How I Became a Repo Man for a Day
by micah
In the summer of 2024, I became a repo man for a day. I legally recovered a vehicle without any confrontation or repercussions.
I've been a hacker since I was a kid and a security professional and software developer since the 1990s. While my full-time work is more oriented towards software development these days, I still occasionally do security consulting.
I was approached with an interesting problem: the co-owner of a vehicle wanted to remove his name from the title after his boyfriend broke up with him very suddenly. Throughout the rest of this article, I will refer to my client as The Client and his ex-boyfriend as The Adversary.
The Client's mom had gifted the two of them a car, a 2019 Tesla Model 3, registered in the state of New York. Both The Client and The Adversary were on the title and registration. However, the insurance was in The Client's name with The Adversary listed as an additional driver. This is relevant because in New York State if you remove the insurance from a vehicle that is still registered, the Department of Motor Vehicles will start fining you and will eventually suspend your license. The Client attempted to contact The Adversary a number of times, by phone, text message, email, and ultimately certified snail mail. In all cases, The Adversary did not respond. The Client was effectively ghosted.
The Client was willing to let The Adversary take sole ownership of the car. He merely wanted The Adversary to get his own insurance and a new title and registration so that The Client could cancel his own insurance.
This is where I came in.
The Client asked if it would be possible to "do something" to the car to force The Adversary to the table. The Adversary had not removed The Client's access to the Tesla Mobile App. The Client still had the "phone key" feature enabled, meaning that if he walked up to the car, the doors would automatically unlock. The Client was still a rightful co-owner of the car. In fact, The Client was in possession of the original title certificate for the car. The car, however, was parked on the property of The Adversary's father.
We reviewed a number of options I'll put in a bucket called Plan A. We could remove The Adversary from the mobile app as an authorized driver and remotely disable the car. We could then use this as leverage to get The Adversary to "come to the table" to get his own insurance and registration. The Client would offer to sign the title over to The Adversary. While this would alleviate any sort of trespass on The Adversary's father's property, it was unethical and likely illegal as The Adversary was still a co-owner of the car.
So, we discarded Plan A.
This is where the "chaotic neutral" mindset comes into play. In case you're not familiar with Dungeons & Dragons, each player in the game creates a character and that character has an "alignment." This is usually represented as a 3x3 grid with lawful, neutral, and chaotic on one axis and good, neutral, and evil on another axis. In Dungeons & Dragons and in life, I am a "chaotic neutral." I do abide by laws, but I am not above bending them. And my mind has a tendency toward chaos. This can get in my way sometimes, but it's perfect for the "thinking outside the box" mentality that's useful in complex situations. I kept having the intrusive thought, "What if The Client was the sole owner of the vehicle?" Well, in that case, it would be legal to disable the car remotely no matter where it was physically located. The ethics of doing so might be a little murky (thus the "neutral" versus pure "good"). But of course, that wasn't possible, was it?
It was time to do some research - the less sexy side of security consulting. I took to the Internet and in short order found a page on the New York State Department of Motor Vehicles website called "Register a Vehicle With More Than One Owner or Registrant" (dmv.ny.gov/registration/register-a-vehicle-with-more-than-one-owner-or-registrant). On this page is a section titled, "Transfer Ownership." The first sentence reads: "More than one person can own a vehicle, but to transfer ownership, only one of the owners is required to sign the title certificate."
This seemed too good to be true. I contacted a friend who is a lawyer in New York State, although his specialty is estate planning. He didn't think it was possible that one of the owners could sign away the property when there was another owner on the vehicle's title as well. We both contacted a friend of his who is a traffic violations attorney. Eventually, I confirmed what I read on the website to be true. Plan B was hatched.
Plan B involved a number of moving parts. Part 1 was getting sole ownership of the vehicle. I would meet The Client at the Department of Motor Vehicles along with his mother. He would sign the title for the car over to his mother. In advance of that, I would help set up insurance on the vehicle in his mother's name. All you need is a Vehicle Identification Number (VIN) to purchase insurance for a vehicle. We would then register the vehicle in The Client's mother's name and order a new title. She would be the sole owner of the vehicle at that point. Part 2 was to disable the vehicle and let The Adversary know that he no longer owned the vehicle at all. He could either meet with The Client and me to discuss signing the vehicle back over to him and giving us the old plates or we would take steps to recover the vehicle (and the plates on it) through legal channels. This was necessary, as we still needed to get the old plates turned in before The Client could cancel his insurance.
