▲My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.
The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.
wormslayer6662 hours ago
[-] I opted to try the "beg the manufacturer to turn off the panopticon" approach[1]. The first time I got 2 hours of elevator music before hanging up, the second I went through 3 levels of customer support before they claimed it was done (3 days later). Might have to steal your approach to verify that though...
[1] https://www.mazdausa.com/site/privacy-connectedservices
Have you posted any writeups or other information about how you built this? I'm eyeing a Mazda as a next car (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon), and telemetry seems like one of the few downsides to an otherwise good carmaker. Would be very interested to learn more!
reply▲I see absolutely no reason not to completely unplug the cellular modem. The only thing that would stop me is an annoying error message or warning light in the gauge cluster. My car does not display any of these, but unplugging the modem results in losing the right speaker and microphone, unless a bypass harness is used.
reply▲> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board
And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)
I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.
reply▲andrei_says_2 hours ago
[-] As anonymous as there are Miatas in your neighborhood parking in your driveway.
reply▲It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.
I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.
(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))
If you can be prosecuted for guessing urls you can be prosecuted for sending garbage data in a way you know will be uploaded to a remote system.
reply▲You think criminalizing guessing URLs is unreasonable.
What about guessing passwords? Should someone be prosecuted for just trying to bruteforce them until one works?
As a strictly logical assertion, I do not agree. Guessing URLs is crafting new types of interactions with a server. The built in surveillance uploader is still only accessing the server in the way it has already been explicitly authorized. Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.
As a pragmatic matter, I do completely understand where you're coming from (my second paragraph). In a sense, if one can get to the point of being convicted they have been kind of fortunate - it means they didn't kill themselves under the crushing pressure of a team of federal persecutors whose day job is making your life miserable.
monerozcash58 minutes ago
[-] >(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
If your goal is to deliberately "poison" their data as suggested before, it's kind of obvious that you are knowingly causing the transmission of information in an effort to intentionally cause damage to a protected computer without authorization to cause such damage.
>Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.
This has very little to do with the TOS though, unless the TOS specifically states that you are in fact allowed to deliberately damage their systems.
And no, causing damage to a computer does not refer to hackers turning computers into bombs. But rather specifically situations like this.
Any reasonable programmer (a peer) would say an unencrypted system that doesnt validate data is an unprotected system.
reply▲monerozcash2 hours ago
[-] Prosecuting someone for deliberately injecting garbage data into another persons system hardly seems totalitarian.
> You own the device, so anything you do within that device is authorized
You're very clearly describing a situation where at least some of the things you're doing aren't happening on your own device.
>I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law
FWIW this is simply not true. The essence of the CFAA is "do not deliberately do anything bad to computers that belong to other people".
The supreme court even recently tightened the definition of "unauthorized access" to ensure that you can't play silly games with terms of service and the CFAA. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf
My device. I generate whatever the fuck the data I want. If you log it, kiss my ass.
reply▲If you paid for a device it doesn't mean you have no rules set up on how you can operate it. I'm sure the is an EULA you agreed to.
As anecdote, while buying a new car I signed a statement that I'm not going to resell it to russia.
Sure, I have the same attitude when it comes to the government telling me that I'm not allowed to use drugs. Doesn't mean I'm in the clear from a legal point of view.
However, it's worth clarifying that the important detail isn't generating the data, but sending it. Particularly the clearly stated malicious intent of "poisoning" their data.
This seems like exactly what the lawmakers writing CFAA sought to criminalize, and is frankly much better justified than perhaps the bulk of things they tend to come up with.
>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Doesn't seem exactly unfair to me, even if facing federal charges over silly vandalism is perhaps a bit much. Of course, you'd realistically be facing a fine.
Could you argue the computer was unprotected? No encryption is wild.
reply▲Oh man. Logging insane average speeds and ludicrous acceleration during rush hour.
Deliciously tempting idea.
reply▲idiotsecant26 minutes ago
[-] Draw the old twig and berries in gps coordinates in hundreds of random cities, with velocity between points carefully kept to regular traffic speeds every single day until they shut the modem off.
reply▲A data scientist will simply filter out impossible data when conducting an analysis
reply▲GuinansEyebrows32 minutes ago
[-] you give a lot of credit to an industry poisoned by the profit motive
reply▲I fear the next version of Miata will be an encrypted CAN like most other cars have moved toAs I understand it, they're required to do that now if they want to sell in the EU. They emphatically do not want anyone tinkering with their cars.
reply▲They don’t want people modifying ADAS systems mostly, and the main requirement is SecOC, which is cryptographic authentication but the message is still plaintext. Basically they don’t want third party modifications able to randomly send the “steer left” message to the steering rack, for example.
reply▲The ADAS systems mandated in Europe are insanely intrusive. I had a few rental cars in Europe this summer and wanted to send them off a cliff. (and I'm not an auto tech luddite, I've had modern cars in the US with autopilot type systems, lane keep, blind spot warning, rear traffic assist radar, forward collision warning, etc. IMO rear traffic assist/FCW/AEB tend to work really well, autopilot pretty well, and lane keep and blind spot silly gimmicks at best).
