Modern cars are spying on you. Here's what you can do about it
(apnews.com)323 points by MilnerRoute 3 days ago
323 points by MilnerRoute 3 days ago
I opted to try the "beg the manufacturer to turn off the panopticon" approach[1]. The first time I got 2 hours of elevator music before hanging up, the second I went through 3 levels of customer support before they claimed it was done (3 days later). Might have to steal your approach to verify that though...
Have you posted any writeups or other information about how you built this? I'm eyeing a Mazda as a next car (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon), and telemetry seems like one of the few downsides to an otherwise good carmaker. Would be very interested to learn more!
> (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon)
I don't know much about automotive safety, but has much actually changed since 2014 in terms of safety standards? I had thought that by the 2010s, basically everyone big had already figured out how to build a relatively safe car from a structural standpoint. Or are you only talking about electronic assistive features, like proximity sensors or lane assist?
I see absolutely no reason not to completely unplug the cellular modem. The only thing that would stop me is an annoying error message or warning light in the gauge cluster. My car does not display any of these, but unplugging the modem results in losing the right speaker and microphone, unless a bypass harness is used.
The modem is usually in the sharkfin with the XM radio chipset and GPS. If you can unplug it at the sharkfin that's usually the best course of action. Some cars may bark at you, but mine just says it can't detect GPS if I attempt to use it (which I never use anyway).
Wouldn't it be better to connect resistive pigtails to the antenna connectors on the board? A little more work to get to, but less risk to damaging paint and weather seals, and would do a better job preventing signal leakage. I'm no expert on such things, but will definitely be looking at something like that for the next car I buy.
> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board
And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)
I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.
As anonymous as there are Miatas in your neighborhood parking in your driveway.
It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.
I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.
(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))
Oh man. Logging insane average speeds and ludicrous acceleration during rush hour. Deliciously tempting idea.
Draw the old twig and berries in gps coordinates in hundreds of random cities, with velocity between points carefully kept to regular traffic speeds every single day until they shut the modem off.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to
As I understand it, they're required to do that now if they want to sell in the EU. They emphatically do not want anyone tinkering with their cars.
They don’t want people modifying ADAS systems mostly, and the main requirement is SecOC, which is cryptographic authentication but the message is still plaintext. Basically they don’t want third party modifications able to randomly send the “steer left” message to the steering rack, for example.
The ADAS systems mandated in Europe are insanely intrusive. I had a few rental cars in Europe this summer and wanted to send them off a cliff. (and I'm not an auto tech luddite, I've had modern cars in the US with autopilot type systems, lane keep, blind spot warning, rear traffic assist radar, forward collision warning, etc. IMO rear traffic assist/FCW/AEB tend to work really well, autopilot pretty well, and lane keep and blind spot silly gimmicks at best).
Bring on the full self-driving cars, or let me drive my own car. This human-in-the-loop middle state is maddening. We're either supervising our "self-driving, but not really" cars, where the car does all of the work but we still have to be 100% aware and ready to "take over" the instant anything gets hard (which we know from studies is something humans are TERRIBLE at)... Or, we're actively _driving_ the car, but you're not really. The steering feel is going in and out as the car subtly corrects for you, so you can't trust your own human senses. Typically 40% brake pedal pressure gets you 40% brake pressure, unless you lift off the throttle and hop to the brakes quickly, in which case it decides when you apply 40% pedal pressure you actually want 80% brake pressure. Again, you can't trust your human senses. The same input gets different outputs depending on the foggy decisions of some computer. Add to that the beeping and ping-ponging and flashing lights in the cluster.
It's like clippy all over again. They've decided that, if one warning is good and helpful, constant alerts are MORE good and MORE helpful. Not a thought has been given to alert fatigue or the consequences of this mixed human-in-the-loop mode.
Yes, and to do that, CAN must be encrypted. The idea isn't just to secure it from hackers. The idea is to secure it from owners.
I integrated SecOC on some ECU's at work. I hate myself for it. I frigging hate what they're doing with this. I think it's going to make cars less repairable, less modifiable. It's a horrible horrible stupid initiative in the name of "cybersecurity".
Can't you just turn off "Connected Services" in the menu?
I have been canceling that stupid warning message it presents when leaving it off, every day for several years now.
Remove the antennas. Do not give in to the mirage of convenience.
Use a stand alone generic GPS. Vehicle GPS devices are anti privacy for so many reasons.
Listen to stored music from an SD card if terrestrial radio (NO SATELLITE). Did you know almost ALL late model cars can play a <128gb FAT32 USB drive with non- vbr mp3s? 64gb filled with 168kb mp3 audio would take roughly 3 years at 4 hours a day to listen to.
TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
Disable autonomous driving hardware by unplugging the cables from the interior cameras. If your car needs to see and feel you in order to do it's job, it's co-dependent; break up with it.
Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
> Did you know Orange dash error lights are non critical?
Your car will happily display an orange light while a bad fuel mixture is poisoning your catalytic converter to the point where it needs replacing to meet any kind of emissions test. Same with other signs of engine stress.
Don't ignore dash lights unless you know what they mean or you're willing to pay the cost of disposing of your car.
