Last time I rented a car, its onboard infotainment system offered to pair with my iPhone, and I instinctively pushed the “yes” button.
Such convenient connections can be a trap for travelers, experts warn. The Federal Trade Commission recently sounded the alarm on smartphones interfacing with the onboard computers of rental cars, saying the practice could expose your personal information to future renters, employees or even hackers. There are other sources of danger for your data, including those charging stations at the airport and, of course, those “free” Internet hot spots in your hotel lobby.
Bottom line: You need to practice safe connecting with that gleaming new smartphone you got for the holidays. Tell you how in a second.
“Smart systems installed in vehicles provide a new way for hackers to steal information or install dangerous software on your phone,” warns Henry Carter, a computer science professor at Villanova University. “A malicious application could theoretically be installed that would automatically tamper with any mobile devices that were connected to the vehicle.”
I haven’t received any complaints from car renters about malicious software, but that doesn’t mean data haven’t been compromised.
Cars are essentially computers on wheels, says John Michelsen, chief product officer at Zimperium, an enterprise mobile security company. Consider the Ford F-150, whose onboard computer system has 150 million lines of code. That’s more programming than a Boeing 787, which has 7 million lines of code. You don’t know what the computer will do with the data you shared once you return the car to the lot, and chances are, neither does the car rental company.
“You may be prompted to ‘trust this computer’ when plugging in your phone,” he says. “It’s best to not trust it.”
What else shouldn’t you trust? The “free” USB charging station at the airport. Plug in your phone or tablet and an infected station can take over your device via something called “juice jacking.” I’m not making this up. Juice jacking is a real thing.
“It’s a potential vulnerability,” says Seth Ruden, a senior fraud consultant at ACI Worldwide, an electronic payment systems company. “Some organizations have demonstrated that juice jacking can access private or sensitive information in a device, while physical access to its port can be one of the most high-value avenues to exploit any weakness or vulnerability the device has.”
Again, no one I know has been juice-jacked, but that doesn’t mean it can’t happen.
“You are at risk. Simple as that,” says Chris Roberts, chief security architect at Acalvio, a developer of advanced threat detection and defense solutions. “Charging stations are nothing more than potential data-harvesting points.”
Scared yet? Well, those two threats pale in comparison to the “free” wireless networks at hotels and airports, according to experts.
“There’s significant risk with using Wi-Fi at airports, hotels and cafes to access the Internet,” says Robert D’Ovidio, an associate professor of criminal justice at Drexel University who specializes in cybercrime. The risk is from poor authentication procedures and unencrypted networks, which can expose your username and password to hackers on the network.
Jerry Irvine, the chief information officer of Prescient Solutions, puts it bluntly: “Do not use public Wi-Fi. Do not configure Wi-Fi networks or Bluetooth to automatically connect to your device.”
Have I heard from any readers who have been a victim of this? No. And as far as I know, none of my personal information shared with my last rental car was swiped by the bad guys.
But see, that’s the nefarious thing about these attacks. They can’t always be traced back to a malicious hacker on the network or in the charging station or on your car rental infotainment system. If your data have been compromised in any way while you’ve traveled, this could be why, but you’ll probably never know.
There is something all of these threats have in common. They’re all “free.” The infotainment system is part of the car. The recharging station is complimentary. And the lobby Wi-Fi is almost always free.
Maybe there’s a broader lesson about the hidden dangers of everything the travel industry claims is free but is not. If you’d rather not hurt your brain thinking about that, you can take steps to avoid these hacks (see below), but perhaps the easiest way is to walk away. To paraphrase Robert Heinlein, there ain’t no such thing as “free.”
How to practice safe connecting
• Use a virtual private network (VPN). A VPN creates a secure encrypted tunnel between your device and a server somewhere on the Internet. That makes it nearly impossible for someone on the same network to eavesdrop on your network traffic. Also, it can mask your physical location. “The added benefit of appearing to still be in the city where you live even when you share something from abroad makes it more difficult for people to pinpoint when you’re home and when you’re out of town,” says Chris Schmidt, the chief guidance officer for Codiscope, a developer of security software.
• Tell your phone to say “no.” Disable location services, Bluetooth and Wi-Fi when possible. Also, think about the permissions associated with third-party apps, which may have access to your microphone, camera and contacts. “If you need to play games on your mobile, then disable Internet access to those apps,” says Darren Hayes, a digital forensics and cybersecurity expert at Pace University.
• Use caution in cars. When renting a car, either manually enter the address into the car’s navigation system or use your own device, but don’t connect to the infotainment system, says Judi Jacobs, founder of the technology education site TheTechWizard.com. “Do not connect your phone via the USB outlet connection in a rental car,” she says. “Use the cigarette lighter, which only charges your device without grabbing data.”