Data Privacy in Connected Vehicle Infotainment Systems: A Comprehensive Framework for Rental Vehicles

Abstract

"In today’s automotive landscape, the pairing of mobile devices to connected vehicles is the norm, offering consumers a range of benefits, such as hands-free driving and remote vehicle control. Alongside these conveniences, a significant problem has emerged concerning the accumulation of personal identifiable information (PII) on vehicle infotainment systems. This issue becomes particularly concerning in the context of rental vehicles, where consumers frequently connect their mobile devices and often fail to delete their data before returning the vehicle. Consequently, this oversight can expose sensitive PII to subsequent renters, raising concerns about data security and privacy.

The problem addressed by this dissertation is the inadequate protection of PII in connected vehicles, specifically in rental cars, and the lack of automated systems to safeguard this sensitive information. Existing research indicates that renters are typically unaware of the need to manually delete their data or of who holds the responsibility for ensuring data security. This knowledge gap increases the risk of data breaches, as PII such as contact lists, call logs, and navigation history remain accessible to future users of the same vehicle.

To investigate this issue, the research is structured around several key questions: How aware are renters of the risks posed by leaving PII in rental vehicle infotainment systems? Are current privacy practices sufficient to mitigate these risks? Do consumers support the implementation of an automated solution for PII deletion? The study employs a combination of methods, including consumer surveys and hands-on experiments with rental vehicles from three different providers (Enterprise, Hertz, and Turo). The hands-on experiment tested whether personal data from previous renters could be accessed and identified how easily that information could be exploited. The results of our research confirmed that renters neglected to delete their PII from the vehicle’s infotainment systems, leaving sensitive data accessible to subsequent users. The hands-on experiment of rental vehicles demonstrated that it was indeed possible to retrieve personal information from previous renters, underscoring the severity of the privacy risks involved. Our consumer survey further reinforced these findings: while 83.3% of respondents indicated that they valued their personal information highly, the majority were unaware of their responsibility to manually delete their data before returning the vehicle. Additionally, the survey revealed strong support for an automated solution, with 100% of respondents favoring an automated system to mitigate the risks associated with PII retention in rental vehicles.

In response to these findings, this dissertation introduces the Vehicle Inactive Profile Remover (VIPR), an innovative automated solution designed to safeguard PII in rental vehicles. VIPR works by distinguishing between ""Active"" and ""Inactive"" profiles within a vehicle's Bluetooth stack and systematically deletes PII from inactive profiles at regular intervals. This automated approach ensures that sensitive data is removed before the next renter uses the vehicle, mitigating the privacy risks identified in the study. We evaluated VIPR in both real-world rental car environments and a controlled laboratory setting. The solution achieved a 99.5% success rate in removing user profiles, with an average deletion time of less than 4.8 seconds. These results demonstrate VIPR’s effectiveness in protecting PII and ensuring data privacy in connected vehicle systems.

The research presented in this dissertation emphasizes the urgent need for automated data deletion solutions in the rental vehicle market, where PII vulnerabilities are prevalent. The successful implementation of VIPR represents a significant advancement in automotive cybersecurity, offering a practical and scalable solution to protect consumers' personal data in an increasingly interconnected world. By addressing this critical gap, VIPR promotes a safer and more secure experience for vehicle renters and underscores the importance of privacy in the age of connected and autonomous vehicles."