Rental Car Cyber Risks
Should you connect your device?
The holidays are upon us again, and in addition to the need for pants with elastic waistbands and extra boxes of tissues for all the Hallmark movies, the holidays often present the need for travel. Yes, folks, that means planes, trains, and of course, automobiles. So, what does that have to do with cybersecurity? Well, a lot! Cybersecurity concerns related to travel provide enough material to write for weeks, so I am going to limit the subject of this article to privacy risks related to rental cars. The question I will address is, should you connect your devices to a rental car? Well, that depends.
If you have read my previous writings, you know I spent a couple of decades as a police officer, and that for a significant portion of time I was a digital forensics analyst. During my time in digital forensics, I had the opportunity to perform multiple forensic examinations of In-Vehicle Infotainment systems, or just IVI systems. By the time I learned about IVI forensics I had been a police officer in a major metropolitan area for more than 15 years and there wasn’t much that surprised me. When I saw firsthand the amount of information captured by these systems though, I was floored. Information like location data, speed of travel, rates of acceleration and deceleration, when doors open and close, and when doors lock and unlock, was all available in the data extracted from these systems. Perhaps more concerning though were records of call logs, text messages, contact lists, and even voicemails and pictures that were captured by the IVI system when a phone or tablet was connected to the vehicle, either with a USB cable or over Bluetooth.
Won’t the rental car company wipe my information from the car when I return it though? Nope! Not necessarily, at least.
What’s in there?
It can be very easy to forget about all the things that we have connected to our smartphones. Is your business email account, a messaging service like MS Teams or Slack, or any other sources of potentially sensitive data connected to your phone? If the answer is yes, and you connect your phone to that car, then the car is likely to have some of that sensitive data stored in the IVI. For any frequent car renters reading this article, think about how many times you have rented a car and seen data from a previous renter stored in the IVI system. I’d be willing to bet it’s been more than once. Maybe you didn’t look through it, but if you see “Cindy Lou’s iPhone 8” or “Ralphie’s Galaxy Note 9” in the list of devices, there is data there, my friend.
I’m very careful!
What if you are extremely diligent though? What if you have an actual checklist of things that you follow religiously before returning a rental vehicle, and one of the items on that list is to remove your data from the car? Well, that’s certainly better than doing nothing, but it’s up to you whether you want to put your faith in that process. Think about the last time you were on a long business trip. I know, with the pandemic and all, maybe it’s been a while, but think about all the calls, text messages, Tweets, and other notifications you received on your phone and through the IVI system if you connected to it. It was probably a lot if you did any significant driving! Now, I’m sure that you took the time to go through the menu and choose the option to remove your data from the vehicle before returning it, right? How long did that process take? Probably just a few seconds. Maybe you didn’t have much data stored in the IVI system, or maybe the operating system didn’t actually remove the data, but only removed the pointers that tell the IVI operating system where the data is stored on the hard drive. That makes for a great user experience that seems very fast and convenient, but your data is still there, just waiting for someone like me, with some knowledge, a bunch of purpose-built circuit boards, and a few nylon pry tools and a socket set to come along and copy all that information about you and all your contacts off the IVI system hard drive.
Some mobile device manufacturers have started adding some protection for all of this into mobile operating systems. Some devices will ask you if you want to share contacts, calls, text messages, etc. with the IVI system. If you choose not to share that data with the vehicle, the device’s operating system should prevent that data from being shared. For devices running older operating systems though, those protections may not be available. Some devices may be configured to automatically connect, although that is becoming less common as device manufacturers build in protections. Even with these protections in place, it is far too easy to inadvertently choose to share data, especially if you are tired from a long flight or train ride, or you are distracted by things like calls, emails, and the inevitable schedule changes that you may be catching up on while getting settled in for your drive.
What should you do?
So, if connecting your devices to the car poses so much risk, what should you do? As with any other kind of risk, do a quick assessment and decide if you want to accept, mitigate, or avoid it. Depending on your individual risk, here are some things you can do:
- Accept the risk
  - Go ahead and connect and enjoy all the conveniences and wonders of modern technology! Make sure you know how to remove your device and associated data from the vehicle IVI system when you are done using the car though.
- Mitigate the risk
  - Not all USB ports in the car are necessarily going to be data ports. Some of them, especially in the back seat, might only be power ports. Use these instead if you only need a power source for your device.
  - For extra protection, use a data blocker, like these little red beauties in the picture. They allow you to connect your charging cable to a data USB port, but the data wires in the data blocker are not connected, only the power wires are, so they prevent any data transfer.
  - If you really want to be careful, but you still need a power source, some cars now have regular power outlets, like the ones in your house, or you can purchase a power inverter that plugs into that old-school cigarette lighter port. Then you just use a regular power source as you would at home, and voila, no data transfer.
- Avoid the risk
  - Lastly, you can practice risk avoidance. This, of course, is probably the most secure option. Just don’t connect your phone to the car at all. That means no charging cable and no Bluetooth connection. No, you won’t be able to stream your Spotify or Pandora playlist over the vehicle audio system, but you can use the speaker on your phone. I know, it doesn’t sound as good, but a pro tip, if you put your phone in the cup holder while playing music, it makes it a bit louder. If you choose this option you can also use a dedicated hands-free headset for taking any necessary calls. Or just disconnect for a while! Who knows, maybe you’ll see a bunch of reindeer dragging some fat guy in a sled across the horizon.
From all of us here at Reveal Risk, happy holidays, and safe and secure travels, everyone!