Rental Cars

Are you leaving important bits behind?

 
 

Background

Recently got a chance to rent a big SUV, and while bored I started playing around with the confuser in the dashboard...

Some people won't be surprised to find out that not all (any?) rental companies are wiping the ECUs of their "smart" cars between rentals, so when your devices connect to the car you might be leaving behind info.

bt_menu.jpg

Semi-Explored Attack Surface

Looks like the car will talk some USB (great), and write out some info too

Didn't get a chance to get better at USB hax


The first time I encountered the option to Save Info to USB, I didn't

Didn't find out what "vehicle info" was here


But in a different car I downloaded the data, which turned out to be a file called asisconfig.xml:

Redact everything sensitive, and most of what you don't understand :P


This file/feature may be related to the MyLink system common in American automobiles.  Some talk on forums appears to indicate this information can be used for restoring system settings after a battery disconnect, but potentially more.  Some public asisconfig.xml information indicates a previous/different version (based on structural differences in the config file) included a section for "apps", and there is speculation the file may be used in the future for diagnostics and/or other functionality:

Address?  On the internet?  Because I didn't see that in the asisconfig.xml


As for OSS licenses, yes you might get a link shortener:

x.co is where these FOSS licenses are :-\


Or you might get it all in a very handy "touch down 200+ times" menu:

Scroll wheel mighta worked


 

Really kinda wanted to call this in:

But no...


Didn't try the hotspot, sorry

Was curious if it would work with an expired XM travel link...  but not that curious :)



Some Findings Though

Turns out there was some stuff that people (or rather, their "smart" phones) left behind.

Checking the Bluetooth menu got some device names, but nothing else:

bt_pairing.jpg

Apple CarPlay turned up a bit more though:

Note to Ashleigh: Naming your device with your full name kinda makes that info public more than you might want?


But she is not alone :-\


So some names of devices / people who previously rented the vehicle.  Not great, but not terrible...  but, voicemail!

Two full "voicemail" numbers in the ECU, which may just be the cell phone number for the devices


So yea, I'm not sure what Jon and Jeff had to do to leave that behind, maybe just call their voicemail after pairing with BT?

But as expected Jon and Jeff are in good company with Christine and Carl and plenty of other people in other rental cars:

 

Friendly reminder, unless this info is out of date and someone fixed the vuln (?), if you don't change your default voicemail settings then knowing your phone number may be all someone needs to access your voicemail, wheeeeeee!

 

So until rental companies get all involved in your privacy, maybe consider the cost/benefit of syncing w/ rental cars if you consider information like this sensitive.