
What is your phone telling your rental car? - e15ctr0n
https://www.consumer.ftc.gov/blog/what-your-phone-telling-your-rental-car
======
heffer
With 185 rental days and counting this year I had my fair share of these kinds
of situations.

I made fully resetting all electronic systems in the car as much as possible
(which sometimes ends up being not at all) a ritual before returning cars.

Some cars offer a master reset (such as Ford with their SYNC system), some
don't (such as BMW's iDrive). Some cars can have their multimedia systems
reset but retain some information about the paired phones and some history as
fragments on their SD card (such as the Nissan Maxima, where the multimedia
system also malfunctions by forgetting all settings between power cycles if no
SD card is present; make sure you check before you pick one up).

But in 95% of cases people don't give a damn and I would get a car that has
all the previous customers' data in it. Phone logs, Navigation history,
sometimes even contacts and text messages. I think it's scary.

------
Hydraulix989
They really need to have a "rental car mode" in the infotainment center that
provides a good UX for not leaking user information.

I've seen TVs with a "kiosk mode" option that do things like disable channel
switching.

My most recent rental car (a Dodge Caravan) had a USB port on the center
console that mounted the phone as a USB drive for media playback.

~~~
thaw13579
At the very least, there should be a mode to charge via USB while disabling
the data pins at the hardware level

~~~
sithadmin
This is why I carry around a 'USB condom' (in particular, a PortaPow
FastCharge) for use whenever I want to charge from an untrusted USB port.

~~~
bbcbasic
That's a fantastic analogy

------
joeyrideout
This reminds me of the privacy concerns surrounding printers/copiers, which
can hold onto sensitive data after you or your organization are done using
them [1].

This also begs the question of how secure these "infotainment" systems are in
the first place. Physical access to individual cars' data histories is
relatively limited, but if these connected machines are remotely accessible
then the resulting attack surface might be scary.

[1] [https://www.ftc.gov/tips-advice/business-center/guidance/cop...](https://www.ftc.gov/tips-advice/business-center/guidance/copier-data-security-guide-businesses)

~~~
colejohnson66
> Physical access to individual cars' data histories is relatively limited,
> but if these connected machines are remotely accessible then the resulting
> attack surface might be scary.

Cars are already beginning to be connected to the internet. Just wait a few
years; they'll fall victim to the IoT epidemic soon enough.

~~~
maxerickson
Yeah, the Jeep hack last year
([https://www.wired.com/2015/07/hackers-remotely-kill-jeep-hig...](https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/))
got into the infotainment system over the cellular network.

They've made the network side of the attack a lot harder than it used to be;
the vehicles are no longer visible to anyone with a Sprint cell phone.

------
zeta0134
I discovered this the first time I had to rent a car from my dealer. There
were about 12 other phones connected in, and my phone would have ended up with
all of their contacts if I hadn't thought to disable contact sharing.
(Fortunately the Mazda UI asks before doing that.)

I went through that list and un-paired every phone, and cleared out the
contacts list in the entertainment center. I also informed my dealer of the
issue, and I hope they are a bit more mindful of it going forward. Cars are
basically designed to only ever be used by one or two people at a time, so
this isn't a huge risk for most owners, but for rentals it's kind of a privacy
risk.

~~~
enobrev
I generally clear everyone out in a rental as well. I should start letting the
rental company know, though. That's a great idea.

Fortunately, Android asks if you want to sync contacts, to which I always
reply "No". It seems like that should be the default with an option to enable
specific cars.

------
fma
Should be more appropriately titled "What is your phone telling the next
rental car driver"

~~~
hackuser
... "and the rental car agency and everyone they share data with."

~~~
fma
TBH I doubt the rental car agency cares. They would rather not deal with it
since their business is renting cars. Any word that gets out that they even
use that data without your permission is going to be very bad press.

But on the other hand, for corporate espionage...if I know a certain company's
employees rent cars from a certain location...I'd be poking around.

~~~
hackuser
> They would rather not deal with it since their business is renting cars.

Every company's business is collecting data on their customers. It's very
widespread.

> Any word that gets out that they even use that data without your permission
> is going to be very bad press

I disagree. Word on such behavior gets out all the time and few people care.

------
Animats
Maybe doing charging through a data connector wasn't such a good idea after
all.

We need more dumb inductive charging. And no, the charger does not need a data
connection.

~~~
alonmower
Random thought: couldn't one start making charging cables that only had
power/ground pins present (but were still shaped like the apple/micro usb
connectors)?

~~~
Animats
Yes. They're called "Charge Only Hardware Firewalls", and they are way
overpriced.[1]

[1] [https://lockedusb.com/](https://lockedusb.com/)

~~~
johannes1234321
There are cheaper options than this, but mind: Those aren't completely trivial
devices. They have to negotiate to get more than 100mA(?) and for that
negotiation there are two protocols: Apple's and, I think, Samsung's (which
is used by everybody in the Android world nowadays). And the negotiation has to
involve both the supply and the device. Cheap devices sometimes only
negotiate with the device and then draw too much electricity out of the
supply, which can be damaging.

~~~
wtn
The non-Apple protocol is Qualcomm Quick Charge:
[https://www.qualcomm.com/products/snapdragon/quick-charge](https://www.qualcomm.com/products/snapdragon/quick-charge)

~~~
johannes1234321
Thanks!

