FTC Warns Consumers: Don't Sync To Your Rental Car!

Slashdot reader chicksdaddy quotes an article from Security Ledger: The Federal Trade Commission is warning consumers to beware of new 'connected car' features that allow rental car customers to connect their mobile phone or other devices to in-vehicle infotainment systems. "If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages," the FTC said in an advisory released on Tuesday. "Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers."

The Commission is advising renters to avoid syncing their mobile phones to their rental car, or to power devices via a USB port, where settings on your device may allow automatic syncing of data. Consumers who do connect their device should scrutinize any requests for permissions.
Security researchers have also discovered another car-related vulnerability. The software connecting smartphones to in-vehicle "infotainment" systems could also make cars vulnerable to remote attacks.

Well duh.

[nitehawk214]

Don't sync your devices to untrusted devices. Same as don't stick an unknown usb drive into your computer.

Though this warning is useful since most normal users may not be aware of the security risk. The ignorance of security is the same ignorance that will cause people to ignore this warning, naturally.

Re:Well duh.

Why would anyone want to sync their mobile number and contacts to their car, anyway? What possible upside is there?

Re:Well duh.

Not sure if yours is a serious question or not - but it is simple. This is to enable hands-free calling. For people who want to make and receive calls while in the car driving, this is the only legal way to do it in many areas. Although to be fair, on my way to and from work every day I see likely 10 to 12 idiots with a phone up to their ear breaking the law. I've had occasion to be on the phone in my car - how hard is it to set the thing on the seat next to you and have the speaker phone mode on? Instead, these folks blatantly break the rules. Anyway, doing it through the car - where you can typically either press a button on the steering wheel and say "call my wife on mobile" or even dispense with pushing a button in some cases is convenient for people and legal. That's why it is becoming common.

Re: Well duh.

Even in the security realm there are no absolutes.

As to your post...

You have to stick your dick in crazy at least once. Just make sure you wrap that shit up. Use fkn saran wrap if you have to.

But do it at least once. You won't be disappointed.

Re:Well duh.

[GrumpySteen]

Perhaps you should consider changing the setting that enables/disables connections to unknown devices rather than whining about it doing what you've told it you want it to do.

And if your phone somehow doesn't have that setting, upgrade to literally any other phone on the market.

Re:Well duh.

[fahrbot-bot]

Same as don't stick an unknown usb drive into your computer.

Or, more generally: Don't stick an outie part into an innie part if either is unknown.

Re:Well duh.

[judoguy]

As a software developer I always seek to uncover the fundamental underlying rules from the requirements so... "Don't stick important thingie into untrusted, but attractive thingie."

Same advice my father gave me.

Re:Well duh.

[omnichad]

Caller ID over Bluetooth does not carry name (I think)

Re:Well duh.

[djrobxx]

It's nice to be able to scroll through your contacts and dial someone on the car's UI as opposed to having to use voice dialing or look at the phone's screen (especially for names that voice recognition has trouble getting right). I agree though, it's all more complicated than it needs to be.

A lot of cars don't support using the voice input function of the phone (e.g. Siri). So they need your contacts for the voice dialing via the car's recognition capability. Once Siri hit the mainstream, I found it amusing how auto manufacturers were touting "Siri support", as if they had to do anything other than support the basic bluetooth action button, which could activate Siri on my most ancient bluetooth headset.

Re: Well duh.

[Opportunist]

You sure as fuck don't want aids, believe me. I got hearing aids and now I know what people really think of me, I was so much better off when I didn't know.

Re:Well duh.

[Big+Hairy+Ian]

Sounds like a job for USB Condom! http://int3.cc/products/usbcon...

Re:Well duh.

[ripvlan]

I rented a car that had somebodies previous data still stored in the "radio." But it got me thinking- all I wanted to do was play my music. However, there was no obvious option (in this car) to simply allow music to play (via bluetooth). The "radio" demanded that I sync everything.

A different car that I rented allowed me to play music- only when using the USB interface - which worked well and had the added benefit of charging my battery (which is how I discovered this work around). Even this car's bluetooth demanded a semi-complete sync (although I could pick and choose a few options - phone/audio required an addressbook sync).

To be "secure by design" the requirements and use-cases need to flow. Most designers probably think of 100% ownership by the driver. Not the rental world of temporary borrowership.

Rental companies may want to place a "forget me" button on the dashboard. Only one car that I've rented had an easy & obvious method to erase the data (albeit down in a deep menu choice).

Re:Well duh.

