Transportation Cellphones Privacy Security

FTC Warns Consumers: Don't Sync To Your Rental Car! (securityledger.com) 67

Slashdot reader chicksdaddy quotes an article from Security Ledger: The Federal Trade Commission is warning consumers to beware of new 'connected car' features that allow rental car customers to connect their mobile phone or other devices to in-vehicle infotainment systems. "If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages," the FTC said in an advisory released on Tuesday. "Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers."

The Commission is advising renters to avoid syncing their mobile phones to their rental car, or to power devices via a USB port, where settings on your device may allow automatic syncing of data. Consumers who do connect their device should scrutinize any requests for permissions.

Security researchers have also discovered another car-related vulnerability. The software connecting smartphones to in-vehicle "infotainment" systems could also make cars vulnerable to remote attacks.

  • Well duh. (Score:5, Insightful)

    by nitehawk214 ( 222219 ) on Sunday September 04, 2016 @10:36AM (#52824665)

    Don't sync your devices to untrusted devices. Same as don't stick an unknown usb drive into your computer.

    Though this warning is useful since most normal users may not be aware of the security risk. The ignorance of security is the same ignorance that will cause people to ignore this warning, naturally.

    • by Anonymous Coward
      Why would anyone want to sync their mobile number and contacts to their car, anyway? What possible upside is there?
      • by Anonymous Coward
        Not sure if yours is a serious question or not - but it is simple. This is to enable hands-free calling. For people who want to make and receive calls while in the car driving, this is the only legal way to do it in many areas. Although to be fair, on my way to and from work every day I see likely 10 to 12 idiots with a phone up to their ear breaking the law. I've had occasion to be on the phone in my car - how hard is it to set the thing on the seat next to you and have the speaker phone mode on? Instead,
    • Same as don't stick an unknown usb drive into your computer.

      Or, more generally: Don't stick an outie part into an innie part if either is unknown.

    • by judoguy ( 534886 )
      As a software developer I always seek to uncover the fundamental underlying rules from the requirements so... "Don't stick important thingie into untrusted, but attractive thingie."

      Same advice my father gave me.

    • Sounds like a job for USB Condom! http://int3.cc/products/usbcon... [int3.cc]
    • I rented a car that had somebody's previous data still stored in the "radio." But it got me thinking- all I wanted to do was play my music. However, there was no obvious option (in this car) to simply allow music to play (via bluetooth). The "radio" demanded that I sync everything.

      A different car that I rented allowed me to play music- only when using the USB interface - which worked well and had the added benefit of charging my battery (which is how I discovered this work around). Even this car's bluet

    • don't stick an unknown usb drive into your computer.

      Don't even charge your phone using a rented USB port. In fact, never charge your phone on any data USB port, not even from your own computer. Use a wall power charger. Why risk the integrity of your trusted home computer by plugging in an uncontrolled device like the modern mobile phone?

      This is just basic security.

      • Android phones can be set to charge only. Though the communication USB port on cars will only provide 500 milliamps max. (the one in my Acura must be significantly worse, the phone would drain the battery if I am using it for GPS, even with the screen off)

        Dedicated power chargers will provide the full 2.1 amps to charge the phone very fast, even when it is in use. Safer and more effective, what's not to like. Just keep an extra wall charger and 12v charger in your car.

  • Most vehicles have the option to not sync your contacts, but still connect via Bluetooth for hands free driving.

    If you do sync your contacts, there is normally a fairly easy way to remove the data. I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

    • Re:Don't Sync (Score:5, Insightful)

      by plover ( 150551 ) on Sunday September 04, 2016 @10:44AM (#52824689) Homepage Journal

      I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

      +1, funny!

      Oh, wait, you were serious? You're lucky if a rental company runs a vacuum cleaner over the floors before they turn the car over to the next renter. Cleaning data would be like so far down the list of stuff they do that "never" comes before it.

      • by OzPeter ( 195038 )

        I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

        +1, funny!

        Oh, wait, you were serious? You're lucky if a rental company runs a vacuum cleaner over the floors before they turn the car over to the next renter. Cleaning data would be like so far down the list of stuff they do that "never" comes before it.

        Too right. I once rented a car from Hertz that came with their branded GPS system (which I didn't need because I had my own system). Every time I started that car the Hertz GPS would flash up a message "Welcome [name of previous renter]" and showed me where she had been on all of her trips. I'm sure if I dug down I would have been able to find lots more information about her. As it was I spent my time trying to figure out how to keep the damn thing turned off as it was a distraction that I didn't want.

      • by Zocalo ( 252965 )
        As someone who frequently uses hire cars, I can absolutely back this up with experience. I have *never* seen any sign that a rental agency has wiped data captured from previous renters; where applicable there has almost always been previous satnav destinations, playlists, media files, and other details saved on the in-car system. Ideally, the only thing you want to connect your phone to in a rental is a USB charging cable plugged into the cigarette lighter, but failing that at least make sure that you hav
    • by fgouget ( 925644 )

      I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

      Given that they don't seem to check tire pressure or verify wiper fluid level (both of which impact safety), I think expecting them to reset the infotainment system is pretty unrealistic.