Bring on the full self-driving cars, or let me drive my own car. This human-in-the-loop middle state is maddening. We're either supervising our "self-driving, but not really" cars, where the car does all of the work but we still have to be 100% aware and ready to "take over" the instant anything gets hard (which we know from studies is something humans are TERRIBLE at)... Or, we're actively _driving_ the car, but you're not really. The steering feel is going in and out as the car subtly corrects for you, so you can't trust your own human senses. Typically 40% brake pedal pressure gets you 40% brake pressure, unless you lift off the throttle and hop to the brakes quickly, in which case it decides when you apply 40% pedal pressure you actually want 80% brake pressure. Again, you can't trust your human senses. The same input gets different outputs depending on the foggy decisions of some computer. Add to that the beeping and ping-ponging and flashing lights in the cluster.
It's like clippy all over again. They've decided that, if one warning is good and helpful, constant alerts are MORE good and MORE helpful. Not a thought has been given to alert fatigue or the consequences of this mixed human-in-the-loop mode.
“Lane keep” yanks the wheel dangerously because it incorrectly detects the lane, or because you don’t indicate to pass a pothole on an empty road (which itself would be confusing to other road users)
Forward collision warning has misfired on 2 occasions on me in the last 3 years
The main issue is that so many cars have broken “auto dipping” headlights which don’t dip, or matrix headlights which don’t pick out other cars.
This automation shit should stop, but it won’t.
parking beepers are reasonable, they simply come on occasionally and don’t actually interfere when they go wrong. The rest of it just makes things far worse at scale.
> Forward collision warning has misfired on 2 occasions on me in the last 3 years
My Lexus is afraid of a bush behind my garage in the alley. It's on a neighbors property and not really overgrown, but my car refuses to get within about 5 ft of it. Makes backing out a nightmare. I haven't figured out a way to disable it, and have considered just selling this 2025 NX.
I integrated SecOC on some ECU's at work. I hate myself for it. I frigging hate what they're doing with this. I think it's going to make cars less repairable, less modifiable. It's a horrible horrible stupid initiative in the name of "cybersecurity".
reply▲I understand notionally where they were going, but it all sort of went off the deep end somewhere along the line. A concern that someone buying some "mileage blocker" or whatever other shady device off of AliExpress might be vulnerable to the device steering their car into a wall is actually quite a valid one, but of course the solution is some overcomplicated AUTOSAR nightmare that doesn't solve for key provisioning in a way to make modules replaceable.
reply▲RealityVoid36 minutes ago
[-] I have less trust in their good intentions. I think OEM's want to lock down their platforms in order to squeeze extra revenue streams. And I tend to be quite charitable with my interpretations.
As an aside, I checked out your GitHub. Cool projects, the vag flashing tool looks super useful, might actually give it a spin in sive development projects.
Yes, and to do that, CAN must be encrypted. The idea isn't just to secure it from hackers. The idea is to secure it from owners.
reply▲> SecOC, which is cryptographic authentication but the message is still plaintext
reply▲Oh, OK, that's better. I can see what my car is doing, I just can't do anything about it.
reply▲Remove the antennas. Do not give in to the mirage of convenience.
Use a stand alone generic GPS. Vehicle GPS devices are anti privacy for so many reasons.
Listen to stored music from an SD card if terrestrial radio (NO SATELLITE). Did you know almost ALL late model cars can play a <128gb FAT32 USB drive with non- vbr mp3s? 64gb filled with 168kb mp3 audio would take roughly 3 years at 4 hours a day to listen to.
TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
Disable autonomous driving hardware by unplugging the cables from the interior cameras. If your car needs to see and feel you in order to do it's job, it's co-dependent; break up with it.
Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
> Did you know Orange dash error lights are non critical?
Your car will happily display an orange light while a bad fuel mixture is poisoning your catalytic converter to the point where it needs replacing to meet any kind of emissions test. Same with other signs of engine stress.
Don't ignore dash lights unless you know what they mean or you're willing to pay the cost of disposing of your car.
Of course many places won't even allow you to disconnect all the antennae as a non-functional TPMS makes your car unroadworthy in various jurisdictions. You could quickly reconnect everything and clear the error codes before testing, but I'm not sure if the hassle is even worth the illusion that of being untraceable.
>TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
All phones nowadays have bluetooth/wifi mac address randomization, so it's basically useless for tracking, not to mention google/apple conscripting every phone into a wardriving network will kill battery life. Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
galleywest2005 hours ago
[-] > Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
"Tire pressure low" is one you should probably check out on a regular basis.
But in exchange for being tracked we've been saved from the scourge of occasionally checking our tire pressure. Why, I'd give up almost anything just to be slightly more comfortable.
reply▲it may be better to code out TPMS anyways. I had a BMW that wouldn't allow you to enter Sport/Sport+ when TPMS light was on, what a drag.
reply▲Yeah that's terrible advice. Learning to ignore safety warnings is an amazing way to wind up stranded or with a destroyed car because you decided to ignore a warning light
reply▲potato37328425 hours ago
[-] The first 100yr of automobiles didn't have TPMS and it was mostly fine.
reply▲I mean if you consider that death rate per mile driven 'mostly fine'
reply▲Check your tire pressures when you get gas, along with your oil and other fluid levels. Eyeball the tires every time you get in the car. These habits are not hard to develop and they will work even when the sensors malfunction (which is not infrequently).
All that these sensor-based systems do is train you to be an inattentive car owner.