[peawormsworth]

don't stick an unknown usb drive into your computer.

Don't even charge your phone using a rented USB port. In fact, never charge your phone on any data USB port, not even from your own computer. Use a wall power charger. Why risk the integrity of your trusted home computer by plugging in an uncontrolled device like the modern mobile phone?

This is just basic security.

Re:Well duh.

[nitehawk214]

Android phones can be set to charge only. though the communication USB port on cars will only provide 500 milliamps max. (the one in my Acura must be significantly worse, the phone would drain the battery if I am using it for GPS, even with the screen off)

Dedicated power chargers will provide the full 2.1 amps to charge the phone very fast, even when it is in use. Safer and more effective, what's not to like. Just keep an extra wall charger and 12v charger in your car.

Don't Sync

[corychristison]

Most vehicles have the option to not sync your contacts, but still connect via Bluetooth for hands free driving.

If you do sync your contacts, there is normally a fairly easy way to remove the data. I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

Re:Don't Sync

[plover]

I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

+1, funny!

Oh, wait, you were serious? You're lucky if a rental company runs a vacuum cleaner over the floors before they turn the car over to the next renter. Cleaning data would be like so far down the list of stuff they do that "never" comes before it.

Re:Don't Sync

[OzPeter]

I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

+1, funny!

Oh, wait, you were serious? You're lucky if a rental company runs a vacuum cleaner over the floors before they turn the car over to the next renter. Cleaning data would be like so far down the list of stuff they do that "never" comes before it.

Too right. I once rented a car from Hertz that came with their branded GPS system (which I didn't need because I had my own system). Every time I started that car the Hertz GPS would flash up a message "Welcome [name of previous renter]" and showed me where she had been on all of her trips. I'm sure if I dug down I would have been able to find lots more information about here. As it was I spent my time trying to figure out how to keep the damn thing turned off as it was a distraction that I didn't want.

Re:Don't Sync

[Zocalo]

As someone who frequently uses hire cars, I can absolutely back this up with experience. I have *never* seen any sign that a rental agency has wiped data captured from previous renters; where applicable there has almost always been previous satnav destinations, playlists, media files, and other details saved on the in-car system. Ideally, the only thing you want to connect your phone to in a rental is a USB charging cable plugged into the cigarette lighter, but failing that at least make sure that you have established what data will transfer and how you can wipe it once your rental is over although even that is assuming that the car won't do something stupid to your phone.

Re:Don't Sync

[Zocalo]

They seem to, at least unless you specifically opt not to have one when buying new - I've certainly never had a hire car without one yet, and they're typically less than a year or two old. Unless it's going to market in those countries where smoking is still a widely accepted thing to do, I think the general expectation from manufacturers is that it's increasingly more likely to be used for power rather than as an actual cigarette lighter though.

Re:Don't Sync

[mkremer]

When I leased me vehicle last year they were all referred to as power points and did not come with a cigarette lighter and there is no ash tray either.

Re:Don't Sync

[thewolfkin]

they exist only to power cell phones but the ports are there. most telling they often don't have the lighter attachment since no one actually lights cigarettes anymore but they still need the port so it's there with a cap instead of a plug.

Re:Don't Sync

[fgouget]

I would hope that the rental company would reset the system in part of their cleanup/inspection after return, however.

Given that they don't seem to check tire pressure or verify wiper fluid level (both of which impact safety), I think expecting them to reset the infotainment system is pretty unrealistic.

Re:Poetic Justice

[hawguy]

You nerds are getting what you deserve, with your desire to put electronics and computers in everything. Poetic justice, I must say.

Except it's not the nerds that have problems with this -- the nerds already know that they shouldn't plug (or sync) their phone into untrusted systems.

That is not your data.

This isn't your data to begin with. Information stored about you (such as texts, phone numbers, call logs) are bits on a storage device owned by the service provider.

All this NSA / Snowden leak info should tell people they don't own the data that is about them. If you connect to a rental car, all your doing is syncing one company's data with another, none of which is yours.

Re:Is this a serious problem?

[OzPeter]

Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

Who says it will be the rental company employees doing the mining?

If I was a nefarious person I would rental high end cars from major airports for a day and see if any business people used the car and left any juicy details in the info system that would be very useful for social engineering attacks.

Re:Is this a serious problem?

[BlackPignouf]

You seem to be intelligent, know your subject and write good arguments.
Could I kindly ask you to leave Slashdot?

Re:How is this news?

