If you bought a used convertible sports car in New York about four years ago, you might want to take it back to the dealership to have it remove the previous owners’ access. There’s a chance it belonged to Charles Henderson, Global Head of IBM’s X-Force Red. He traded in the convertible for something more child-friendly, but when he went to use the new car’s app, he realized the convertible was also showing up. “I actually still have access to that car today,” he told Digital Trends. “I can unlock the doors.”
Henderson did a factory reset on the car before he turned it into the dealership, but it didn’t revoke his access. It’s likely the new owner has no idea someone else has access, nor could they block Henderson without the dealer’s help. Though he calls it an industry-wide problem, it’s not just an issue for cars. Many smart-home devices have the same flaw, Henderson said. “They have all these great onboarding tools to get that first owner in, but there’s nothing to get the first owner out and the second owner in,” he said. “They’re not really concerned with the second owner who needs the first owner evicted.”
Charles Henderson can still unlock a car he sold four years ago, via an app.
Let’s say you buy a second-hand smart lock. You perform a factory reset and assume you’re the only one who has access. You fire up the app, connect the lock, and set up a profile. Chances are, you won’t have a screen that shows you who else has access. Even if you do, you’ll still probably have to call the manufacturer to have them remove the former owner.
That’s what happened to Henderson’s researcher, who bought a second-hand smart hub. Though he saw an unfamiliar phone still attached to the hub, he had to call the device maker to have them remove it. The person on the helpline first suggested the researcher do a factory reset — something he’s already tired twice. “They didn’t even know that it doesn’t remove the user,” said Henderson.
The problem becomes even more complicated when you start talking about selling smart homes, houses with tons of devices that used to belong to someone else. Chad Curry, Managing Director at National Association of Realtors’ Center for Realtor Technology, told Digital Trends that a realtor had a home buyer contact her because the smart thermostat that came with the house kept adjusting itself. It turned out the old owner was trying to adjust their new thermostat but was still linked to the old device.
In response, the NAR has decided to work with the Online Trust Alliance to create a Smart Home Checklist that walks realtors, sellers, and buyers through the transfer of smart devices. The idea is to get realtors to ask the right questions of homeowners to identify any smart devices, such as, “Is there anything that will remain with the home that is connected to the home that is not a router or modem?”
The NAR is also working on an app that expands on the Smart Home Checklist. If the seller has a smart lock, the app would help find all the other devices associated with that lock, so the buyer would have a list of smart things to reset and revoke access from.
While many people are familiar with what a Nest smart thermostat looks like, not everything is as recognizable. “A smart light switch, it looks like a light switch,” said Henderson. “There’s nothing on it that screams, ‘This is a smart light switch.’” The app would also help home buyers tell if that new keypad lock is smart or just sophisticated.
But while identification is the obvious first step, there’s no clear second step.
“There’s no consistency across the industry with how access is revoked,” said Henderson. When realtors do get a list of devices, “We tend to point people to the websites for the manufacturers when we come across specific devices,” said Curry.
Some devices do have built-in protections, but it often takes more than a factory reset or a user unlinking the device from their account. A factory reset on a Wink Hub 2, for example, wipes the data, while a user removing it from their app unlinks from the account, but all the devices connected to the hub remain in its database, though without the user information. “If a Wink Hub was not removed by a previous owner from their account, the new owner wouldn’t be able to connect it to theirs, hence they’d never be able to see the previous owner’s devices or user profile,” Patrick Mahoney, the company’s communications director, told us.
To make things easier for users, and to ensure that they know whether a previous owner has access, Henderson suggests IoT and smart-home device manufacturers look to the mobile phone industry, which instituted a standard for what device reset means. That helped people feel secure selling their old phones without worrying the new owner would have access to their photos and contacts.
The smart-home industry isn’t there yet, said Henderson. “Right now we just sort of hope for the best and wish consumers luck when it comes to removing data or removing access.”