Many modern cars have no way to manually check oil or any fluid levels. Only way is to check the reading from the sensor via main screen.
reply▲Throughout my entire life, I don't know if I have ever seen anyone measuring their tire pressure or checking their oil at a gas station. Visually assessing tires can be quite misleading as well - my TPMS indicator was just on, visually it looked like one tire (its pressure was fine), and the tire that was 10psi low looked normal.
Falling back to an attitude of not needing automation and instrumentation is a cope, and often a poor cope at that. The problem isn't the dash warning lights of the past several decades, it's the built in corporate surveillance hardware of the past single decade (and the corresponding violation of user trust in favor of corporate control).
I don't see it often either, but my government has been very active trying to get people to do bi-monthly tire pressure checks at the very least.
I don't think most people know how to do it, to be honest. Partially because people seem to think reading two pages in a manual is some kind of sisyphean task that no mortal should ever be cursed with.
It's pretty crazy how little people care. Even if you don't care about the safety aspect, keeping your tires inflated well saves you a ton on fuel and tire replacements.
Tire pressure management was one of the striking differences between my experiences in France and in the US.
In France, we'd check tire pressure at gas stations on nice machines that had built in dial gauges and were free.
In the US, I had to use one of those hand gauges and the air pumps needed quarters (in most cases, especially if you weren't also buying gas).
In Portugal now, the gas stations also have free air and pretty good pumps.
Checking oil at once universal full-service gas stations used to be extremely common. Think it pretty much went away in late-70s petroleum shortage in the US. With modern cars, it just doesn't make a lot of sense given any semblance of scheduled maintenance adherence.
I (again) have a low pressure warning on one tire (getting colder in the Northern Hemisphere). It looks fine but I'll get my compressor out tomorrow and make the computer happy. A lot of modern tires can look pretty good even if, as you say, they can be quite a bit below recommended limits.
mylifeandtimes2 hours ago
[-] maybe an age thing? When I was in high school I worked at a gas station where we would pump the gas for customers at the "full service" lane and also check their oil. The game was to upsell people an oil change. Point is, everyone saw people getting their oil checked every time they filled the tank.
And checking tire pressure was a 1x/week thing.
>Falling back to an attitude of not needing automation and instrumentation is a cope, and often a poor cope at that.
A lot of modern automation is not really automation. A washing machine is automation: it takes a task which would have wasted hours of your day and reduces it down to a few minutes. A lot of modern "automation" doesn't save you any actual time time, but just saves you from being attentive:
- Checking your tire pressure doesn't take much time, but TPMS is a privacy problem and an added maintenance cost that you cannot opt out of.
- A power rear lift gate actually takes _more_ time than just shutting it with your hands.
- Power windows don't go down any more quickly than power windows. The only only benefit here is that you can open all 4 windows simultaneously. However this is a luxury, not something which saves you time. You never _need_ all 4 windows down. So maybe people like it, but it's not like the washing machine that actually saves you labor.
- etc ....
People think that needed to do or attend to anything is wasting time, but often modern automation saves no time whatsoever, and has other downsides. (privacy, maintenance cost, vehicle weight, etc.)
You don’t see people checking tire pressures where you live?
reply▲Frankly? I do. Remote alcohol and drugs from the equation, and driving is an absurdly safe activity. Those intrusive features have very little to do with safety.
reply▲> Remove the antennas. Do not give in to the mirage of convenience.
ERROR: unable to start engine.
Please drink a verification can.
Actually I wonder if cars will just adopt "oh-you-need-anti-theft" like phones do. To prevent auto theft, all cars will be tracked and all parts must match serial numbers.
>Do not give in to the mirage of convenience.
I sympathise. However, being able to start de-icing my car while still in bed at 5:30 on a January morning is a powerful feature. And I'm the kind of person who wraps his tin foil hat no less than 10 layers thick.
Ideally this shouldn't involve the internet, because the car is in wifi range, but what can I do about it?
I have this with my keyfob.
later vehicles "helpfully" removed this in favor of online remote starting (with added telematics)
People are suggesting all over these threads what we can do about it, but we (as a population) aren't. When my 2009 car dies, I'm going to deliberately NOT buy a new trackingmobile, and try to find another 2009 car to keep running. Yea, that means I occasionally need to take 30 seconds to scrape ice off the windshield. Big deal.
reply▲Why 2009? I've been driving the same 2003 Audi TT all my life, never failed me.
reply▲worldsavior5 hours ago
[-] Ok stop with the panicking.
What's wrong with GPS in vehicles? If it's not connected to the internet, there is no issue.
What's wrong with playing music from the phone on Bluetooth or Aux? Did you also know you can ride a horse instead of a car?
Bluetooth and WiFi isn't running if you turned them off. Bluetooth also isn't really used for tracking unless someone is looking for you or you're part of some service like AirTags.
> Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
What? Worse advice out there regarding cars.
If it's not connected to the internet, there is no issue.It's connected to the Internet. Every car has a SIM card now.
reply▲>It's connected to the Internet. Every car has a SIM card now.
Maybe every new car, but the average car is 13 years old, and the OP made no clarification on whether his advice was for only new cars, or for a 2015 econobox as well.
