Connected Vehicles, EVs & Transportation Hacking
Modern cars are data centres on wheels. They collect location, behaviour, identity, and audio, and share it with parties most drivers have never heard of.
The Car That Stayed Behind
Mariam sold her car after a separation. She wiped her phone and changed her social media passwords. She felt like she had covered her tracks.
Three weeks later, her ex-partner knew she was visiting a friend in another city. She had told no one.
A digital safety advocate helped her trace the leak. Her old car's infotainment system still had her Google account logged in. The new owner had not reset it, and her location history was still syncing.
The car she no longer owned was reporting her movements.
What Is Actually Happening
92%
of tested used vehicles retained personal data from the previous owner, including contacts, location history, and linked accounts.
Selling or renting a car without a factory reset is equivalent to handing over a memory stick with your travel history on it.
Source: Mozilla Foundation "Privacy Not Included" Car Study, 2023All Major Brands Collect Location Data
Mozilla's 2023 study found that every major car manufacturer collects more data than necessary and most share or sell it. 76% have unclear data deletion policies. Tesla, Volkswagen, and GM each received failing privacy grades.
Driving Data Used to Raise Premiums
Multiple US insurers used telematics data from connected cars to retroactively raise premiums for customers who had not opted into monitoring programmes, the data was obtained via manufacturer data-sharing agreements the driver never directly consented to.
Five Vehicle Data Risks
GPS Location History and Surveillance
Every journey is timestamped and stored. Manufacturers retain this data, often indefinitely. Law enforcement accesses it via warrant, and in documented cases, without one at the point of initial collection. Charging station logs from EV networks have been separately sold to data brokers, creating a movement history independent of the vehicle manufacturer.
Dashcam and In-Cabin Footage
Dashcams and in-cabin cameras record driver and passengers. Some manufacturers store clips server-side. Tesla's Sentry Mode footage has been subpoenaed in criminal cases. A 2023 case documented a vehicle recording footage of nearby protests and uploading it without active user knowledge.
Bluetooth Pairing Logs
Every device ever connected to a car's infotainment system is logged. Forensic extraction of Bluetooth logs from rental and sold cars has been used to place specific individuals in vehicles at specific times. This data survives after the phone is disconnected and persists unless the system is reset.
Ride-Sharing App Vulnerabilities
Uber, Lyft, and similar platforms retain journey origin and destination, timestamps, account identity, and payment information. Both have complied with thousands of law enforcement data requests annually, in some cases without a warrant under emergency disclosure provisions.
Physical Danger from Vehicle Compromise
Researchers have demonstrated remote access exploits on multiple connected vehicle platforms, including the ability to disable brakes, control steering, and remotely unlock doors. While mass exploitation remains rare, targeted attacks on high-profile individuals are documented. Vehicle software patching is as important as phone patching and is frequently neglected.
Try It: Your Car Knows
Tap each data point to see who has access, whether you consented, and one documented real-world case.
What That Just Showed You
Every data type has a different recipient.
GPS goes to the manufacturer and potentially law enforcement. Charging data goes to the network operator. Bluetooth logs stay on the device. Insurance telematics goes to the insurer via separate agreement. There is no single point of control.
Most sharing happens without your direct consent.
Manufacturer-to-insurer data sharing is governed by contracts between those companies, not by a choice you made. Drivers who never opted into telematics programmes have had their premiums raised using data obtained this way.
The factory reset gap is the most common oversight.
92% of tested second-hand vehicles retained the previous owner's personal data. It is not a rare edge case — it is the default outcome when a car changes hands without a deliberate reset step.
Three Things Worth Doing
1. Factory reset the infotainment system before selling, trading, or returning a rental. This removes accounts, contacts, and location history. Check the owner's manual for your specific model.
2. Review your manufacturer's connected services settings. Most manufacturers offer a data sharing opt-out in vehicle settings or the companion app. It may reduce some features but significantly reduces your data exposure.
3. Delete your ride-share trip history periodically. Uber and Lyft allow manual trip history deletion from account settings. Do this regularly.
One Question Before You Continue
Mariam factory-reset her phone and changed her social media passwords after her separation. But her ex-partner still knew her location. What did she miss?