Slashdot Mirror


FTC Warns Consumers: Don't Sync To Your Rental Car! (securityledger.com)

Slashdot reader chicksdaddy quotes an article from Security Ledger: The Federal Trade Commission is warning consumers to beware of new 'connected car' features that allow rental car customers to connect their mobile phone or other devices to in-vehicle infotainment systems. "If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages," the FTC said in an advisory released on Tuesday. "Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers."

The Commission is advising renters to avoid syncing their mobile phones to their rental car, or to power devices via a USB port, where settings on your device may allow automatic syncing of data. Consumers who do connect their device should scrutinize any requests for permissions.

Security researchers have also discovered another car-related vulnerability. The software connecting smartphones to in-vehicle "infotainment" systems could also make cars vulnerable to remote attacks.

67 comments

  1. Well duh. by nitehawk214 · · Score: 4, Insightful

    Don't sync your devices to untrusted devices. Same as don't stick an unknown USB drive into your computer.

    Though this warning is useful since most normal users may not be aware of the security risk. The ignorance of security is the same ignorance that will cause people to ignore this warning, naturally.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
    1. Re:Well duh. by Anonymous Coward · · Score: 0

      Having to be conscious of this fact in some rental cars, every single time you turn the fucker on, is incredibly annoying. Better not touch your screen in the wrong spot when it connects and inquires if it can pilfer all your data this go around.

      Looks like even though I am aware of this I must have touched the screen and bumped the OK button in my last rental without noticing; Bluetooth settings say it had full access :/

    2. Re:Well duh. by Anonymous Coward · · Score: 1

      Why would anyone want to sync their mobile number and contacts to their car, anyway? What possible upside is there?

    3. Re:Well duh. by Anonymous Coward · · Score: 1

      Not sure if yours is a serious question or not - but it is simple. This is to enable hands-free calling. For people who want to make and receive calls while in the car driving, this is the only legal way to do it in many areas. Although to be fair, on my way to and from work every day I see likely 10 to 12 idiots with a phone up to their ear breaking the law. I've had occasion to be on the phone in my car - how hard is it to set the thing on the seat next to you and have the speaker phone mode on? Instead, these folks blatantly break the rules. Anyway, doing it through the car - where you can typically either press a button on the steering wheel and say "call my wife on mobile" or even dispense with pushing a button in some cases is convenient for people and legal. That's why it is becoming common.

    4. Re: Well duh. by Anonymous Coward · · Score: 0

      TFA says it may happen even when charging.

    5. Re: Well duh. by Anonymous Coward · · Score: 0

      I don't see what the problem is. I always take my bare dick and plug it in to all sorts of untrusted sockets. All you jerks don't know what you are talking about. Now if you'll excuse me, I'm late for my doctor's appointment about something called aids or some shit, it's probably nothing...

    6. Re: Well duh. by Anonymous Coward · · Score: 0

      Don't forget the sage advice of never sticking your dick in crazy either. You never know what you could be getting into, but there are those that are going to do it anyways and learn the hard way. Either through ignorance or plain stupidity.

      Just keep your shit to yourself. Whether it be phone, dick, or other. Simple.

    7. Re: Well duh. by Anonymous Coward · · Score: 1

      Even in the security realm there are no absolutes.

      As to your post...

      You have to stick your dick in crazy at least once. Just make sure you wrap that shit up. Use fkn saran wrap if you have to.

      But do it at least once. You won't be disappointed.

    8. Re:Well duh. by GrumpySteen · · Score: 1

      Perhaps you should consider changing the setting that enables/disables connections to unknown devices rather than whining about it doing what you've told it you want it to do.

      And if your phone somehow doesn't have that setting, upgrade to literally any other phone on the market.

    9. Re:Well duh. by Anonymous Coward · · Score: 0

      Why can't the hands-free mode be a simple input device into the phone? I don't see why the car needs to know the contacts list for my phone any more than my keyboard needs to know the contacts list for my email program.