My car is older than that and came with an embedded SIM card. Quite a few navigation consoles had "live traffic updates" (often in trial format, but sometimes "lifetime") that basically consisted of 2G clients occasionally updating traffic data along planned routes. Not quite bottom of the line at the time, but also not uncommon at that point either. It's probably slightly worse than the dedicated satnav screens people were buying back when the car was new, although neither compares to what a smartphone will expose passively from just being inside of a moving car.
reply▲Probably the only good thing about this country shutting down the 2G and 3G networks now is all the spy devices that will go permanently offline.
reply▲On the one hand, they won't be able to communicate with the home base anymore. On the other hand, they'll light up the map like a Christmas tree if someone ever turns on a stingray in their vicinity.
reply▲Most people don't know, and will never know whether their car is connected to the internet, so it's better to assume it is unless you have specific information. The app or phone you connect to the car could also be a major exfil point of this data.
reply▲I won't mince words. This is criminal and should be dealt with that way. It is obvious I don't want my information collected and sold. I make it clear every reasonable chance I get. This goes beyond abuse of my privacy, this is digital assault and the company officers that allowed these 'features' should be thrown in jail for it.
reply▲Amazingly but perhaps not surprisingly, cars in the EU do similar amounts of spying on you, but the EU is silent. Car manufacturers pretty much run the EU.
reply▲as a professional diesel mechanic for a small chain of midwest shops, this "telematics" feature is on long-haul trucks as well as tractors (john deer is notorious for using it to send mail marketing about services.)
generally its not hard to disable.
- identify the telematics module in your car
- pull the fuse (not always an option, sometimes this disables bluetooth)
- alternatively: identify the 1-2 SMC connectors on the telematics device. this is the LTE and low/alt channel for the cellular communications. disconnect these 1-2 connectors and connect the ports instead to a 50 ohm terminator. the vehicle will simply continue to collect data but never be able to send it anywhere. the system will assume it just cant find a tower.
I tried this with a wifi setup on a car charger. I connected a 50-ohm dummy load in place of the antenna using the mmcx connector.
It didn't work - there was an on-module antenna that it switched to. Might not have worked as well, but it did work and the wifi access point still showed up.
On the other hand, some cars have a self-contained telematics module like you said and you can just unpower the whole thing.
I remember looking at a ford owners manual for a 2019. The fusebox section had a fuse with description "Telematics control unit - modem." I assume you can just pull that fuse.
I found the vehicleprivacyreport.com site awfully misleading. The "Vehicle Privacy Label" only lists what the manufacturer's current policies are, not what applies to my vehicle. It makes it seem like Toyota is somehow remotely collecting and sharings tons of information about my...2007 Prius. But this car came out in 2006, well before people assumed easy internet connectivity everywhere. Shy of having physical access to my vehicle, they can't read anything, but it's not easy to find that explanation on the site.
reply▲exhilaration5 hours ago
[-] Disabling the hardware can be really hard, my 2025 Toyota Sienna is always connected. You can't just pull a fuse or rip out an antenna, I have to take the entire dashboard apart to reach the Data Communication Module (DCM) module. If anyone's curious what that looks like, it's a little bit easier on the Toyota Tacoma, here are some pictures of the process:
https://www.tacoma4g.com/forum/threads/disabling-dcm-telemat...It's complex enough that I haven't done it yet in my Sienna, but I plan to!
ProllyInfamous4 hours ago
[-] On a 2021 Camry there is an below-dash fuse labeled "DCM" which you can remove (and it does disable OnStar/telemetry, but not sat.radio[0]) — it also disables one of the speakers (used for phone calls), which there is a bypass to resolve (but it still requires removing infotainment, so at that point just unplug it there.?!).
[0] It was my understanding that, like GPS-receivers, Sirius/XM was one-way streaming, only..?
There are GPS antennas that land on that DCM and the data from that is forwarded over carplay/android auto. Phones fall back to their onboard GPS but it's a much worse experience than we're accustomed to. If you share the car with someone expect complaints. Pulling the cell antenna(s) is the most elegant solution. People shouldn't be afraid of a little work.
reply▲I have an electric car and if I want to remotely turn on charging, it won’t allow me unless the full data sharing option is enabled. Full data as in your driving data like a black box logger. I then have to go in the car, enable it, then I can remotely turn on charging. I have to remember to opt-out again later. Ironic I know because I can turn on charging from within the cabin without having to enable any of the data collection. What an inconvenient experience.
reply▲mixmastamyk2 hours ago
[-] What does "remotely turn on charging" mean? Doesn't charge when you plug in?
reply▲There are a few options. You can plug it in your garage and charging can automatically begin due to a set schedule, like after midnight, or you can initiate it on demand using the cabin controls or using your iPhone as a remote.
reply▲blackjack_49 minutes ago
[-] I ripped the wifi / onstar and gps antennas out of my 2020 Chevy Bolt the day after I bought it. Took me a couple of hours since the access was awful, but that's one time pain. No issues since, and I have a phone I use to drive the head unit so there was no need for those antennas to even exist.
reply▲I tried this once.
I got a tesla home charger and it had a unnecessary wifi AP that kept showing up in my house. So I figured, I would stop this.
Opened it up, and disconnected the wifi antenna mmcx connector.
Nope, seemed when unplugged, it would switch to an onboard antenna for the wifi module.
so I reconnected a dummy load antenna to the wifi module.
and it still used the onboard antenna.
at that point, I gave up.
