Travelers, beware! Hacking lurks in plugs and ports

Last time I rented a car, its onboard infotainment system offered to pair with my iPhone, and I instinctively pushed the “yes” button.

Wrong answer.

Such convenient connections can be a trap for travelers, experts warn. The Federal Trade Commission recently sounded the alarm on smartphones interfacing with the onboard computers of rental cars, saying it could expose your personal information to future renters, employees or even hackers. There are other sources of danger for your data, including those charging stations at the airport and, of course, those “free” Internet hot spots in your hotel lobby.

Bottom line: You need to practice safe connecting with that gleaming new smartphone you got for the holidays. Tell you how in a second.

“Smart systems installed in vehicles provide a new way for hackers to steal information or install dangerous software on your phone,” warns Henry Carter, a computer science professor at Villanova University. “A malicious application could theoretically be installed that would automatically tamper with any mobile devices that were connected to the vehicle.”

I haven’t received any complaints from car renters about malicious software, but that doesn’t mean data haven’t been compromised.

Cars are essentially computers on wheels, says John Michelsen, chief product officer at Zimperium, an enterprise mobile security company. Consider the Ford F-150, whose onboard computer system has 150 million lines of code. That’s more programming than a Boeing 787, which has 7 million lines of code. You don’t know what the computer will do with the data you shared once you return the car to the lot, and chances are, neither does the car rental company.

“You may be prompted to ‘trust this computer’ when plugging in your phone,” he says. “It’s best to not trust it.”

What else shouldn’t you trust? The “free” USB charging station at the airport. Plug in your phone or tablet and an infected station can take over your device via something called “juice jacking.” I’m not making this up. Juice jacking is a real thing.

“It’s a potential vulnerability,” says Seth Ruden, a senior fraud consultant at ACI Worldwide, an electronic payment systems company. “Some organizations have demonstrated that juice jacking can access private or sensitive information in a device, while physical access to its port can be one of the most high-value avenues to exploit any weakness or vulnerability the device has.”

Again, no one I know has been juice-jacked, but that doesn’t mean it can’t happen.

“You are at risk. Simple as that,” says Chris Roberts, chief security architect at Acalvio, a developer of advanced threat detection and defense solutions. “Charging stations are nothing more than potential data-harvesting points.”

Scared yet? Well, those two threats pale in comparison to the “free” wireless networks at hotels and airports, according to experts.

“There’s significant risk with using Wi-Fi at airports, hotels and cafes to access the Internet,” says Robert D’Ovidio, an associate professor of criminal justice at Drexel University who specializes in cybercrime. The risk is from poor authentication procedures and unencrypted networks, which can expose your username and password to hackers on the network.

Jerry Irvine, the chief information officer of Prescient Solutions, puts it bluntly: “Do not use public Wi-Fi. Do not configure Wi-Fi networks or Bluetooth to automatically connect to your device.”

Have I heard from any readers who have been a victim of this? No. And as far as I know, none of my personal information shared with my last rental car was swiped by the bad guys.

But see, that’s the nefarious thing about these attacks. They can’t always be traced back to a malicious hacker on the network or in the charging station or on your car rental infotainment system. If your data have been compromised in any way while you’ve traveled, this could be why, but you’ll probably never know.

There is something all of these threats have in common. They’re all “free.” The infotainment system is part of the car. The recharging station is complimentary. And the lobby Wi-Fi is almost always free.

Maybe there’s a broader lesson about the hidden dangers of everything the travel industry claims is free but is not. If you’d rather not hurt your brain thinking about that, you can take steps to avoid these hacks (see below), but perhaps the easiest way is to walk away. To paraphrase Robert Heinlein, there ain’t no such thing as “free.”

How to practice safe connecting

• Use a virtual private network (VPN). A VPN creates a secure encrypted tunnel between your device and a server somewhere on the Internet. That makes it nearly impossible for someone on the same network to eavesdrop on your network traffic. Also, it can mask your physical location. “The added benefit of appearing to still be in the city where you live even when you share something from abroad makes it more difficult for people to pinpoint when you’re home and when you’re out of town,” says Chris Schmidt, the chief guidance officer for Codiscope, a developer of security software.