I traveled to New York, and we completed Part 1 just before the closing time at the Department of Motor Vehicles offices. I was greatly relieved, as I was still not convinced that having one owner sign over a vehicle title with two names on it would work. I prepared to notify The Adversary that he was no longer an owner of the vehicle. Given his lack of responsiveness, I asked The Client for access to his phone so that we could see the location of the vehicle. It was not at the address I knew to be The Adversary's father's. The Client identified it as The Adversary's brother's house. Using the mobile app, I activated the external cameras on the car and was able to determine that it was parked on the street. I said to The Client, "I think I'll be a repo man for a day." Cue chaotic neutral!
I made a few calls to validate my thinking. I had new plates and a new registration for the vehicle. The vehicle was insured. Street parking is public property, so I wasn't in danger of trespassing. Given all that, my question to a number of lawyers was, "Can I legally go and take this car?" The unanimous answer was "yes." It was almost an absurd question. Imagine you lent a friend your car. This friend told you they parked it on the street in a residential neighborhood and gave you the address. You wouldn't think twice about walking up to your car, unlocking it, getting in, and driving away. This was the exact situation The Client and I suddenly found ourselves in - with the permission of his mother, now the sole owner of the car.
Part 2 of Plan B quickly became Plan C. The Client would drive me near to where the car was parked early in the morning, knowing that The Adversary had a tendency to sleep in late. Just prior to this, I would remove all access to the Tesla Mobile App from The Adversary, effectively locking out their control of the vehicle. I would go to the end of the block and use a feature of Tesla cars called "Summon." I could have the car drive itself over to me. I was eager to avoid any sort of interaction with The Adversary. The Client dropped me off and waited a block away with my phone. I had The Client's phone. I opened up the Tesla Mobile App and went to the Summon feature. The screen showed an error message saying that Summon was temporarily unavailable as there was a fault with the 12-volt backup battery. Shoot! This was the first snag we hit! I decided to walk the 30 yards over to the vehicle. This risked an irate Adversary coming out of the house and confronting me. As I approached the vehicle, I used the app to unlock the doors. I got into the vehicle, put it into drive, and silently (thank you, electric vehicles!) drove away.
I drove about a mile away and rendezvoused with The Client. There, I switched the plates and put the new insurance card in the glove compartment. Tesla uses NFC cards for physical keys. These can be removed using the car's main screen interface. I removed The Adversary's physical key access to the car. We drove to a mutual friend's house about 30 miles away where The Adversary had never been.
The final chapter of this engagement was easy. The Client turned in the old plates to the DMV and got the documentation to send to the insurance company, allowing him to remove the old insurance policy that included The Adversary.
As a cybersecurity professional, this was an unusual assignment. And yet, it drew on all the same skills I would use in hacking on computer systems: reconnaissance, research, consulting other professionals, planning, executing the plan, pivoting in real-time, and thoroughly documenting everything I'd done.
At one point, I asked a lawyer, "What if he [The Adversary] wakes up, sees the car is gone, and calls the police to report it stolen?" The lawyer told me the police would make a report, but once the registration was looked up, it would come back as invalid since the car's title and registration had been changed. Even so, I thought that as part of my due diligence and in service of complete work, I should notify The Adversary. I sent a certified letter letting him know all that had transpired and that I'd recovered The Client's property. Repo man for a day!
I will confess that at the moment of having to walk up to the car and drive it away, my heart was pounding. A day is more than enough for me to be a repo man. I don't intend to repeat it.
It's a little mind-boggling to me how this all played out. If The Adversary had simply engaged in a conversation with The Client, he would have walked away with a car still valued at around $20,000, even with 87,000 miles on it. Also, at any time after the breakup, The Adversary could have locked The Client out of having any access to the car. That would not have been technically legal, but it would have made it much harder for The Client to get what he wanted - which, remember, was simply being removed from the title and registration.
The moral of the story is that if you're going to be a dick, you better have really good OPSEC. Or, better yet - don't be a dick.