I think there might have been a possibility of downgrading the firmware to an older version that could disable wifi, but I didn't try to find it.
I believe this kind of thing happens with onboard cellular, wifi and bt. They are more resilient to degraded or disconnected antennas than you think.
I'd like to see a website that ranks vehicles by make and model. That would influence shopping behaviors, and consumers would influence manufacturer behaviors.
reply▲Nothing you can realistically do about it. In America car ownership for most people is mandatory. It’s unfortunate we don’t have alternatives if you disagree with car manufacturers extra “features”.
reply▲The alternative is to be aware of this abuse and unplug the cellular modem. It requires more or less effort depending on the car, but it can and should be done.
reply▲I think it's wild that people spend their own money to surveil themselves every second they're near their car. Maybe I've seen too much lawyering on TV and in movies, but if I'm in a collision with you, I'm definitely asking the cops to pull the SD card from your dashcam.
Whenever I point out I think this self-surveillance is crazy, the response ends up sounding something like "oh, no big, if I think I did something wrong I'll just hide the evidence and lie to the police and say it doesn't work", which sure doesn't sit right with me.
Why do you think potentially self-incriminating self-surveillance is "crazy" when you also think lying to the cops and other involved parties about what happened is bad? If you believe it's important to tell the truth in these situations, you should have no problem providing your own recordings of a collision, regardless of who is at fault.
Or is your point just about the cost of the dashcam being "crazy"? In that case, hypothetically, what if your insurance company cut you a check to buy a dashcam of your own choice and install it on your car?
I thought about getting a traditional navigator to avoid even relying on phone navigation.
Well, of course all the Garmins and Tomtoms available now have "built-in wifi for updates" and often BT for phone notifications too. Sure, I could just not configure either but what if I want a navigator _without any radios_ and with controlled updates via SD card.
Maybe a dedicated Android phone in the car with offline OpenStreetMaps installed and airplane mode on is more realistic. Or some old 2nd hand navi that's still updateable.
CommenterPerson33 minutes ago
[-] I use an older Garmin, purchased from ebay. Works fine, updated maps via a laptop recently. Needed an extra SD cards for space.
reply▲You could use a GrapheneOS phone without SIM and OSMand for that.
reply▲I wonder what the extremely rich do to get a car that isn’t a security risk? I’ve heard you can throw money at high end car dealerships to disable spying, but I wonder what the internal process is.
reply▲It's easier than that, you can remove the cellular modem. Dealers won't generally accept to make this mod, but any independent shop should be able to. There are also plenty of videos on YT to DIY.
reply▲mixmastamyk2 hours ago
[-] This will probably be a thing, but it's not clear that folks are cognizant of the risks yet.
reply▲I haven't heard this. Do you have any examples?
reply▲Not driving seems to have worked pretty well thus far.
reply▲Here is something else you can do about it. By an older low mileage car. If we all did that the manufacturers would change tack soon enough
reply▲I did do this, but I also want a reasonable modern and safe car and in the EU, since 2018, that means a car with eCall. I have a 2017 that I will keep going as long as is economical, but after that, it will be nearly impossible to avoid these systems.
reply▲The idea that a 20 year old car is unsafe is auto industry FUD. Yes, there have been great safety advances since the 1970s and 1980s. They've kind of tapered off though. I would absolutely trust my family's lives in any year 2000+ vehicle.
reply▲Airbag and crumple zone safety requirements for crashes that aren't head-on are much more recent than the 2000s. Many car makers designed their cars to pass those, but will leave you dead or worse if you get T-boned.
ABS wasn't even a requirement in the EU until 2004, and American cars could be sold without ABS all the way until 2012, when traction control was also made mandatory (which the EU then also followed).
Things like the slightly-angled side pole crash test was only added to the Euro NCAP in 2015 and was updated five years later to make it a bit more realistic, though cars still woefully fail in many real-life scenarios.
I wouldn't really consider a car "safe" unless it passes the ~2015 requirements for car safety well. A well-designed car full of optional safety features from the ~2010s is probably also safe, but I wouldn't count on it unless you've done research into it.
I believe Volvo has had a reputation of being ahead of the curve with these kinds of crash safety tests, but even they had to improve over time.
Of course, just because it wasn't a requirement to have ABS, doesn't mean your car doesn't have it...
reply▲closewith55 minutes ago
[-] > I would absolutely trust my family's lives in any year 2000+ vehicle.
I work partly in prehospital emergency medicine and I wouldn't.
I already feel uneasy with our 2017 EuroNCAP 5 star SUV due to the improvements since then, in particular AEB and increased structural crash-protection, which greatly change the injury profiles of accidents.
> The first thing drivers should do is be aware of what data their car is collecting
> You can opt out
lol
this makes it seem so simple.
I think
- you will never be aware of what data is collected - they want to collect more data and never disclose it
- you will never be able to opt-out. Even if you disconnect from cellular, at service time they will just download what is there.
- car manufacturers will use any and all data to their benefit
You know, here's an interesting story I remember reading:
I will give you a story - buddy owns a shop - buys new M5 - he went out joyriding - warped a rotor - he said it was not from him so he tried a warranty service - BMW printed a page that his car recorded. It had snapped a pic of his face and sent all the data on speed, location, etc every bit of data you can think of to the dealer and his insurance company. He sold the car. That was years ago. Ask any custom tuner today if they can touch a 22 BMW. Nope. It will disable the car if you try and get into the CPU to tune it. This is where the industry is heading
from: https://www.fordtremor.com/threads/disabling-the-modem-pulli...
