Connecting your phone to rental car infotainment system? There is a big, hidden privacy risk

The latest data breach that exposed the sensitive information of some 300,000 Avis customers highlighted some key vulnerabilities within the rental car industry.

Yet, there’s another, often overlooked security risk when drivers use a rental car: the personal data you unknowingly leave behind when syncing your mobile device to a rental car’s infotainment system.

According to privacy experts, this seemingly innocuous act can expose a trove of sensitive information, such as contact lists, voice and text messages, passwords, garage codes, GPS data, and medical and financial information.

Cars are coming under greater scrutiny for data privacy issues as they become closer to computers on wheels, with more than 95% of the passenger cars sold likely to have embedded connectivity by 2030. It has reached the level of national security concern, with the Biden administration announcing this week it will seek to ban any connected cars coming into the U.S. market with Chinese hardware or software.

Many rental cars are already there, and the infotainment systems in these cars are like digital vaults that hold your information every time you connect your phone, according to cybersecurity expert Andrea Amico, founder of Privacy4Cars. The data stays there until manually deleted, making it accessible to other renters, car rental workers, car manufacturers, and cybercriminals.

James Hajjar, chief product and risk officer at Hartford Steam Boiler, an insurer that specializes in emerging cybersecurity risks, said that few consumers are aware of this threat, and even fewer take steps to prevent it. According to Hajjar, 57% of people sync their smartphones to rental cars, and of these, fewer than half remember to delete their profiles and data before returning the car.

Failing to delete this information isn’t just about privacy; it’s about security. GPS data can act as breadcrumbs leading to your home, work, and other frequented locations, said Amico, adding that with enough data points, bad actors can map out your routines and even connect that data to social media accounts, creating detailed profiles ripe for exploitation.

“It will be very difficult to use this information to steal your identity, but it might be enough to identify who you are, identify where you’ve been. And that might be more than enough information to sell to somebody who is going to call and try to scam your grandma out of money by [declaring] you were in an accident or you were arrested,” said Clyde Williamson, senior product security architect at Protegrity. “That’s a completely common kind of attack that’s happening to people. It’s by far more common than stealing your identity and trying to open a credit card.”

Privacy policies say the customer is responsible

Experts agree that car rental companies need to start implementing best practices to better protect customers.

“Just as companies vacuum the floor mats, there is no reason why they shouldn’t vacuum the infotainment system, too,” said Amico, suggesting that removing data from rental cars should be as routine as filling the gas tank or cleaning the interior.

John Price, CEO of cybersecurity firm SubRosa, emphasizes that rental companies have a duty to protect this information from unauthorized access because it falls under the framework of data-protection responsibilities expected of businesses handling personally identifiable information, or PII. Despite this, many rental companies lag in applying such protections.

The privacy policies posted online by Avis and Enterprise make clear that the onus remains on the customer, warning renters that if they choose to sync information or a device to the car (using Bluetooth, USB or otherwise), data from the device may be accessed and stored on the car’s systems, such as the infotainment system. All of that information should be deleted by the renter at the end of the rental period, and the rental car companies state they are not responsible for any data left in the vehicle.

But most customers are unaware that syncing their mobile devices to these systems instantly grants permission to the companies to access their personal data. These practices are not always explicitly communicated during the rental process, leaving consumers to navigate the fine print of privacy policies they almost never read.

“To put the burden on consumers is not right. When you read those car rental agreements, they say you leave the data in the car, it’s your problem. You can’t assign regulatory responsibility to the consumer,” said Amico.

Yashin Manraj, CEO of Pvotal Technologies, suggested that while services like Android Auto and Apple CarPlay have significantly improved data protection, there is still a long way to go before consumers should feel fully safe syncing their data in rentals.

“In 2022 a grassroots movement pushed rental companies and manufacturers to go beyond the ‘guest profile’ to create temporary virtual environments where purchasers’ data would be stored during use and immediately purged after the rental period. This would have been the speediest way to resolve all ongoing concerns. Unfortunately, this measure was quickly shelved and dismissed due to no legislative support or fiscal aids to the manufacturers,” said Manraj.

The lack of regulation in the rental car industry further exacerbates the privacy risks, and the amount of data rental car companies are capable of collecting has grown. “This alone should catalyze major overhauls of internal schemes and customer communications practices. The scary part is that rental car companies may not know just how much customer data they are collecting, which means their risk management frameworks are likely incorrect,” said Nicholas Reese, adjunct professor at NYU’s Center for Global Affairs.

Experts highlighted several potential solutions that rental car companies should adopt to better safeguard customer information. The most obvious is automatic data deletion, or systems that automatically delete synced data when vehicles are returned. “Automatic data wiping between rentals should be a universal measure,” said Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant.

At the least, “Customers should be warned of the risks of syncing their devices to rental motor cars and be prompted to un-sync when the rental is returned,” said Paul Bischoff, consumer privacy advocate at Comparitech.

In addition, car manufacturers should install encryption protocols within infotainment systems to prevent unauthorized access to stored data, and rental companies should educate customers on the risks of syncing their devices to rental vehicles and provide explicit guidance on how to delete their data.

That could include having warning messages that go off once a smartphone is plugged into a rental car, telling the driver about data being stored, cached, or accessed, said Manraj. Ephemeral guest profiles that are deleted after the rental session ends could also significantly reduce the risk of residual data being left behind.

At the end of the day, said Williamson, it all boils down to one thing: “Don’t plug your phone into a rental car unless you’re sure it’s worth the risk.”

But if convenience overrules, experts recommend the following steps to safeguard your information:

Steps to take with data when returning a rental

Disconnect your phone from the car’s Wi-Fi and Bluetooth settings. Open the car’s infotainment system and navigate to the Bluetooth or Wi-Fi settings. Look for the list of paired devices and ensure you manually remove any that belong to you.

Erase navigation history. Go into the navigation settings on the car’s system and clear out your location history. This removes any saved destinations, routes, or recent searches that could reveal personal information such as your home or work address.

Perform a factory reset on the infotainment system. If you want to ensure all your data is completely wiped, look for the option to perform a factory reset in the system settings. This will restore the infotainment system to its original state, removing any personal data or paired devices that may have been stored.
