Renting a car and connecting your phone to the infotainment system? Be aware of the potential privacy risks.

  • It is crucial to avoid syncing your mobile device to a rental car's infotainment system as it poses a security risk, and car rental companies like Avis and Enterprise hold customers responsible legally.
  • A seemingly harmless action can reveal a wealth of confidential data, including contact lists, voice and text messages, passwords, garage codes, GPS coordinates, and medical and financial information.
  • Fewer than half of those who sync their smartphones to rental vehicles remember to erase their profiles and data before returning the car.

The Avis data breach that exposed the sensitive information of 300,000 customers revealed the rental car industry's critical vulnerabilities.

Another security risk that drivers overlook when using a rental car is the personal data they unknowingly leave behind when syncing their mobile device to the rental car's infotainment system.

This seemingly harmless action can reveal a wealth of sensitive data, including contact lists, voice and text messages, passwords, garage codes, GPS data, and medical and financial information, according to privacy experts.

Embedded connectivity is a growing data privacy concern as cars become more like mobile computers, with over 95% of passenger cars sold likely to have connectivity by 2030. This has reached the level of a national security concern, with the Biden administration announcing this week that it plans to ban any connected cars with Chinese hardware or software from entering the US market.

Cybersecurity expert Andrea Amico, founder of Privacy4Cars, claims that rental cars are equipped with digital vaults that store your information every time you connect your phone, and this information remains accessible to other renters, car rental employees, car manufacturers, and cybercriminals until it is manually deleted.

Hartford Steam Boiler's chief product and risk officer, James Hajjar, stated that most consumers are unaware of the threat posed by emerging cybersecurity risks and take little action to protect themselves. Hajjar pointed out that 57% of people sync their smartphones to rental vehicles, but only about half of them remember to delete their profiles and data before returning the car.

The failure to delete GPS data isn't just about privacy; it's about security. With enough data points, bad actors can map out your routines and even connect that data to social media accounts, creating detailed profiles ripe for exploitation, said Amico.

Clyde Williamson, senior product security architect at Protegrity, stated that while it would be challenging to use the information to steal someone's identity, it could be enough to identify who they are and where they've been. This information might be more than enough for someone to sell it to a scammer who would call and try to trick your grandma out of money by claiming you were in an accident or arrested. This type of attack is more common than stealing someone's identity and attempting to open a credit card.

Privacy policies say the customer is responsible

Experts agree that car rental companies should adopt best practices to better safeguard customers.

John Price, CEO of cybersecurity firm SubRosa, stresses that rental companies must safeguard this information from unauthorized access as it falls under the purview of data-protection responsibilities expected of businesses dealing with personally identifiable information (PII). However, many rental companies fail to implement adequate safeguards.

Avis and Enterprise's privacy policies state that customers are responsible for deleting any data from their devices before syncing them to the car's systems. The rental car companies also warn that they are not liable for any data left in the vehicle.

Most customers are unaware that syncing their mobile devices to these systems instantly grants permission to the companies to access their personal data. These policies are not always explicitly communicated during the rental process, leaving consumers to navigate the fine print of privacy policies they almost never read.

Amico stated that it is not fair to place the responsibility on consumers. In car rental agreements, it is stated that the data left in the car is the consumer's problem. It is not possible to assign regulatory responsibility to the consumer.

Pvotal Technologies CEO Yashin Manraj stated that although Android Auto and Apple CarPlay have enhanced data protection, there is still a considerable distance to achieving complete safety for syncing data in rental vehicles.

Manraj stated that in 2022, a grassroots movement urged rental companies and manufacturers to establish temporary virtual environments to store customers' data during use and erase it immediately after the rental period. This would have been the quickest solution to address all ongoing concerns. However, this measure was swiftly abandoned and disregarded because there was no legislative support or financial benefits to the manufacturers.

How automakers ran afoul of privacy advocates

Janssen-Anessi recommended that rental car companies implement automatic data wiping between rentals as a universal measure to better protect customer information.

Paul Bischoff, a consumer privacy advocate at Comparitech, advised that customers should be cautioned about the dangers of linking their devices to rental vehicles and urged them to disconnect when the rental period ended.

Car manufacturers should implement encryption protocols in infotainment systems to safeguard stored data, while rental companies should instruct customers on the dangers of syncing their devices to rental vehicles and offer instructions on how to erase their data.

Manraj suggested that warning messages should be displayed on smartphones when they are plugged into car rentals, informing drivers about data being stored, cached, or accessed. Additionally, temporary guest profiles that are automatically deleted after the rental session ends could significantly minimize the risk of residual data being left behind.

It all comes down to one thing, said Williamson: avoid plugging your phone into a rental car unless you're willing to take the risk.

To protect your information, experts suggest taking the following steps:

Steps to take with data when returning a rental

Disconnect your phone from the car's Wi-Fi and Bluetooth settings by opening the car's infotainment system and navigating to the Bluetooth or Wi-Fi settings. Look for the list of paired devices and ensure you manually disconnect any that belong to you.

To protect your privacy, you can clear out your location history in the car's navigation settings. This will erase any saved destinations, routes, or recent searches that could reveal personal information such as your home or work address.

To completely erase all data from the infotainment system, look for the factory reset option in the system settings. This will restore the system to its original state, removing any personal data or paired devices that may have been stored.

by Barbara Booth