It wouldn’t be surprising if cars also record audio of conversations to use for ad targeting. It has already been conclusively shown that TV companies have done this.
reply▲Cars, your TV, your phone, everything is fucking spying on you. At this moment I am more interested in how I generate a tsunami of more data about me to the powers that be to drown them in a deluge of irrelevant bits.
reply▲Yes, and that's very sad. However the solutions are pretty obvious:
Car -> unplug the cellular modem (more or less easy)
TV -> used as dumb monitor with a Linux HTPC
Phone -> GrapheneOS
PC -> Linux
Social media -> /dev/null
Email/DNS/cloud -> my own
The real issue is that most people are not aware of these issues and may even (unintentionally) compromise your own privacy by posting information or pictures of you to Facebook or other similar places.
Is all of this data collection from the driving aids actually us doing R&D for their autonomous car projects?
reply▲people participating as beta testers with no way to opt out is absolutely the norm now.
from video games to software to “self-driving” cars, we’re all unpaid beta testers for unfinished and often unsafe products.
The problem is that with Flock, you’re basically being tracked incessantly anyways, so who cares if the automaker also does it?
reply▲We need to resist this stuff or else there will be Flock, stalker cars, and some other new nightmare they excuse by saying “well we’re already watching…”. Can’t let ourselves accept this is normal!
reply▲daft_pink22 minutes ago
[-] How do you resist automated license plate readers? Not having license plates doesn't seem practical.
reply▲That's the slippery slope of shrugging your shoulders.
reply▲IIRC, Massachusetts passed a right-to-repair law a few years ago. Based upon the text of the law, all new cars purchased there have the spying disabled because they did not want to give up their proprietary info.
There have been a lot of court cases about that law by the manufacturers, so I do not know the status at this point.
So I wonder if that is still the case. If it is and an out of state person buys new there, will that "spying" remain disabled when they bring the car home ?
Theoretically, that should be a catch-22, right?
How would they know you're no longer in Massachusetts, without the spying enabled while within Massachusetts?
Because "spying" in this case means "sending data to the mothership."
It doesn't mean "the car's gps is disabled"
Perhaps. But what if a person living in Massachusetts travels to another state?
I found this when looking into it more: https://arstechnica.com/cars/2023/06/feds-tell-automakers-no...
"Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone “could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently,” and that “open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking.”
Faced with this dilemma, it’s quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same."
I went to Carvana to get some idea on what my car might be worth. I gave them the license plate, and it gave me a questionnaire about specific trim and options along with asking about the current mileage. I couldn't remember the exact figure so I guessed rounded to the thousand. The app complained and wouldn't take it as they knew the mileage which was some 150ish miles more. Apparently my car has reported the mileage last time I drive it, which has been about an hour before.
Carvana knew exactly how many miles I had driven within an hour of me driving my car.
So why did they have you fill in that field then?
reply▲Is there anything we can do about it short of avoiding new cars? Our legislators have proven unwilling to pass real privacy laws.
reply▲Yes - remove the telematics radio and GPS antennas. They are usually in the overhead console area around/behind the lighting and mirror controls.
In BMWs, the gps antenna is behind the upper lights, the telematics and V2V antenna is in the sharkfin(unplug it from underneath the headliner)
Giving car companies your money (and then modifying your car) is still rewarding car companies for their bad behavior. We really need to stop buying new cars and somehow make it clear that telematics are the reason, but it's never going to happen. Not enough people care, and of those who care, not enough of them care enough to stop buying these cars.
reply▲But what's the point if you're just going to use Android Auto or Apple's car-thing instead? You're just letting some other company invade your privacy.
reply▲Proofread05922 hours ago
[-] Consent and convenience. When I use google maps, I am trading my privacy for accurate directions and traffic times. When I buy a car that sells my location, and I get nothing in return, I feel like the deal is inequitable.
reply▲OsmAnd works fine in Android Auto with WiFi and mobile data turned off. Sygic does too. I believe TomTom also sells navigation apps that will work fine under these conditions.
I use Android Auto mostly because I don't trust manufacturers of car components to maintain their software and to put more than bargain bin SoCs in their infotainment consoles. There's no need for your Android phone to have a connection to the outside world if all you're using it for is locally installed apps.
Assuming things much? It's actually totally reasonable to opt out of both of those, too.
Then on the other hand, who cares about those when your car is already tracking you? /s That kind of helpless reasoning needs to die.
In my BYD Seal, I removed the SIM card that's easily accessible from inside the armrest compartment.
reply▲markus_zhang5 hours ago
[-] Maybe there is a way to pollute the data? At least it makes data cleaning more expensive.
reply▲Ride a bike.
reply▲I've never had a driver's licence, lived in a zillion countries; don't think I could do that in America though.
reply▲Over half of New York City households are car-free. That jumps to 3/4 in Manhattan.
Millions of American households don’t have a car, but you rarely hear about it as a viable option.
I would argue that even in NYC, having a car is necessary if you ever want to leave NYC (and you will want to).
reply▲Because as soon as you leave a major metropolitan area, not having a car is almost a nonstarter.
reply▲It's the same in Europe, but people pushing an agenda don't talk about that either.
reply▲The US takes this to an entirely different level.