------
danepowell
When I pair my Android phone with a rental car via Bluetooth, the phone asks
permission to share contacts and messages with the car (of course I deny
them). Are folks saying that sensitive data is still shared in spite of this
access control? This seems like a problem with Android / iOS rather than the
car.

~~~
greenyoda
_"This seems like a problem with Android / iOS rather than the car."_

Or with the user who unthinkingly allows their phone to share contacts without
considering the possible ramifications.

Most users are accustomed to just saying "yes", like when an app asks them for
permissions, etc.

------
fwr
I never thought about it, but it would make a lot of sense that since both
Android and iOS ask for application permissions, the same would happen for a
Bluetooth session.

My guess is that it's not done because receivers were never supposed to handle
missing data for something that shows up in device capabilities.

------
jedateach
I had a similar situation using a replacement phone whilst mine got repaired.
A factory reset had been performed, but the Android OS still contained some
quite sensitive WhatsApp sent images, including personal photos and even a
credit card balance screenshot.

Businesses need to get more savvy in this area.

------
oDot
A dongle[0] can be connected to the car's aux port, giving a nice wireless
solution (and bypassing the phone's usually terrible amp)

[0]: [http://www.ebay.com/itm/Wireless-Bluetooth-V4-1-3-5mm-AUX-Au...](http://www.ebay.com/itm/Wireless-Bluetooth-V4-1-3-5mm-AUX-Audio-Stereo-Music-Home-Car-Receiver-Adapter-/281993125798)

------
paulsutter
I really want a setting for the phone to block all sharing with other systems.
No prompt "do you trust?", just a blanket setting that I don't want to trust
any system.

There's no longer any reason to tether the phone back to your Mac for backups
or updates, so why is the phone so eager to share data? All of that can be
accomplished with iCloud authentication.

------
dogma1138
Which is why I never sync my phone with it or use the onboard GPS.

I'm honestly surprised that leasing agencies have not implemented some sort of
a wipe procedure even if it's not a forensically secure wipe when a car is
returned.

That said I once picked up a car at the airport that had someone's passport
tucked into the overhead sun protector shade thingie.

------
nxzero
Given this is by a US federal agency, it's interesting to me how the US
federal consumer protection agencies never look at how much data the federal,
state, local, etc. governments leak on the average person; for example,
federal citizen identifiers reused as consumer identifiers, that is SSN
numbers.

~~~
delinka
"Reuse" of SSNs is not a 'leak' of privacy by government. They're not the ones
giving SSNs to whomever asks.

~~~
mindslight
By creating a system whereby everybody can be assumed to have a certain unique
identifier, they put people in a situation where they can be made to divulge
that number for various private purposes.

For instance, if a drivers' license didn't have a unique number, then stores
couldn't be tempted to demand said number when processing a return.

It's akin to the difference between naive full disk encryption, and a true
steganographic filesystem.

------
yason
I have seen other people's trails on rental cars and I've always wondered why
would they connect their phones to basically what is an unknown system,
exposed to just about anyone.

Maybe I'm just weird. Never had any reason to connect my phone to the car, not
rental nor my own. I make phone calls from my... well, phone, not the car. I
use my phone's Google Maps if I need to refresh my memory to get driving
instructions. I don't have music on my phone either. It seems that being a bit
ignorant to new technology does pay off at times.

------
taprun
My phone isn't telling my rental car anything. I turned bluetooth off.

~~~
nxzero
At the very least, it's telling them you turn off Bluetooth.

~~~
skafjvhs
Are you saying the car has a mechanism to catalogue different drivers without
bluetooth?

~~~
hackuser
Wifi MAC address or other identifier is one method.

~~~
bsilvereagle
I'm not sure why you're being downvoted, some 2015 Chevys have the option for
built-in wi-fi (4G LTE) making MAC tracking a legitimate concern. Granted, the
rental isn't getting contacts/texts/etc like this article is talking about,
but your rental could guess at the number of passengers or determine how long
you spend parked outside of Starbucks based on how long it sees Starbucks wi-fi
(assuming the vehicle doesn't have GPS), etc.

------
houssc
I've been doing these security steps every single time since rentals got
bluetooth. Every rental unless it's brand new has dozens of people's contacts
and other data in it.

------
eyelidlessness
Trying to load this page consistently crashes my Safari tab. Anyone else?

------
eximius
Hopefully nothing since I don't connect it via anything.

~~~
nullsocket
Exactly, why would I sync my anything to something that isn't mine? That's
like checking your bank account from a kiosk.. All the NOPEs.

------
andrewfromx
you humans are so funny. you think you still have privacy. that ended in 2008.

