“Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)”
Such a statement about not selling data can be very misleading, because the essential statement of saying “we do not share your location data” does not seem to have been made! Please, let us stop falling for the trick of companies saying that they do not sell our data as somehow equating to them respecting our privacy, because it is not an equivalence.
“While we worried that our doorbells and watches that connect to the Internet
might be[are] spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla’s report reads.“People are being tracked in ways that they have no idea are happening.”
“the minute you hook up your phone to Bluetooth, it automatically downloads all the information off your phone, which is sent back to the vehicle manufacturer.”
“if you want to protect the data on your phone, don’t connect it to the car.”
I assume, “does not sell location data,” is like the government which “does not sell laws,” but ‘our 884 lobbying partners’ can have influence.
the minute you hook up your phone to Bluetooth, it automatically downloads all the information off your phone
But this I’m skeptical of. What data does it get from the phone? Bluetooth you can allow it to have your call history, right? And maybe contacts? At least you can choose, I think?
Good to know if I ever need to find out where my lesbian cousin is.
Remember when hyundais could be unlocked with just a usb cable and a phone? And hyundai wanted people to pay for the fix after breaking into hyundais became a trend on tiktok.
It is to see even og jap brand enshitifying…
Looking at your Honda and Toyota
This data mining business bullshit should be illegal. Their job is to make cheap and reliabt cars. Why are they selling my data to big tech?
Their job is literally to do things that make company profits. What fantasy land are you talking about? And what do I need to take to go there??
Is that what they told you in “college”
Nobody’s mentioned that the vulnerability was “immediately” fixed (within 24h according to a comment on a related post in the cybersecurity community). Like, the fact that this is even possible to begin with is obviously bullshit, and makes me wish I’d ripped the starlink box out of my car, but this is not the rampant and actively exploited thing that the headline would have me believe it is.
Someone is going to exploit this to make a great lesbian dating app
We should all start asking around our local auto shops that handle software and ask if they disable gps or internet services.
It’s not illegal to modify your own vehicle (yet) so jailbreaking these shitty cars would be an awesome service.
I doubt there would be any auto shops that can reliably deal with software side elements that aren’t the dealership, and the dealership would refuse.
Car manufacturers are required by law to offer the same tools that dealers use for independent repair shops to repair their vehicles.
Some cars are more programmable than others. BMWs for example you can change pretty much anything about the car. But most cars aren’t as modifiable as them.
I doubt car manufacturers offer the ability to jailbreak their car OS to independent repair shops.
You’re looking for a hacker, not a dude who changes oil.
True, much easier to remove the antennas and SIM cards.
Until you find out the cars won’t start without them :(
We’re in a scary new world… I’m glad I’m old with no kids and not in great health.
It’s so frustrating that if you buy a modern car you have to give up any semblance of privacy
I appreciate my 12 yr old car for this reason. Also, physical buttons I can hit without taking my eyes off the road
My 2004 was the newest car I’d had when I bought it in 2018. I don’t plan on ever buying anything newer.
My 2021 Seat Leon has this idiotic panel on the semi underside of the dash on the left side of the steering wheel.
It controls the headlight modes, fog lights, and, most annoyingly, front and rear de-mist, all controlled by touch buttons.
So if you are driving and the windows are fogging up for some reason, you need to take your eyes off the road and carefully touch only the two buttons for de-misting.
I counter the privacy crap with a constant stream of podcasts when I drive…
2012 prius-c, physical air-conditioning temp knob, physical buttons for everything. Added CarPlay receiver, and it’s the perfect vehicle. No electronic “syncing” to be done. Just works.
I like the one that sells your data about your sexual orientation, lol. It’s just so beyond the pale these days.
That was Nissan. I don’t think that it was ever established that they were, just that their click-through privacy agreement had the consumer explicitly give them the right to do so.
kagis
They apparently say that they put it in there because the data that they did collect would permit inferring sexual orientation (like, I assume that if they’re harvesting location data and someone is parking outside gay bars, it’s probably possible to data-mine that).
https://nypost.com/2023/09/06/nissan-kia-collect-data-about-drivers-sexual-activity/
On Nissan’s official web page outlining its privacy policy, the Japan-based company said that it collects drivers’ “sensitive personal information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.”
“Nissan does not knowingly collect or disclose consumer information on sexual activity or sexual orientation,” a company spokesperson told The Post.