  • by Anonymous Coward

    This isn't your data to begin with. Information stored about you (such as texts, phone numbers, call logs) are bits on a storage device owned by the service provider.

    All this NSA / Snowden leak info should tell people they don't own the data that is about them. If you connect to a rental car, all you're doing is syncing one company's data with another, none of which is yours.

  • Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

    Thousands of car rental employees mining car entertainment systems for data seems like an awfully inefficient way for hackers to harvest data when it's far easier to do the same thing by releasing a trojan horse app to collect the data.

    • by OzPeter ( 195038 ) on Sunday September 04, 2016 @10:56AM (#52824727)

      Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

      Who says it will be the rental company employees doing the mining?

      If I was a nefarious person I would rent high end cars from major airports for a day and see if any business people used the car and left any juicy details in the info system that would be very useful for social engineering attacks.

      • You seem to be intelligent, know your subject and write good arguments.
        Could I kindly ask you to leave Slashdot?

      • by hawguy ( 1600213 )

        Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

        Who says it will be the rental company employees doing the mining?

        If I was a nefarious person I would rent high end cars from major airports for a day and see if any business people used the car and left any juicy details in the info system that would be very useful for social engineering attacks.

        Would you really? You'd spend $125 a pop just on the off chance you'd find something valuable? And since you don't want it tracked back to you, you'd use a stolen identity and credit card each time?

        I said "rental car clerks" because they are the ones that have free access to every single car and it doesn't make sense to rent a car for an entire day for a 30 second operation.

        • by OzPeter ( 195038 )

          Would you really? You'd spend $125 a pop just on the off chance you'd find something valuable? And since you don't want it tracked back to you, you'd use a stolen identity and credit card each time?

          I said "rental car clerks" because they are the ones that have free access to every single car and it doesn't make sense to rent a car for an entire day for a 30 second operation.

          Considering that CEO fraud amounts are in the hundreds of millions annually, $125 a day for a car is peanuts.

          And why would you need to change false IDs all the time? Do you really think that a victim is going to say 6 months down the road "Hmm .. my contact information got skimmed somewhere .. I bet it was that rental car I used 6 months ago was where I leaked. I better get the cops to investigate every other person who rented that same car after me." By that time the money is long gone.

  • by Anonymous Coward

    So I suppose that you should wipe all data from your own car when you take it in for servicing. This might keep the mechanics and other service personnel from accessing your phone records, trip logs and so forth, although the car company itself probably has all of that info already from over the air.

  • "Unless you delete that data before you return the car, other people may view it, including hackers, rental car employees or even future renters."

    There, fixed that. It would be fun to see this in Mr. Robot, the least (but not without) face-palming I have ever had to do when it comes to the fictional portrayal of "hackers".
  • ... has designed a device that will automatically sync data without authenticating the peer first? I mean other than the ones that were leaned on by the NSA to make surveillance by law enforcement easy.

  • by ErichTheRed ( 39327 ) on Sunday September 04, 2016 @12:58PM (#52825109)

    Lots of techies forget that 99% of the population does not care about the how it works when it comes to technology -- they care about whether it works and is easy to figure out. Phone operating systems don't even have the concept of user-accessible storage and filesystems. Of course it's all there under the hood, but it's abstracted away. All data is stored in an app-specific data store in the cloud as far as users are concerned.

    Warnings like this and the "check what's in the address bar before you hand over your password" type of message need to be given. Few will listen, but putting it out there doesn't hurt. We now have what was asked for in the past -- end user systems that have almost no complexity and learning curve. It makes sense that newer generations growing up with this aren't used to files, filesystems, the concept of stored data and so on.

    • You generally have to be at least 25 years old to rent a car. I'm 27... my elementary school had a lab of Apple IIs and System 7 Macs. The first computer I owned ran Windows 95. After using these systems the concept of a file, and data storage, aren't foreign. By the time the iPhone was released I had already graduated high school. It's a knowledge thing, not a generation thing.
  • FUD (Score:4, Insightful)

    by speedlaw ( 878924 ) on Sunday September 04, 2016 @09:11PM (#52827093) Homepage
    This is silly. Every rental/loaner I've ever had has already five phones paired. I delete everything, and pair mine. When the car goes back I make sure I've deleted my profile as well. If you can read slashdot, you can figure this out, be it iDrive, Sync, CUE or AcuraLink. I'd be more concerned with leaving addresses in the satnav...but I blank those too.
  • WTF?

    So "hackers" is the new "criminals who use some kind of technology"? Or just "who use stuff I don't have no clue whatsoever but insist in using regardless?"

    Seriously, I really, really, really wish you could kill people with a computer remotely. Only then we have at least a minimal chance to get people to actually know what they're doing with their boxes, and some idiots wouldn't be allowed near one because they'd endanger themselves and others.
