Land Rover Telematics Not Secure – Gee, I Am Surprised
While I have written about this in general before, this item is specific to the Land Rover and its “Discovery” model. If this is a surprise to you, it should not be.
If you buy a used Land Rover, it is possible (likely) that the previous owner can still control your car through the Land Rover app or web site.
In *THEORY*, if you trade your Land Rover to an *AUTHORIZED* dealer, they are supposed to reset the telematics module to disconnect the previous owner. That does not always happen.
In addition, in the case of a private sale or a sale through a used car dealer, that probably never happens.
When the writer of the article liked below tried to link his newly acquired used Land Rover to the app, it said it was still connected to the previous owner.
That previous owner could unlock the care, adjust the climate and using the nav system see where he had gone and where he currently was.
Land Rover’s call center is apparently not trained to deal with it because they told him to find the previous owner. Sure! Right!
After the Register contacted Land Rover’s press office, sensing a PR disaster, they said that they could have handled it better.
They did say that he could take the car to the dealer and the dealer would reset it. Probably for a not-so-nominal fee, but they did not address that.
So, as a buyer of a used car, what do you need to do?
First of all, hopefully, if the car is a new car from the dealer, this should not be a problem. This is only a problem with used cars.
If you buy a used car from a dealer, at the time of sale you should ask the dealer to confirm that they have reset the telematics. To be safe, you can get the dealer to help you download the app and connect the car to the app. That way if the dealer is lying, you can call him on it right then, right there.
If it is a private party sale, you can ask the seller if he released the car from the app, but again, the best way to do it is to download the app while the previous owner is still within arms length and you can strangle him (figuratively, please).
One other note.
With laws like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, it is likely completely illegal for the car’s manufacturer to continue to collect data after the car is sold on the used car market. After all, even if the first buyer granted the manufacturer permission to collect data, the second buyer almost certainly did not and both laws have very explicit requirements for how the disclosure and opt in/opt language has to read. I think the courts will side with the used car buyer saying that the manufacturer did not provide “clear and conspicuous notice”. Expect a nice, juicy class action soon.
Information for this post came from The Register.