In places like Vegas, even on days with great weather, trying to WALK 2-3km in residential areas is a nightmare.
Over 100 million people live in just the top 20 metro areas alone. It's hardly an edge case.
reply▲And _not_ living in one of the top 20 metro areas is also hardly an edge case.
reply▲And even in most of those metros (OK. Leave aside Manhattan), not having a car tends to imply a lot of lifestyle choices in terms of activities, visiting friends outside of the metro, etc.
There are certainly people who are OK with living like they did in their urban school for a few years after graduation. But that's not a long-term solution for most people.
calvinmorrison4 hours ago
[-] "the best public transit in the densest US city barely manages to reach 50% of car-free lifestyle" is what you're leaving out.
reply▲Not possible when things are 10+ mile apart and a general grocery run takes 3+ hours and you can't carry more than a backpack, so you have to do it multiple times a week.
reply▲The US is ripe for an e-bike revolution. The distances, the wide roads with plenty of room for bike lanes, and the revulsion against things like Flock...
Unfortunately it's as likely as this being the year of the Linux desktop because Windows 11.
throwaway20275 hours ago
[-] No. Enjoy the ride.
reply▲Defeatist and cowardly.
reply▲randallsquared2 hours ago
[-] Given that GP is accepting a level of additional risk which you profess not to be willing to accept, perhaps "cowardly" is not the correct adjective.
reply▲Moving to the EU becomes a more appealing option every day.
reply▲Greetz from Germany, we have Chat Control now even though we've been trying to reject it for at least 3 years.
Autocracy is just everywhere these days, Noah get the boat.
The Chat Control problem isn't nearly as final as some news sources try to brand it. They were running up against deadlines and submitted their work knowing statistically their proposal would get shot down based on existing voting rounds.
I, too, would rather see this bullshit die in committee before reaching the next stage, but this bullshit can still be stopped.
No panacea here! Better in some points. In general privacy. OTOH many things are not afvancing.
reply▲In the EU, eCall is mandatory and disabling it fails most roadworthiness checks and voids most insurance policies, so it doesn't help much.
Also, while the EU does (for now) have stronger privacy protections for citizens against corporate interests, the opposite is true in most EU countries for Government surveillance.
While eCall has some weak privacy protections (it's open to all the standard cellular network surveillance lawful in each country), it also means you cannot disable the vehicle's modem in most (maybe all) EU countries with failing roadworthiness checks and insurance policies.
reply▲eCall mustn't be active until an accident occurs. The lawful interception lobby tried hard to turn every car into a free data point they could sell to the government, but their efforts have failed.
Last I heard they've shifted their efforts to making remote activation of on-board cameras part of the 5/6G smart car bullshit (which will of course be part of road safety requirments not long after).
No, that's not correct. The eCall spec requires self-checks that include registering with the network on at least every ignition.
However, more importantly, it means you can't lawfully disable the modem that the manufacturer uses for its own telemetry.
constantcrying2 hours ago
[-] How do you write an article about this and not mention the GDPR or EU privacy laws?
>"It’s hard to figure out exactly how much data a modern car is collecting on you"
You are a globally operating news agency. You can absolutely get some GDPR requests in and look at it. What kind of reporting is this? "We don"t know, but we also have not tried the one way which forces companies to answer this question".
BMW is a German company, just ask them for the information they have on you and they are forced to give it to you.
Mozilla's concentrated efforts took a while, they're right that it's hard to figure out exactly what car manufacturers are doing. Unless you're willing to sue a bunch of them, plain GDPR requests won't be enough to get this information. Companies will happily lie or declare information collected as "non-personal" or "trade secrets" and if they're smart enough about the way they process their data they can probably convince a judge that the end result isn't personal enough that exposing their trade secrets weighs up against the GDPR.
There's no way even a large news corporation is going to buy every model car from every brand that comes out in a year to get the legal rights to demand data, let alone pursue these data requests in court. Renting cars may be easier, but then your contract is with the rental company and they're responsible for getting you the information you require, and after the first three PII requests you're not going to be renting from them any time soon.
I'm not saying they couldn't do a deeper dive with more detailed research, but it's not an easy task to evaluate an industry like this. All they'll be able to produce is general statements about a limited set of car models that'll quickly be outdated once the next software update comes out.
No doubt about this one. But, how much are the ubiquitous ride-for-hire e-scooters spying on you, and everyone else on the street?
reply▲reply▲The even worse part of Flock isn't that they cooperate with the government, it's that there is(or was) basically no security in the service. Cops from one state can/could use flock services from other states. A few cops got caught stalking via Flock.
Flock takes the "do nothing until forced to" mentality.
Enough to make sure the kids won't undercut the cartel this time around.
reply▲AtlasBarfed5 hours ago
[-] It's where we are. Everything everywhere is collecting data and spying.
If it exists in a database, then the government has access to that database if it ever wants to legally or otherwise. It's been like that since 9:11 and probably before.
All we need now is for the right person to walk in and turn the key. We're lucky that Donald Trump is probably too stupid to understand what he's got under his thumb.