Of course many places won't even allow you to disconnect all the antennae as a non-functional TPMS makes your car unroadworthy in various jurisdictions. You could quickly reconnect everything and clear the error codes before testing, but I'm not sure if the hassle is even worth the illusion that of being untraceable.
>TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
All phones nowadays have bluetooth/wifi mac address randomization, so it's basically useless for tracking, not to mention google/apple conscripting every phone into a wardriving network will kill battery life. Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
And Flock Safety will gladly fingerprint the vehicles without said license plate, and distribute everyone’s location histories nationally.
See also (222 points, 19 comments, 14 days ago):
> Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
I agree with the first half, but not this. The difference between people seeing your license plate and your car/phone/etc systematically recording and storing your exact position is the same as the difference between someone on the street seeing my face vs. a facial recognition camera identifying me and storing that data point forever. People don't memorize or care about your plates. The police could take note of them or even put it on some record, but the number of cops is so low (and the number of cops that would care about my license plates is even lower) that whatever scraps of data are recorded would probably be pretty useless - and besides, that data isn't sold off to private entities, at least where I am.
> All phones nowadays have bluetooth/wifi mac address randomization
Source?
> Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
"Tire pressure low" is one you should probably check out on a regular basis.
Yeah that's terrible advice. Learning to ignore safety warnings is an amazing way to wind up stranded or with a destroyed car because you decided to ignore a warning light
The first 100yr of automobiles didn't have TPMS and it was mostly fine.
Yeah that’s great if you’re a CIA intelligence officer but what normal person can do this and still function in the modern world? Do the people who say this stuff leave their homes regularly?
And what’s the benefit of it all? Fewer targeted ads?
Leverage over your insurance provider sound good to you?
I am not sure how that works. I guessed I missed the technoparanoid discount.
But I would value the time and inconvenience involved in this at more than my entire insurance bill.
> Do the people who say this stuff leave their homes regularly?
Nope.
I like the rest of the comment, but...
>Did you know Orange dash error lights are non critical?
That's not even remotely true for most cars. One of the most critical alarms you can get in a car is a flashing check engine light, which are usually orange.
>Do not give in to the mirage of convenience.
I sympathise. However, being able to start de-icing my car while still in bed at 5:30 on a January morning is a powerful feature. And I'm the kind of person who wraps his tin foil hat no less than 10 layers thick.
Ideally this shouldn't involve the internet, because the car is in wifi range, but what can I do about it?
People are suggesting all over these threads what we can do about it, but we (as a population) aren't. When my 2009 car dies, I'm going to deliberately NOT buy a new trackingmobile, and try to find another 2009 car to keep running. Yea, that means I occasionally need to take 30 seconds to scrape ice off the windshield. Big deal.
> To prevent auto theft, all cars will be tracked and all parts must match serial numbers.
Well, I suppose that's one way to end third party repairs. Just refuse to turn on if the chip in the new part doesn't match up with a code in the ECU. Like printer ink, but for every major component.
'Error, cannot start engine: Authorised mirror not found. Please visit BMW for an authentic replacement. Driving with non-authentic mirrors may harm user safety.'
Ok stop with the panicking.
What's wrong with GPS in vehicles? If it's not connected to the internet, there is no issue.
What's wrong with playing music from the phone on Bluetooth or Aux? Did you also know you can ride a horse instead of a car?
Bluetooth and WiFi isn't running if you turned them off. Bluetooth also isn't really used for tracking unless someone is looking for you or you're part of some service like AirTags.
> Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
What? Worse advice out there regarding cars.
If it's not connected to the internet, there is no issue.
It's connected to the Internet. Every car has a SIM card now.
I won't mince words. This is criminal and should be dealt with that way. It is obvious I don't want my information collected and sold. I make it clear every reasonable chance I get. This goes beyond abuse of my privacy, this is digital assault and the company officers that allowed these 'features' should be thrown in jail for it.
Disabling the hardware can be really hard, my 2025 Toyota Sienna is always connected. You can't just pull a fuse or rip out an antenna, I have to take the entire dashboard apart to reach the Data Communication Module (DCM) module. If anyone's curious what that looks like, it's a little bit easier on the Toyota Tacoma, here are some pictures of the process: https://www.tacoma4g.com/forum/threads/disabling-dcm-telemat...
It's complex enough that I haven't done it yet in my Sienna, but I plan to!
On a 2021 Camry there is an below-dash fuse labeled "DCM" which you can remove (and it does disable OnStar/telemetry, but not sat.radio[0]) — it also disables one of the speakers (used for phone calls), which there is a bypass to resolve (but it still requires removing infotainment, so at that point just unplug it there.?!).
[0] It was my understanding that, like GPS-receivers, Sirius/XM was one-way streaming, only..?
There are GPS antennas that land on that DCM and the data from that is forwarded over carplay/android auto. Phones fall back to their onboard GPS but it's a much worse experience than we're accustomed to. If you share the car with someone expect complaints. Pulling the cell antenna(s) is the most elegant solution. People shouldn't be afraid of a little work.
I don't use cell phones but still this'll get me in the dashboard sooner than I had intended (never, before).