“Some state laws require us to account for inadvertent data collection or information that could be inferred from other data, such as geolocation.”
Yep. I’m stuck driving cars from the mid-2000s at the latest because it’s a deal-breaker for me.
I’d love to have an electric car, but because they’re all newer than that (except for some really rare compliance/fleet-only cars from the '90s with NiMH batteries, like the Ford Ranger and first-gen RAV4), I’d have to convert an ICE car to electric myself.
Shah and Curry’s research that led them to the discovery of Subaru’s vulnerabilities began when they found that Curry’s mother’s Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees’ passwords simply by guessing their email address, which gave them the ability to take over any employee’s account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user’s browser, not on Subaru’s server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.
Yeah, this kinda bothers me with computer security in general. So, the above is really poor design, right? But that emerges from the following:
-
Writing secure code is hard. Writing bug-free code in general is hard, haven’t even solved that one yet, but specifically for security bugs you have someone down the line potentially actively trying to exploit the code.
-
It’s often not very immediately visible to anyone how actually secure code code is. Not to customers, not to people at the company using the code, and sometimes not even to the code’s author. It’s not even very easy to quantify security – I mean, there are attempts to do things like security certification of products, but…they’re all kind of limited.
-
Cost – and thus limitations on time expended and the knowledge base of whoever you have working on the thing – is always going to be present. That’s very much going to be visible to the company. Insecure code is cheaper to write than secure code.
In general, if you can’t evaluate something, it’s probably not going to be very good, because it won’t be taken into account in purchasing decisions. If a consumer buys a car, they can realistically evaluate its 0-60 time or the trunk space it has. But they cannot realistically evaluate how secure the protection of their data is. And it’s kinda hard to evaluate how secure code is. Even if you look at a history of exploits (software package X has had more reported security issues than software package Y), different code gets different levels of scrutiny.
You can disincentivize it via market regulation with fines. But that’s got its own set of issues, like encouraging companies not to report actual problems, where they can get away with it. And it’s not totally clear to me that companies are really able to effectively evaluate the security of the code they have.
And I’ve not been getting more comfortable with this over time, as compromises have gotten worse and worse.
thinks
Maybe do something like we have with whistleblower rewards.
https://www.whistleblowers.org/whistleblower-protections-and-rewards/
- The False Claims Act, which requires payment to whistleblowers of between 15 and 30 percent of the government’s monetary sanctions collected if they assist with prosecution of fraud in connection with government contracting and other government programs;
- The Dodd-Frank Act, which requires payment to whistleblowers of between 10 percent and 30 percent of monetary sanctions collected if they assist with prosecution of securities and commodities fraud; and
- The IRS whistleblower law, which requires payment to whistleblowers of 15 to 30 percent of monetary sanctions collected if they assist with prosecution of tax fraud.
So, okay. Say we set something up where fines for having security flaws exposing certain data or providing access to certain controls exist, and white hat hackers get a mandatory N percent of that fine if they report it to the appropriate government agency. That creates an incentive to have an unaffiliated third party looking for problems. That’s a more-antagonistic relationship with the target than normally currently exists – today, we just expect white hats to report bugs for reputation or maybe, for companies that have it, for a reporting reward. This shifts things so that you have a bunch of people effectively working for the government. But it’s also a market-based approach – the government’s just setting incentives.
Because otherwise, you have the incentives set for the company involved not to care all that much, and the hackers out there to go do black hat stuff, things like ransomware and espionage.
I’d imagine that it’d also be possible for an insurance market for covering fines of this sort to show up and for them to develop and mandate their own best practices for customers.
The status quo for computer security is just horrendous, and as more data is logged and computers become increasingly present everywhere, the issue is only going to get worse. If not this, then something else really does need to change.
-
This just makes me glad I removed the starlink box from my outback the first month I got the car.
If anyone wants to do the same in my 2018 (most gen 5s should be the same) you remove the radio and the starlink box is inside it. Removing the box breaks your front speakers and microphone. A simple passive pigtail will fix the speakers, but the microphone needs power. I found a guy online who made the active adapter so it was purely plug and play.
To anyone who didn’t read the article and was confused like me, apparently starlink is Subaru’s remote car security feature.
Apparently they capitalize it, so the article author kinda screwed it up:
https://en.wikipedia.org/wiki/Starlink_(disambiguation)
STARLINK, a brand of automotive connectivity systems by Subaru
That wouldn’t help me tbh
