Or, What Can You Learn from Past Renters?
Recently, I’ve had to rent cars. When I get into a car, after adjusting the mirrors and seats and such, I always check out what other bluetooth devices were connected and if there is any other info about past drivers. Sometimes, there are business cards, hotel room keys, etc in the cars. In theory, all of this should be cleaned out before I sit down in the driver’s seat, but often enough, they aren’t. Which car rental company doesn’t matter, because I’ve rented from many of them and, over time, the same experience happens.
Your Data Trail: Thank you for sharing!
I’ll guarantee you none of the car rental companies consider the electronics when reseting the car between customers. I can learn phone models used in the car, radio stations, contact lists, who called who, how long they talked, and where the person went from the onboard info systems in the cars. I’ve written about this in the past.
Over the past 4 years, the situation isn’t getting better. Despite my reporting it to every car rental person on checkin, clearly not enough people are reporting nor even concerned about it. I’ve tried to report it to security contacts, but either they didn’t understand or they were only focused on actual attacks on the point of sale systems or websites of the car rental agency. In the cars I rent, I’ve resorted to just resetting the system myself to get rid of my own data trail.
I haven’t posted the details of phone calls gleaned from these systems, but realize every call made through the car is there for future renters to see. This includes phone number, but could also include length of call, number of calls made to each phone number, time of day, and whether the call was outgoing or incoming. Most of the phone numbers in the systems are easy to resolve to people via the Internet.
Since I have the addresses as entered in to the navigation system, it’s pretty easy to map out the trips. Or so I thought. Turns out only Bing Maps lets you map out a 26-point trip using letters for each stop. Google and other mapping sites stop you somewhere between 6 and 10 points. I tried openstreetmap and some other tools, but nothing seemed to really support 30-50 point trips.
These maps are based on the addresses seen in the nav system. They had dates/time associated with them, but I only used them for general guesses between renters.
Part One: Mid-Atlantic Trips
Here’s where my car had traveled. Let’s take this in parts, because that’s what the data suggests. Here’s what seems to be data from three recent renters:
The first part of the trip visits a collision repair shop, and then a number of houses for sale. And then a trip to a museum in Philadelphia and back to more houses for sale.
Possibly another renter, takes the car and heads to Cooperstown NY for the Baseball Hall of Fame and then off to Long Lake Camp. After that, back to Cooperstown, and then to New Hampshire to a resort. And then to an upstate NY airport.
Another renter than takes the car to Connecticut. After visiting a senior living facility, they head off to RI for a weekend. The car is dropped off in CT and sits for a few days, according to the nav system. Or, if someone rented it in between, they didn’t use the nav system nor make calls through the car.
The Y point with a red circle is the switch to the next set of renters.
Part Two: New England Trips
Let’s go further, here are another two renters, or perhaps one long-term renter:
A few more trips around CT, one set of nights to a different bar each night in search of craft brews given the addresses.
And then the car is at Logan Airport in Boston for a week, and then back again around Boston for a few stops.
A trip to Portland, Maine for a mid-week jaunt, and back to the Boston Airport for a short stay.
The trip ends at Logan where I picked up the car for a few days.
- The rental agency should reset the nav/information systems between renters. This sounds simple, but with so many different makes and models, there is no one easy way to do this. As part of cleaning or check-in, the worker will have to manually do it. I suspect someone could automate this process without having to resort to pulling the battery connectors and forcing a reset.
- You as a renter should reset the system on returning it to the agency. Generally, find the Settings menu, and so far, every car has had a ‘factory reset’ which will warn you all call history, navigation destinations and such are wiped. Yes, this is what you want.
Having worked in forensics for a while, don’t think this ‘factory reset’ will actually wipe data from the car. A forensic specialist can probably recover all of it via various tools specific to the model/make of the car. Here’s just one report on the topic. However, at least the next renter won’t have easy access to your trips, calls, and music.