Escar USA is one of the world's leading automotive cybersecurity conferences, bringing together researchers, engineers, and security professionals from across the automotive and transportation industries. The event covers the full spectrum of vehicle security challenges, from embedded systems and connected services to supply chain risk and regulatory compliance, making it a premier destination for anyone working at the intersection of security and mobility. 

Bishop Fox Senior Security Consultant, Sam Lauzon, will be presenting research on a topic that often goes overlooked in automotive security conversations: what happens to the personal data stored in a vehicle after it leaves the original owner's hands. His talk draws on empirical case studies of used infotainment systems spanning a decade of model years and multiple manufacturers, offering a grounded look at how personal data persists through ownership and control transitions and what that exposure looks like in practice. 

If you work in automotive security, product security, or privacy engineering, or if your organization manufactures, sells, or services connected vehicles, this research has direct implications for how your products handle data across their full lifecycle. 

Learn more here: https://escar.info/escar-usa

"Persistent Personal Data Exposure Across Vehicle Ownership and Control Transitions"

Speaker: Sam Lauzon, Senior Security Consultant I, Bishop Fox

Date/Time: May 20, 2026 | 4:00-4:25pm ET

Location: Lucerna Cinema - AUX

Abstract: Modern vehicles routinely ingest, generate, and store personal data to support infotainment, navigation, and connected services. While these data enable valuable in-vehicle functionality, they may persist beyond authorized use and become accessible when a vehicle changes hands or control is lost. We study the extent and implications of persistent personal data exposure across vehicle ownership and control transitions under a realistic threat model in which an adversary acquires vehicles or electronic modules through legitimate secondary-market channels and applies commodity forensic tools.

Through empirical case studies of used infotainment systems (2011–2021 model years across multiple manufacturers), we demonstrate practical extraction paths, including removable hard-drive imaging, exploitation of exposed interfaces in Android-based systems, and hardware level extraction from embedded flash storage. We also report field evidence from a used car lot: among 38 vehicles inspected without specialized tools, only 3 (7.9%) contained no visible personal data, and all 9 vehicles with built-in navigation retained prior navigation history. We characterize the exposed data and associated harms, and show how AI-enabled analysis can amplify misuse by lowering the effort required to infer sensitive attributes and generate convincing targeted content. Our findings indicate a systemic lifecycle failure in current vehicle data management practices and motivate the need for verifiable, robust mechanisms to manage and remove personal data across ownership and control transitions.