Bhargab Acharya and Christos Papadopoulos, University of Memphis; Sam Lauzon and Spiros Thanasoulas, unaffiliated; Bidhya Shrestha, University of Memphis
This study exposes a critical privacy vulnerability affecting millions of vehicle owners: the persistence of personal data in discarded automotive infotainment systems. Our research demonstrates how easily accessible these systems are through secondary markets, where components from vehicles as recent as 2020 can be acquired for just $20-100. With minimal effort, we extracted extensive personal information including contact lists, precise location histories, and even active authentication credentials that could potentially compromise vehicles still in operation. The scale of this privacy risk is substantial—U.S. Census data shows over 150 million modern vehicles remain on American roads, with millions processed through the salvage industry annually. Unlike smartphones or computers, vehicles often remain in service for 15+ years with minimal software updates, creating an expanding universe of vulnerable platforms containing personal data. Most concerning, we found recent model vehicles (2016) running severely outdated software with known security vulnerabilities. Our findings highlight an urgent need for revised automotive privacy frameworks, mandatory secure deletion mechanisms, and industry-wide adoption of privacy-by-design principles to address this growing threat to consumer privacy and potentially physical security.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
