Security and Privacy Analysis on Personal Identifiable Informationfor Connected Commercial Vehicles

Abstract

With many Americans eager to resume travel after prolonged restrictions from the coronavirus pandemic, car rentals are on the rise. According to Auto Rental News, “2021 U.S. Car Rental Revenue Climbs 21% Year-Over-Year” (Brown, 2021). In conjunction with increased car rental, and associated travel, we can expect to see an increase in cyber security and data privacy attacks.

In the digital age, enterprises have a responsibility to protect consumers’ Personally Identifiable Information (PII). As it pertains to rental vehicles, when consumers connect their mobile devices to a rental vehicle’s Entertainment and Infotainment System or utilize the built-in navigation feature, they do so, unbeknownst to themselves that the information from their devices is transferring to the vehicle, where it will remain, unless properly expunged from the system. A large majority of consumers are blissfully unaware that their PII is being stored, and how easy it would be for an adversary to potentially breach their data security and privacy. 

To expand upon this hypothesis, I conducted a further investigation on the subject, by partaking in the rental of three different vehicles, each belonging to a different manufacturer (Nissan, Chrysler, and Maserati), from three different vehicle rental companies (Enterprise, Hertz and Turo). I then, as a consumer, tested my hypothesis to determine if, I was able to easily breach the prior consumers’ data security and privacy by viewing devices that had previously connected to the vehicle, as well as any of the previous consumers’ personal information. The results were undeniable; the PII of the previous consumers is not protected.