• Tell your phone to say “no.” Disable location services, Bluetooth and Wi-Fi when possible. Also, think about the permissions associated with third-party apps, which may have access to your microphone, camera and contacts. “If you need to play games on your mobile, then disable Internet access to those apps,” says Darren Hayes, a digital forensics and cybersecurity expert at Pace University.

• Use caution in cars. When renting a car, either manually enter the address into the car’s navigation system or use your own device, but don’t connect to the infotainment system, says Judi Jacobs, founder of the technology education site “Do not connect your phone via the USB outlet connection in a rental car,” she says. “Use the cigarette lighter, which only charges your device without grabbing data.”

Christopher Elliott

Christopher Elliott is an author, journalist and consumer advocate. You can read more about him on his personal website or check out his adventures on his family adventure travel site. Contact him at

  • Jeff W.

    Be careful in your choice of VPN apps. There have been recent news stories regarding how insecure some of these VPN apps really are. How a good majority leak data and some contain malware and other negative features.

    If you are using a “free” VPN app, that is not really free — just like the hotspot. The maker of the software is not providing the service out of the goodness of their hearts.

    But when you use a public wi-fi, make sure you are connecting to a legitimate network hotspot. Cyber-criminals may create a hotspot with a similar name to that which is being provided. The airport, library, Starbucks, wherever should have some physical sign somewhere that identifies the real network name to connect to.

  • SSpiffy

    Avoiding juice jacking is easy. Pick up a “power only” USB cable from Amazon or your local electronics store. Under $10 and you’re juiced and safe.

  • disqus_00YDCZxqDV

    Google “USB Condom”. It is really a thing! It allows your phone to be charged while disconnecting all the data lines that may be used for nefarious purposes (same as plugging it into a cigarette lighter socket).

  • Bill___A

    I’ve had those for a year or more, and although they are not lightning, I use a lightning adaptor with them so it works for most things I use…

  • Bill___A

    I usually check out the IP address and track it to the provider so I know it is who the vendor usually deals with. And I also have a paid for VPN (whose annual fee is now due unfortunately) but it is worth the money.

  • PsyGuy

    For that matter what about the USB ports on airplanes? My solution has always been to either use my own adapter and plug it into an outlet or charge my portable battery using the USB ports and then charge my phone from that.

    Another issue to be wary of is who is running the free internet in a particular area. It’s very easy for someone to show up in a public place with a laptop and create a wireless hotspot by internet sharing with a network name that is very close to what the actual free internet is. If you connect to the fake hotspot then the scammer has access to your web traffic and your device.

    My best advice is to be very careful with what you do over a public network, don’t do banking, don’t make purchases by bank card. Wait until you are on a known network.

  • PsyGuy

    There is no such thing as a free VPN.

  • Jeff W.

    The Google Play store is littered with apps that claim to provide free VPN abilities. Like many apps in the store, you cannot always tell the good from the bad without knowing. The comments in the store can also be as meaningless as those on Trip Advisor.

    A true and high-quality VPN would be one where you either pay for the app or pay for it via subscription. And there may be free VPN apps that offer some features of VPN, but not everything. And should it be a free app from a reputable company, they are getting paid somehow. Could be ads, could be something else on the phone — check the permissions.

  • Tim

    I know this may be too-heavy packing, but I carry a USB thumb drive with a bunch of music on it. I can plug this in to my rental car and jam to my music without connecting my phone to the car.

    I also carry a GPS that has a Bluetooth connection to my phone so I do not have to connect my phone to the car.

    Another thing: whenever I plug my phone into my computer’s USB port, I get a message that my phone is connected to a computer and offers me the option to charge only, connect to the computer, etc. Is this unique to BlackBerry or is there a similar message on iOS and Android?

  • William Leeper

    I have a free VPN. I actually configured it myself and other than the internet subscription at home, it doesn’t cost me anything.

  • William Leeper

    I don’t know about Android, but iOS asks you to “trust” or “don’t trust” the device you are connected to. If you don’t trust it, it is charge only. If you do, it data connects; however, iOS natively protects its OS and data. The only thing accessible from a computer are the photos unless you sync with iTunes.

  • PsyGuy

    Which isn’t free, you pay for your internet service fee.
