-doi-guong-range-rover-chi-25-giay-1494303210.mp4
I needed the GPS for my stolen XE. A good time I would say to override an already broken system.
They said only the previous owner could do that. Even in this extenuating circumstance.
It is a simple piece of code to remove the previous owner for InControl also. It should be an automated procedure, thus allowing the new owner to enter VIN and add their details/account with no ownership by a previous owner.
I described a scenario to exaggerate the point. A kidnapping or someone stuck in the mountains.
So in a life or death scenario would they assist? They have all the data, user accounts are irrelevant. It's just a web front end to their back end DB.
I am sure they would act for a politician, celebrity. As they wouldn't want adverse publicity. Average Joe would have to do a Liam Neeson and track the previous owner down. Ha ha ...