This is the true story of when my personal life and my security research world collided. It’s also a love story, but it’s not really that mushy.

Let’s start with the love story. I used to have a great convertible car. It brought me joy to cruise around Austin, wind blowing through my thinning hair and The Black Keys on the radio. Then I had kids. I decided having a good roof over my kids’ heads is just as important in the car as it is in the house. I responsibly disclosed to my wife that I wasn’t happy about it, but I decided to be an adult and trade in my convertible. My lovely convertible went back to the dealership and I got a more kid-friendly model from the same manufacturer.

I’m a security researcher, so I’m skeptical of everything by nature. Before I brought the car to the dealership I deleted all my personal information from the car, reset the phone book, removed all connected devices and reset the garage door opener. When I got to the dealership, they took several steps as well. They made sure that all the keys issued to the car were turned back over.

I was happy to see that the dealership went through several of the same privacy precautions, like making sure my personal information was removed from the phone book. Luckily, my new car also had the same connected car management app for my mobile device. When I got home, I synced up my management app and I noticed that under the car inventory in the application, my old car was still listed. I didn’t think much of it — I figured there must be a process by which that car would be expired.

Over time, I began to realize that the car wasn’t going to expire. Days went by, then weeks, months and, eventually, years. It was obvious that whoever had purchased my old car had not enrolled it in the mobile app, and nothing on the manufacturer’s side had revoked my access to it. This is where my curiosity kicked in: were manufacturers only designing Internet of Things (IoT) functionality for the first owner because that’s where their revenue comes from?