    10. Re:Well duh. by fahrbot-bot · · Score: 1

      Same as don't stick an unknown usb drive into your computer.

      Or, more generally: Don't stick an outie part into an innie part if either is unknown.

      --
      It must have been something you assimilated. . . .
    11. Re: Well duh. by Anonymous Coward · · Score: 0

      The problem there is that they can hide the crazy for a couple of years :(

    12. Re:Well duh. by judoguy · · Score: 1
      As a software developer I always seek to uncover the fundamental underlying rules from the requirements so... "Don't stick important thingie into untrusted, but attractive thingie."

      Same advice my father gave me.

      --
      Peace is easy to achieve, just surrender. Liberty is much harder to get/keep.

    13. Re:Well duh. by omnichad · · Score: 1

      Caller ID over Bluetooth does not carry name (I think)

    14. Re:Well duh. by djrobxx · · Score: 1

      It's nice to be able to scroll through your contacts and dial someone on the car's UI as opposed to having to use voice dialing or look at the phone's screen (especially for names that voice recognition has trouble getting right). I agree though, it's all more complicated than it needs to be.

      A lot of cars don't support using the voice input function of the phone (e.g. Siri). So they need your contacts for the voice dialing via the car's recognition capability. Once Siri hit the mainstream, I found it amusing how auto manufacturers were touting "Siri support", as if they had to do anything other than support the basic Bluetooth action button, which could activate Siri on my most ancient Bluetooth headset.

    15. Re: Well duh. by Anonymous Coward · · Score: 0

      Exactly. No need to "sync" anything just to use the speakers.

    16. Re: Well duh. by Opportunist · · Score: 1

      You sure as fuck don't want aids, believe me. I got hearing aids and now I know what people really think of me, I was so much better off when I didn't know.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    17. Re:Well duh. by Big+Hairy+Ian · · Score: 1

      Sounds like a job for USB Condom! http://int3.cc/products/usbcon...

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    18. Re:Well duh. by ripvlan · · Score: 1

      I rented a car that had somebody's previous data still stored in the "radio." But it got me thinking - all I wanted to do was play my music. However, there was no obvious option (in this car) to simply allow music to play (via Bluetooth). The "radio" demanded that I sync everything.

      A different car that I rented allowed me to play music - only when using the USB interface - which worked well and had the added benefit of charging my battery (which is how I discovered this workaround). Even this car's Bluetooth demanded a semi-complete sync (although I could pick and choose a few options - phone/audio required an address book sync).

      To be "secure by design" the requirements and use-cases need to flow. Most designers probably think of 100% ownership by the driver. Not the rental world of temporary borrowership.

      Rental companies may want to place a "forget me" button on the dashboard. Only one car that I've rented had an easy & obvious method to erase the data (albeit down in a deep menu choice).

    19. Re: Well duh. by Anonymous Coward · · Score: 0

      Until marriage usually.

    20. Re:Well duh. by peawormsworth · · Score: 1

      don't stick an unknown USB drive into your computer.

      Don't even charge your phone using a rented USB port. In fact, never charge your phone on any data USB port, not even from your own computer. Use a wall power charger. Why risk the integrity of your trusted home computer by plugging in an uncontrolled device like the modern mobile phone?

      This is just basic security.

    21. Re:Well duh. by nitehawk214 · · Score: 1

      Android phones can be set to charge only, though the communication USB port on cars will only provide 500 milliamps max. (The one in my Acura must be significantly worse; the phone would drain the battery if I am using it for GPS, even with the screen off.)

      Dedicated power chargers will provide the full 2.1 amps to charge the phone very fast, even when it is in use. Safer and more effective, what's not to like? Just keep an extra wall charger and 12V charger in your car.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  2. Poetic Justice by Anonymous Coward · · Score: 0

    You nerds are getting what you deserve, with your desire to put electronics and computers in everything. Poetic justice, I must say.