He's a useful president surrounded by smarter people who will figure out ways to use this data rather than sit around tweeting all day.
reply▲A 2013 Chevy Volt has a camera on the dashboard pointed at the driver. The entertainment dashboard has a dozen communication options, including those for safety? Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized? Was it automakers emboldened by the acceptance of cell phone central record keeping?
reply▲potato37328425 hours ago
[-] "Safety" is a magic word like "god" was a thousand years ago. If you say it just right you can manufacture an excuse to do all sorts of stuff that'll clearly lead to bad stuff if left to run.
They undoubtably said things like "if it saves even one person from falling asleep at the wheel it's worth it" or something along those lines.
this is still a technology advancement... what if smartphone usage or asleep safely stops the car? what if this run locally? or what if it's linked to public entities that will add penalty points to your license?
as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
potato37328424 hours ago
[-] >as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
What a great illustration of the sort of selfish opinions that people like to peddle under the guise of perceived common good.
Are you willing to have your bike brakes linked up with GPS and red light signals? It's in the name of safety and progress after all.
in a city that doesn't produce even 1/25 of microplastic thousand kilos vehicles produce? because that also has an impact on marine ecosystems, by the way, cars are linked as one of the highest if not the, pollutants of microplastic. in a city that doesn't have air pollution linked towards a bunch of disease? in a city that doesn't have noise pollution that also has a bazinga of negative impact?
are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation? or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch? or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
edit: i would even go further and hope personal vehicles production is ceased and their circulation becomes a crime for citizens on non-legal or non essential services duties. i would live perfectly fine in a city without those but who controls the speed of my bicycle on cycle paths or that lock my brakes if i try to cycle high
You didn't answer his question: Would you be willing to have your bicycle brakes linked up with GPS and red light signals? Or loaded down with sensors monitoring and correcting your bicycling activity for your own safety?
reply▲Even just cycle number plates.
reply▲> are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation? or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch? or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
An excellent demonstration of "cyclebrain syndrome", the urban twin to suburbia's "carbrain syndrome".
> are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation?
Translation: I am aware of cyclists' ubiquitous poor behavior on the roads but will reach for any justification to shift responsibility to someone else. "Drivers wouldn't be running red lights if you just added a couple more lanes, bro."
> or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch?
Translation: And when cyclists' poor behavior causes a fatal collision with a car, nobody cares about the damaged property. Or the mental anguish, or the collisions caused by narrowly avoiding killing an errant cyclist (who survives, oblivious, thanks to the driver's quick action choosing a more costly crash over a "mild scratch" that kills the cyclist).
> or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
Translation: I don't give a shit about killing/injuring pedestrians any more than car drivers do. I only care about collisions with things that are about the size of my vehicle or bigger. And if those other things are bigger than my vehicle--I want them banned! That way I reduce the risk to me, which is what I really care about, and who cares what happens to anything smaller than me?
the_sleaze_2 hours ago
[-] I don't totally disagree.
The USA was designed by Ford motor company, for cars, by cars. That was a mistake.
> Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized?
[laughs in unhinged zealot]
SilverElfin5 hours ago
[-] The problem is a lot of the features of these cars require you to opt into giving your privacy away. And when you’re shopping it’s not clear where that line is.
reply▲calvinmorrison4 hours ago
[-] nothing. And banning ALPR wont fix anything either. All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system. you don't even need a camera, just a radio receiver.
reply▲Checked how to receive those with SDR. Turns out they are very low power and you need to basically touch the tire. Also the transmit in minute intervals. Bit exactly a a smoking gun in terms of mass surveillance.
reply▲TPMS doesn't need to be unencrypted like that, although many car manufacturers do like to save a buck.
If you get a car old enough, you won't need to worry about TPMS (but that car will not have been tested against recent crash test scenarios).
TPMS is over the air, each sesnor has a 32 bit unique ID. you have 4 per car... its easy to identify
reply▲> banning ALPR wont fix anything either.
Ideally the implementation would be immaterial to a ban. The ban (or more likely first, warrant requirement similar to cell data) would be on the tracking database, not the details of how the tracking was accomplished.
ErroneousBosh2 hours ago
[-] > All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system.
Mine doesn't.
do you have some sort of indirect tire pressure checking like wheel speed?
reply▲so ya!
My house is fairly close((125') to a rural "highway", and only internet here is mobile data that my phone shares with other devices and mornings(anytime) my older desktop with 2.5 ghz wifi gets bumped off with the passing of every car that has glaring supper white headlights,but, not the ones running yellow incandecents, whatever rf signal is comming of these things must be barely, or completly illegal, and could obviously be tracked in any number of ways, so not so much bieng spied on, as just flat out trasmitting everything you do in ridiculously fine grained detail.
thepasswordapp5 hours ago
[-] The car data collection story is concerning, but it's part of a broader pattern: credentials and personal data are scattered across dozens of services we interact with daily.
The automotive example shows how even "non-tech" products now collect and transmit data. Each service creates another attack surface, another set of credentials to manage, another potential breach vector.
What's frustrating is that breach response still falls on individuals. When one of these services gets compromised, it's users who have to scramble to change passwords across potentially hundreds of connected accounts. The "change your password" advice is good but wildly impractical at scale.
I worked on the data platform at a smaller car co, and there were tight controls around getting access to precise geo data, and there were strong privacy advocates at higher levels. Wasn’t a perfect system, but “spying” would be far from what I saw
reply