[cjjjer]

Actually it depends on the car manufacture, Ford for example and the now defunct My Ford Touch software makes you manually pair the Bluetooth device the first time rather than automagically. Not sure if that will be the case with the new sync 3 software on the horizon.

Re:Is this a serious problem?

[hawguy]

Even if I did share my contact list or SMS messages with the car, what are rental car clerks going to do with my contacts or a text message from my sister that reads "When are you going to be here?"?

Who says it will be the rental company employees doing the mining?

If I was a nefarious person I would rental high end cars from major airports for a day and see if any business people used the car and left any juicy details in the info system that would be very useful for social engineering attacks.

Would you really? You'd spend $125 a pop just on the off chance you'd find something valuable? And since you don't want it tracked back to you, you'd use a stolen identity and credit card each time?

I said "rental car clerks" because they are the ones that have free access to every single car and it doesn't make sense to rent a car for an entire day for a 30 second operation.

Flip Sideu

So I suppose that you should wipe all data from your own car when you take it in for servicing. This might keep the mechanics and other service personal from accessing your phone records, trip logs and so forth, although the car company itself probably has all of that info already from over the air.

Proper order of operations

[wjcofkc]

"Unless you delete that data before you return the car, other people may view it, including hackers, rental car employees or even future renters."

There, fixed that. It would be fun to see this in Mr. Robot, the least (but not without) face-palming I have ever had to do when it comes to the fictional portrayal of "hackers".

Re:Is this a serious problem?

[OzPeter]

Would you really? You'd spend $125 a pop just on the off chance you'd find something valuable? And since you don't want it tracked back to you, you'd use a stolen identity and credit card each time?

I said "rental car clerks" because they are the ones that have free access to every single car and it doesn't make sense to rent a car for an entire day for a 30 second operation.

Considering that CEO fraud amounts are in the hundreds of millions annually, $125 a day for a car is peanuts.

And why would you need to change false IDs all the time? Do you really think that a victim is going to say 6 months down the road "Hmm .. my contact information got skimmed somewhere .. I bet it was that rental car I used 6 months ago was where I leaked. I better get the cops to investigate every other person who rented that same car after me." By that time the money is long gone.

What moron ...

[PPH]

... has designed a device that will automatically sync data without authenticating the peer first? I mean other than the ones that were leaned on by the NSA to make surveillance by law enforcement easy.

Needs to be said, won't be listened to

[ErichTheRed]

Lots of techies forget that 99% of the population does not care about the how it works when it comes to technology -- they care about whether it works and is easy to figure out. Phone operating systems don't even have the concept of user-accessible storage and filesystems. Of course it's all there under the hood, but it's abstracted away. All data is stored in an app-specific data store in the cloud as far as users are concerned.

Warnings like this and the "check what's in the address bar before you hand over your password" type of message need to be given. Few will listen, but putting it out there doesn't hurt. We now have what was asked for in the past -- end user systems that have almost no complexity and learning curve. It makes sense that newer generations growing up with this aren't used to files, filesystems, the concept of stored data and so on.

Re:Needs to be said, won't be listened to

[sound+vision]

You generally have to be at least 25 years old to rent a car. I'm 27... my elementary school had a lab of Apple IIs and System 7 Macs. The first computer I owned ran Windows 95. After using these systems the concept of a file, and data storage, aren't foreign. By the time the iPhone was released I had already graduated high school. It's a knowledge thing, not a generation thing.

Re: Needs to be said, won't be listened to

[Cro+Magnon]

My senior high school had two ASR-33 teletypes, plus two faster terminals: a TI Silent 700 and a CRT dumb terminal. The fast connections were 300 baud. The teletypes were 110 baud.

I didn't need all that fancy stuff in high school. My chisel and stone tablets worked fine.

FUD

[speedlaw]

This is silly. Every rental/loaner I've ever had has already five phones paired. I delete everything, and pair mine. When the car goes back I make sure I"ve deleted my profile as well. If you can read slashdot, you can figure this out, be it iDrive, Sync, CUE or AcuraLink. I'd be more concerned with leaving addresses in the satnav...but I blank those too.

"...or even hackers"

[Opportunist]

WTF?

So "hackers" is the new "criminals who use some kind of technology"? Or just "who use stuff I don't have no clue whatsoever but insist in using regardless?"

Seriously, I really, really, really wish you could kill people with a computer remotely. Only then we have at least a minimal chance to get people to actually know what they're doing with their boxes, and some idiots wouldn't be allowed near one because they'd endanger themselves and others.