    1. Re:Poetic Justice by hawguy · · Score: 3, Informative

      You nerds are getting what you deserve, with your desire to put electronics and computers in everything. Poetic justice, I must say.

      Except it's not the nerds that have problems with this -- the nerds already know that they shouldn't plug (or sync) their phone into untrusted systems.

    2. Re: Poetic Justice by Anonymous Coward · · Score: 0

      Stop wanting stuff and we nerds will stop supplying it. Features like these are market driven.

  3. Don't Sync by corychristison · · Score: 1

    Most vehicles have the option to not sync your contacts, but still connect via Bluetooth for hands-free driving.

    If you do sync your contacts, there is normally a fairly easy way to remove the data. I would hope that the rental company would reset the system as part of their cleanup/inspection after return, however.

    1. Re:Don't Sync by plover · · Score: 5, Insightful

      I would hope that the rental company would reset the system as part of their cleanup/inspection after return, however.

      +1, funny!

      Oh, wait, you were serious? You're lucky if a rental company runs a vacuum cleaner over the floors before they turn the car over to the next renter. Cleaning data would be like so far down the list of stuff they do that "never" comes before it.

      --
      John
    2. Re:Don't Sync by OzPeter · · Score: 1

      I would hope that the rental company would reset the system as part of their cleanup/inspection after return, however.

      +1, funny!

      Oh, wait, you were serious? You're lucky if a rental company runs a vacuum cleaner over the floors before they turn the car over to the next renter. Cleaning data would be like so far down the list of stuff they do that "never" comes before it.

      Too right. I once rented a car from Hertz that came with their branded GPS system (which I didn't need because I had my own system). Every time I started that car the Hertz GPS would flash up a message "Welcome [name of previous renter]" and showed me where she had been on all of her trips. I'm sure if I dug down I would have been able to find lots more information about her. As it was I spent my time trying to figure out how to keep the damn thing turned off as it was a distraction that I didn't want.

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:Don't Sync by Zocalo · · Score: 1

      As someone who frequently uses hire cars, I can absolutely back this up with experience. I have *never* seen any sign that a rental agency has wiped data captured from previous renters; where applicable there have almost always been previous satnav destinations, playlists, media files, and other details saved on the in-car system. Ideally, the only thing you want to connect your phone to in a rental is a USB charging cable plugged into the cigarette lighter, but failing that at least make sure that you have established what data will transfer and how you can wipe it once your rental is over, although even that assumes that the car won't do something stupid to your phone.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Don't Sync by Anonymous Coward · · Score: 0

      Do all new cars have cigarette lighters these days?

    5. Re: Don't Sync by Anonymous Coward · · Score: 0

      The last 2 I rented didn't have aux ports, so no tunes for me!

    6. Re:Don't Sync by Zocalo · · Score: 1

      They seem to, at least unless you specifically opt not to have one when buying new - I've certainly never had a hire car without one yet, and they're typically less than a year or two old. Unless it's going to market in those countries where smoking is still a widely accepted thing to do, I think the general expectation from manufacturers is that it's increasingly likely to be used for power rather than as an actual cigarette lighter though.

      --
      UNIX? They're not even circumcised! Savages!
    7. Re:Don't Sync by mkremer · · Score: 2

      When I leased my vehicle last year they were all referred to as power points and did not come with a cigarette lighter, and there is no ashtray either.

    8. Re:Don't Sync by thewolfkin · · Score: 2

      They exist only to power cell phones, but the ports are there. Most telling, they often don't have the lighter attachment since no one actually lights cigarettes anymore, but they still need the port, so it's there with a cap instead of a plug.

      --
      Just another second banana
    9. Re:Don't Sync by fgouget · · Score: 1

      I would hope that the rental company would reset the system as part of their cleanup/inspection after return, however.

      Given that they don't seem to check tire pressure or verify wiper fluid level (both of which impact safety), I think expecting them to reset the infotainment system is pretty unrealistic.

