Most people wouldn’t connect their phone to a stranger’s computer. Security experts say don’t do it with a stranger’s car either.
On Monday, the Federal Trade Commission released a warning to car owners and renters to wipe their vehicles of personal data before selling them. People who fail to take this step could be exposing their phone contacts, mobile app log-in passwords, digital content like music, location information, and even garage door codes.
“Your car is a computer that stores a lot of information about you — just like your smartphone or home computer,” an FTC consumer education specialist said in a blog post. “When you sell or donate your car, that personal data might be accessible to the next owner if you don’t take steps to remove it.”
“Some cars have a factory reset option that will return the settings and data to their original state,” the FTC warned. “But even after a factory reset, you may still have work to do. For example, your old car may still be connected to subscription services like satellite radio, mobile Wi-Fi hotspots, and data services. You need to cancel these services or have them transferred to your new vehicle.”
That lesson applies to Ubers and Lyfts and all ride-sharing services too, experts say. “Just about every car on the market these days has the ability to sync your phone to its infotainment system,” said Nathan Wenzler, chief security strategist at San Francisco-based security consulting company AsTech. “To accomplish this, these infotainment systems typically copy and store huge amounts of data from your phone on to their local systems in order to make these services faster and easier to use, but it also puts you at risk of having that same information compromised directly from the vehicle itself.”
In other words, be careful before asking your Uber driver to plug your phone in so you can listen to your own music during your ride. This data can be used to access a person’s contacts and, in a worst case scenario, gather more information for an attack, Wenzler said.
Uber has encouraged riders to play music on trips in the past through partnerships with Spotify and Pandora. A privacy spokeswoman for Uber told MarketWatch the company no longer has partnerships with those companies and discourages riders from synchronizing devices with drivers’ vehicles.
“There is always a risk when you connect your phone to an unfamiliar device or network, like when you’re using public Wi-Fi at a cafe or a charging station at the airport,” she said. “Only connect to devices and networks that you trust.”
In a rental car, connected devices can reveal where someone lives by saving recent trip data and frequented locations, said George Avetisov, chief executive officer of decentralized authentication company HYPR. “Anytime you sync a personal device with a rented device, you’re connecting to something that’s entirely outside of your control,” he said. “A car can tell a person who you know, where you have been, where you live, and quite possibly allow access to your home.”
The only way to fully remove the information is to do a factory reset of the vehicle, including satellite radio and other apps, the FTC blog post said. However, users should at least delete their device from the car’s system upon exiting if it’s a rental or Uber vehicle.