Putting GPS trackers and consumer privacy to the test

Whether you’re a consumer or a business owner, cybersecurity is becoming more and more important every day.  It’s a big concern. In fact, in a national survey we did earlier this year, 70% of consumers said they were concerned about their personal data being disclosed to the wrong people.

At the same time, most existing and soon-to-be new vehicle owners are worried about car theft — justifiably so due to an upward trend of stolen cars and trucks over the past year (+9.2%, according to the FBI).

Dealers can turn these two concerns into a business opportunity, providing solutions that enable quick recovery of stolen vehicles while at the same time protecting consumers from any potential privacy breach. But not all theft recovery solutions offer the same level of protection of consumer data. 

Do All GPS Trackers Protect Consumer Privacy?

While some GPS-based solutions are carefully designed to protect the devices and their data from hacking, others have very little or no protection at all. Why does this matter? With a poorly protected tracker, thieves could easily find a car’s location, allowing them to discover where the owner lives, where they work, and even where their kids go to school.  And car dealers selling insecure solutions run the risk of incurring their customers’ wrath.

Kudelski IoT Security Labs runs one of the world’s most advanced security testing labs for connected devices like GPS trackers, so we decided to look at two different tracking solutions in depth, one a traditional wired-in solution, and the other a next-generation, battery-powered, wireless solution. 

The Bad News: Solution A

Solution A is usually installed by a dealership technician who connects it to the vehicle’s battery. When we examined this solution, we found some shocking things.  We were easily able to find out the phone number the device used to communicate with the cellular network. We could then get it to provide us with its exact location simply by sending it a text message using commands we found published on the internet.  This on its own represents a violation of consumer privacy and opens people up to dangers like stalking, theft and other crimes. If the system were designed with security in mind, we wouldn’t have been able to get that information.

We also discovered that hackers could get the tracker to send out a false location. And they could even disable the tracker altogether by remotely tampering with its software.

That means that the owner and police would have no way to track the car when stolen. Or even worse, thieves could send authorities searching in the wrong direction.  

For consumers using poorly secured devices, the problems associated with these threats are obvious.  If you’re a car dealer selling these devices to your customers, you risk bad PR, decreased revenue, loss of trust and perhaps even liability issues if a solution you sold is compromised. 

But thankfully there’s also good news!

The Good News: Solution B

Our testing of Solution B – a next-generation wireless tracking device – found NONE of the same weaknesses.  It successfully protected location information from hackers, only enabling the actual owner of the device to access their car’s position. This device also had strong protections in place to ensure no one could remotely disable it or tamper with it, ensuring it was always available to report the vehicle’s correct location. For consumers, this means their privacy and safety are protected. It also improves the chances they’ll be able to get their car back fast if it’s stolen. For car dealers, it means satisfied customers and no liability issues from compromised devices.

How to Choose Which Product to Buy or Sell? 

There are three key questions dealers should ask about vehicle tracking devices before they agree to sell them to their clients. 

• Is the device designed with data privacy in mind? Is location data protected?
• What has been done to protect the device from hackers so it can’t be tampered with or disabled?
• Is the company that designed the device using internal or external security experts to test the end-to-end security of the solution? 

If you don’t get satisfactory answers to all these questions, then it’s probably better to steer clear of selling devices from that company.

Did you enjoy this article from Joël Conus? Please share your thoughts, comments, or questions regarding this topic by submitting a letter to the editor here, or connect with us at newsroom@cbtnews.com.