  4. Alternative by Anonymous Coward · · Score: 0

    The cigarette-lighter-to-USB adapters are cheap. They work for charging. If you need more than the built-in speakerphone, you could bring something like a visor-clip Bluetooth speaker and microphone. That too could be charged from a second port on the cigarette lighter adapter.

    In general though you have to regard a rental car's systems as potentially compromised. It would be like buying a used computer and trusting the OS load on it not to be full of malware. Well, it is perhaps not that bad yet, but give it time...

  5. How is this news? by Anonymous Coward · · Score: 0

    This has been the case for years. Did someone just wake up and realize this is happening? Oh wait, the government. iDarwin...this is not survival of the dumbest. Let their data be mined, just like all the Pokemon Go sheep.

    1. Re:How is this news? by cjjjer · · Score: 1

      Actually it depends on the car manufacturer. Ford, for example, and the now-defunct MyFord Touch software make you manually pair the Bluetooth device the first time rather than automagically. Not sure if that will be the case with the new Sync 3 software on the horizon.

  6. That is not your data. by Anonymous Coward · · Score: 1

    This isn't your data to begin with. Information stored about you (such as texts, phone numbers, call logs) is bits on a storage device owned by the service provider.

    All this NSA / Snowden leak info should tell people they don't own the data that is about them. If you connect to a rental car, all you're doing is syncing one company's data with another, none of which is yours.

    1. Re:That is not your data. by Anonymous Coward · · Score: 0

      Data pertaining to you is "your data" by definition. It doesn't matter whether you "own" it. You don't own your mother either, but she's still your mom.

  7. Is this a serious problem? by hawguy · · Score: 0

    Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

    Thousands of car rental employees mining car entertainment systems for data seems like an awfully inefficient way for hackers to harvest data when it's far easier to do the same thing by releasing a trojan horse app to collect the data.

    1. Re:Is this a serious problem? by OzPeter · · Score: 3, Interesting

      Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

      Who says it will be the rental company employees doing the mining?

      If I was a nefarious person I would rent high-end cars from major airports for a day and see if any business people used the car and left any juicy details in the info system that would be very useful for social engineering attacks.

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Is this a serious problem? by Anonymous Coward · · Score: 0

      What if the trojan horse is installed on the rental car because someone previously hacked it, and it gets onto your phone the moment you plug it in?

      Phones need a "don't sync anything by default" setting where they can have a Bluetooth or USB connection for regular phone operations, but nothing else. Same on the car side.

      The risks when you use someone else's car are obvious whether it's a rental or you are borrowing a friend's car.

    3. Re:Is this a serious problem? by Anonymous Coward · · Score: 0

      Look, just because you're not constantly on the run from a ring of international assassins, does not mean nobody else has these concerns.

      Some of us value our lives.

    4. Re:Is this a serious problem? by BlackPignouf · · Score: 1

      You seem to be intelligent, know your subject and write good arguments.
      Could I kindly ask you to leave Slashdot?

    5. Re:Is this a serious problem? by hawguy · · Score: 1

      Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

      Who says it will be the rental company employees doing the mining?

      If I was a nefarious person I would rent high-end cars from major airports for a day and see if any business people used the car and left any juicy details in the info system that would be very useful for social engineering attacks.

      Would you really? You'd spend $125 a pop just on the off chance you'd find something valuable? And since you don't want it tracked back to you, you'd use a stolen identity and credit card each time?

      I said "rental car clerks" because they are the ones that have free access to every single car and it doesn't make sense to rent a car for an entire day for a 30 second operation.

    6. Re:Is this a serious problem? by OzPeter · · Score: 1

      Would you really? You'd spend $125 a pop just on the off chance you'd find something valuable? And since you don't want it tracked back to you, you'd use a stolen identity and credit card each time?

      I said "rental car clerks" because they are the ones that have free access to every single car and it doesn't make sense to rent a car for an entire day for a 30 second operation.

      Considering that CEO fraud amounts are in the hundreds of millions annually, $125 a day for a car is peanuts.

