news

Connecting your phone to rental car infotainment system? There is a big, hidden privacy risk

Ford Motor Co.

Ford’s first all-electric SUV comes at a pivotal time for the automaker as it restructures operations and spends $11 billion by 2022 on EV and hybrid vehicles. It also comes with a 15-inch display screen.

  • Syncing your mobile device to a rental car's infotainment system is an often overlooked security risk that can be avoided, and car rental companies like Avis and Enterprise place the legal responsibility on the customer.
  • This seemingly innocuous act can expose a trove of sensitive information — like contact lists, voice and text messages, passwords, garage codes, GPS data, and medical and financial information.
  • 57% of people sync their smartphones to rental vehicles, and of these, less than half remember to delete their profiles and data before returning the car.

The recent data breach that exposed the sensitive information of some 300,000 Avis customers highlighted some critical vulnerabilities within the rental car industry.

Yet, there's another, often overlooked security risk when drivers use a rental car: the personal data you unknowingly leave behind when syncing your mobile device to a rental car's infotainment system.

According to privacy experts, this seemingly innocuous act can expose a trove of sensitive information — like contact lists, voice and text messages, passwords, garage codes, GPS data, and medical and financial information.

Cars are coming under greater scrutiny for data privacy issues as they become closer to computers on wheels, with more than 95% of the passenger cars sold likely to have embedded connectivity by 2030. It has reached the level of national security concern, with the Biden administration announcing this week it will seek to ban any connected cars coming into the U.S. market with Chinese hardware or software.

Many rental cars are already there, and the infotainment systems in these cars are like digital vaults that store your information every time you connect your phone, according to cybersecurity expert Andrea Amico, founder of Privacy4Cars — and it stays there until manually deleted — making it accessible to other renters, car rental employees, car manufacturers, and cybercriminals.

James Hajjar, chief product and risk officer at Hartford Steam Boiler, an insurer that specializes in emerging cybersecurity risks, said that few consumers are aware of this threat, and even fewer take steps to prevent it. According to Hajjar, 57% of people sync their smartphones to rental vehicles, and of these, less than half remember to delete their profiles and data before returning the car.

Failing to delete this information isn't just about privacy; it's about security. GPS data can act as breadcrumbs leading to your home, work, and other frequented locations, said Amico, adding that with enough data points, bad actors can map out your routines and even connect that data to social media accounts, creating detailed profiles ripe for exploitation.

"It would be very difficult to use this information to steal your identity, but it might be enough to identify who you are, identify where you've been. And that might be more than enough information to sell to somebody who is going to call and try to scam your grandma out of money by [saying] you were in an accident or you were arrested," said Clyde Williamson, senior product security architect at Protegrity. "That's a very common kind of attack that's happening to people. It's by far more common than stealing your identity and trying to open a credit card."

Privacy policies say the customer is responsible

Experts agree that car rental companies need to start implementing best practices to better protect customers.

"Just as companies vacuum the floor mats, there is no reason why they shouldn't vacuum the infotainment system, too," said Amico, suggesting that removing data from rental cars should be as routine as filling the gas tank or cleaning the interior.

John Price, CEO of cybersecurity firm SubRosa, emphasizes that rental companies have a duty to protect this information from unauthorized access because it falls under the framework of data-protection responsibilities expected of businesses handling personally identifiable information, or PII. Despite this, many rental companies lag in applying adequate protections.

The privacy policies posted online by Avis and Enterprise make clear that the onus remains on the customer, warning renters that if they choose to sync information or a device to the car (using Bluetooth, USB or otherwise), data from a device may be accessed and stored on the car's systems, such as the infotainment system. All of that information should be deleted by the renter at the end of the rental period, and the rental car companies state they are not responsible for any data left in the vehicle.

But most customers are unaware that syncing their mobile devices to these systems instantly grants permission to the companies to access their personal data. These policies are not always explicitly communicated during the rental process, leaving consumers to navigate the fine print of privacy policies they almost always never read.

"To put the burden on consumers is not right. When you read those car rental agreements, they say you leave the data in the car, it's your problem. You can't assign regulatory responsibility to the consumer," said Amico.

Yashin Manraj, CEO of Pvotal Technologies, said that while services like Android Auto and Apple CarPlay have significantly improved data protection, there is still a long way to go before consumers should feel fully safe syncing their data in rentals.

"In 2022 a grassroots movement pushed rental companies and manufacturers to go beyond the 'guest profile' to create temporary virtual environments where customers' data would be stored during use and immediately purged after the rental period. This would have been the fastest way to resolve all ongoing concerns. Unfortunately, this measure was quickly shelved and dismissed due to no legislative support or fiscal benefits to the manufacturers," said Manraj.

The lack of regulation in the rental car industry further exacerbates the privacy risks, and the amount of data rental car companies are capable of collecting has grown. "This alone should catalyze major overhauls of internal policies and customer communications practices. The scary part is that rental car companies may not know just how much customer data they are collecting, which means their risk management frameworks are likely incorrect," said Nicholas Reese, adjunct professor at NYU's Center for Global Affairs.

Experts highlighted several potential solutions that rental car companies should adopt to better protect customer info. The most obvious is automatic data deletion, or systems that automatically delete synced data when vehicles are returned. "Automatic data wiping between rentals should be a universal measure," said Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant.

In the least, "Customers should be warned of the risks of syncing their devices to rental cars and be prompted to un-sync when the rental is returned," said Paul Bischoff, consumer privacy advocate at Comparitech.

In addition, car manufacturers should install encryption protocols within infotainment systems to prevent unauthorized access to stored data and rental companies should educate customers on the risks of syncing their devices to rental vehicles and provide clear guidance on how to delete their data.

That could include having warning messages that go off once a smartphone is plugged into a car rental, telling the driver about data being stored, cached, or accessed, said Manraj. Temporary guest profiles that are deleted after the rental session ends could also significantly reduce the risk of residual data being left behind.

At the end of the day, said Williamson, it all boils down to one thing: "Don't plug your phone into a rental car unless you're sure it's worth the risk."

But if convenience overrules, experts recommend the following steps to safeguard your information:

Steps to take with data when returning a rental

Disconnect your phone from the car's Wi-Fi and Bluetooth settings. Open the car's infotainment system and navigate to the Bluetooth or Wi-Fi settings. Look for the list of paired devices and ensure you manually disconnect any that belong to you.

Erase navigation history. Go into the navigation settings on the car's system and clear out your location history. This removes any saved destinations, routes, or recent searches that could reveal personal information such as your home or work address.

Perform a factory reset on the infotainment system. If you want to ensure all your data is completely wiped, look for the option to perform a factory reset in the system settings. This will restore the infotainment system to its original state, removing any personal data or paired devices that may have been stored.

Copyright CNBC
Exit mobile version