      And why would you need to change false IDs all the time? Do you really think that a victim is going to say 6 months down the road "Hmm .. my contact information got skimmed somewhere .. I bet it was that rental car I used 6 months ago where I leaked. I better get the cops to investigate every other person who rented that same car after me." By that time the money is long gone.

      --
      I am Slashdot. Are you Slashdot as well?
    7. Re:Is this a serious problem? by Anonymous Coward · · Score: 0

      Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

      Who says it will be the rental company employees doing the mining?

      If I was a nefarious person I would rent high-end cars from major airports for a day and see if any business people used the car and left any juicy details in the info system that would be very useful for social engineering attacks.

      Would you really? You'd spend $125 a pop just on the off chance you'd find something valuable? And since you don't want it tracked back to you, you'd use a stolen identity and credit card each time?

      I said "rental car clerks" because they are the ones that have free access to every single car and it doesn't make sense to rent a car for an entire day for a 30 second operation.

      IP is valuable. A foreign country could likely find out which car rental companies are favored by certain companies. Mining the data from their employees indirectly is a good way to start a social engineering based attack. Of course if you could somehow load a malicious payload onto their device then you may have a long term surveillance tool.

      Seriously, if you could load arbitrary code on a phone, how hard would it be to record all calls and send them to a foreign server compressed at say 8Kbps?

      Hell it doesn't even have to be direct attacks at IP. Just the insider trading possibilities are endless. Combine the two and you may have a profitable, if highly illegal business...

  8. Voice memos by Anonymous Coward · · Score: 0

    Captain's log – stardate 3352.4
    Due to a transporter malfunction, we have been stranded on the surface of Earth in the year 2016. We have been unable to find means to return and have learned to survive by following the cultural phenomena known as ComicCon.

  9. Don't tell me what to do! by Anonymous Coward · · Score: 0

    Everybody tracks everyone, everybody keeps all the information they can get, the most trivial of interactions leave consumers vulnerable, and the FTC warns consumers, who are not even theoretically in full control of their devices, not to charge their phones in a rental car? I say charge all you want and SUE THE FUCKERS who sniff your data and the greedy arseholes who built your phone. If they wanna be root on your devices, they better be held responsible.

  10. Tear it out by Anonymous Coward · · Score: 0

    If I were to purchase a new car (something I would never do because it is a waste of money) I would ask them to tear out all the "connected" garbage. Aftermarket sound systems are always better anyway.

  11. remember when.. by Anonymous Coward · · Score: 0

    a car was just a car...
    a phone was just a phone...
    a television was just a television...

    1. Re:remember when.. by Anonymous Coward · · Score: 0

      a television was just a television...

      What is a... "television"?

  12. Flip Side by Anonymous Coward · · Score: 1

    So I suppose that you should wipe all data from your own car when you take it in for servicing. This might keep the mechanics and other service personnel from accessing your phone records, trip logs and so forth, although the car company itself probably has all of that info already from over the air.

  13. People don't care by Anonymous Coward · · Score: 0

    If millennials cared about their privacy, they wouldn't post each and every minute detail of their private lives on Facebook or Instagram.

    A wise man once said that democracy is tyranny of the clueless masses over the thinking minority.

  14. Proper order of operations by wjcofkc · · Score: 1

    "Unless you delete that data before you return the car, other people may view it, including hackers, rental car employees or even future renters."

    There, fixed that. It would be fun to see this in Mr. Robot, the least (but not without) face-palming I have ever had to do when it comes to the fictional portrayal of "hackers".

    --
    Brought to you by Carl's Junior.
  15. iPhone 7 anyone? by Anonymous Coward · · Score: 0

    With Apple removing the 3.5mm plug from the iPhone 7, this is yet another inconvenience for any potential buyer, as Bluetooth streaming OR remembering to bring YET ANOTHER adapter are the only options.

    Apple HATES people who travel, or they really don't care for them very much as customers.

    Either way, it's a middle finger to consumer options.

  16. Goes for buying used cars too by Anonymous Coward · · Score: 0

    I bought a used car and it still had the previous owner's numbers in it. Don't expect the dealer to do it; they basically wash 'em and detail 'em and push 'em out on the lot these days. But if you're using a rental car, the ability to know how to erase all that data can be confusing. Not likely something people think about very much, but obviously should. Reminds me of a rather significant figure on how many notebooks go lost in airports. I mean, how do you forget your notebook? Or smartphone for that matter? Of course parents leave kids in hot cars to die, so what do I know. Maybe humans are getting dumber by the day.

  17. FTC Warns Drooling Morons by Anonymous Coward · · Score: 0

    The FTC warned drooling morons that by leaving lists of their private information in a public place, other people could read the information.

    The FTC failed to also warn the drooling morons about GPS location histories in rental cars, giving subsequent renters a detailed list of your travel destinations.

    Truth be told though, the omission is probably a moot point anyway, as no one sees or pays any attention to the FTC's announcements. This is most especially true for drooling morons.

  18. What moron ... by PPH · · Score: 1

    ... has designed a device that will automatically sync data without authenticating the peer first? I mean other than the ones that were leaned on by the NSA to make surveillance by law enforcement easy.

    --
    Have gnu, will travel.
  19. Needs to be said, won't be listened to by ErichTheRed · · Score: 4, Insightful

    Lots of techies forget that 99% of the population does not care about how it works when it comes to technology -- they care about whether it works and is easy to figure out. Phone operating systems don't even have the concept of user-accessible storage and filesystems. Of course it's all there under the hood, but it's abstracted away. All data is stored in an app-specific data store in the cloud as far as users are concerned.

    Warnings like this and the "check what's in the address bar before you hand over your password" type of message need to be given. Few will listen, but putting it out there doesn't hurt. We now have what was asked for in the past -- end user systems that have almost no complexity and learning curve. It makes sense that newer generations growing up with this aren't used to files, filesystems, the concept of stored data and so on.

    1. Re:Needs to be said, won't be listened to by sound+vision · · Score: 1

      You generally have to be at least 25 years old to rent a car. I'm 27... my elementary school had a lab of Apple IIs and System 7 Macs. The first computer I owned ran Windows 95. After using these systems the concept of a file, and data storage, aren't foreign. By the time the iPhone was released I had already graduated high school. It's a knowledge thing, not a generation thing.

    2. Re: Needs to be said, won't be listened to by Anonymous Coward · · Score: 0

      My senior high school had two ASR-33 teletypes, plus two faster terminals: a TI Silent 700 and a CRT dumb terminal. The fast connections were 300 baud. The teletypes were 110 baud.

    3. Re: Needs to be said, won't be listened to by Cro+Magnon · · Score: 1

      My senior high school had two ASR-33 teletypes, plus two faster terminals: a TI Silent 700 and a CRT dumb terminal. The fast connections were 300 baud. The teletypes were 110 baud.

      I didn't need all that fancy stuff in high school. My chisel and stone tablets worked fine.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  20. FUD by speedlaw · · Score: 3, Insightful

    This is silly. Every rental/loaner I've ever had already has five phones paired. I delete everything, and pair mine. When the car goes back I make sure I've deleted my profile as well. If you can read Slashdot, you can figure this out, be it iDrive, Sync, CUE or AcuraLink. I'd be more concerned with leaving addresses in the satnav...but I blank those too.

  21. "...or even hackers" by Opportunist · · Score: 1

    WTF?

    So "hackers" is the new "criminals who use some kind of technology"? Or just "who use stuff I don't have no clue whatsoever about but insist on using regardless?"

    Seriously, I really, really, really wish you could kill people with a computer remotely. Only then would we have at least a minimal chance to get people to actually know what they're doing with their boxes, and some idiots wouldn't be allowed near one because they'd endanger themselves and others.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.