Hadn't really thought about the car broadcasting its bluetooth/RF . Is the SiriusXM traceable?
https://www.toyota.com/privacyvts/#:~:text=Declining,analysi... so you apparently have to opt-out of consenting to them tracking you...
as a professional diesel mechanic for a small chain of midwest shops, this "telematics" feature is on long-haul trucks as well as tractors (john deer is notorious for using it to send mail marketing about services.)
generally its not hard to disable.
- identify the telematics module in your car - pull the fuse (not always an option, sometimes this disables bluetooth)
- alternatively: identify the 1-2 SMC connectors on the telematics device. this is the LTE and low/alt channel for the cellular communications. disconnect these 1-2 connectors and connect the ports instead to a 50 ohm terminator. the vehicle will simply continue to collect data but never be able to send it anywhere. the system will assume it just cant find a tower.
The Toyota community has been far down that road with the DCM module in the new gen cars and found that the car still managed to get updates out to Toyota even with 50 ohm terminating resistors in the antenna connectors: https://www.tacomaworld.com/threads/simpler-solution-for-dis... (see the posts by user "Disgruntled Scientist").
Unfortunately simply cutting power to the telematics module also disables the in-car microphone for handfree calling. Fully disabling telematics involves making a bypass harness that re-routes the microphone and speaker signals past the disabled DCM module.
I tried this with a wifi setup on a car charger. I connected a 50-ohm dummy load in place of the antenna using the mmcx connector.
It didn't work - there was an on-module antenna that it switched to. Might not have worked as well, but it did work and the wifi access point still showed up.
On the other hand, some cars have a self-contained telematics module like you said and you can just unpower the whole thing.
I remember looking at a ford owners manual for a 2019. The fusebox section had a fuse with description "Telematics control unit - modem." I assume you can just pull that fuse.
IIRC, Massachusetts passed a right-to-repair law a few years ago. Based upon the text of the law, all new cars purchased there have the spying disabled because they did not want to give up their proprietary info.
There have been a lot of court cases about that law by the manufacturers, so I do not know the status at this point.
So I wonder if that is still the case. If it is and an out of state person buys new there, will that "spying" remain disabled when they bring the car home ?
Perhaps. But what if a person living in Massachusetts travels to another state?
I found this when looking into it more: https://arstechnica.com/cars/2023/06/feds-tell-automakers-no...
"Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone “could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently,” and that “open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking.”
Faced with this dilemma, it’s quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same."
I found the vehicleprivacyreport.com site awfully misleading. The "Vehicle Privacy Label" only lists what the manufacturer's current policies are, not what applies to my vehicle. It makes it seem like Toyota is somehow remotely collecting and sharings tons of information about my...2007 Prius. But this car came out in 2006, well before people assumed easy internet connectivity everywhere. Shy of having physical access to my vehicle, they can't read anything, but it's not easy to find that explanation on the site.
I have an electric car and if I want to remotely turn on charging, it won’t allow me unless the full data sharing option is enabled. Full data as in your driving data like a black box logger. I then have to go in the car, enable it, then I can remotely turn on charging. I have to remember to opt-out again later. Ironic I know because I can turn on charging from within the cabin without having to enable any of the data collection. What an inconvenient experience.
So you're telling me that simply walking out to the car and hitting a button inside the car is just too much of an "inconvenient experience"?
You know we used to have to drive the car... sometimes many miles... to a station, get out, and fill it up with a liquid fuel that costs many times more, and then drive home...
Seriously now- The perceived 'inconvenience' you have is the reason that so many of these connected features are being pushed and then the because the ability is there the business types can't resist the data gathering that became possible because of all the antennas, etc.
False equivalence: you're saying you want the convenience of remote access without the price the manufacturer is charging (full data collection)
What does "remotely turn on charging" mean? Doesn't charge when you plug in?
I went to Carvana to get some idea on what my car might be worth. I gave them the license plate, and it gave me a questionnaire about specific trim and options along with asking about the current mileage. I couldn't remember the exact figure so I guessed rounded to the thousand. The app complained and wouldn't take it as they knew the mileage which was some 150ish miles more. Apparently my car has reported the mileage last time I drive it, which has been about an hour before.
Carvana knew exactly how many miles I had driven within an hour of me driving my car.
For the same reason the IRS makes you fill out how much you made last year. They know—they know to the penny. But making you fill it out is a humiliation exercise so they can "catch you out" and intimidate you.
Well in the case of the IRS, that, and you know, Intuit.
I'd like to see a website that ranks vehicles by make and model. That would influence shopping behaviors, and consumers would influence manufacturer behaviors.
The only company that appear to be taking a different tack on this are https://www.slate.auto
Anyone know of any others?
I think it's wild that people spend their own money to surveil themselves every second they're near their car. Maybe I've seen too much lawyering on TV and in movies, but if I'm in a collision with you, I'm definitely asking the cops to pull the SD card from your dashcam.
Whenever I point out I think this self-surveillance is crazy, the response ends up sounding something like "oh, no big, if I think I did something wrong I'll just hide the evidence and lie to the police and say it doesn't work", which sure doesn't sit right with me.
Why do you think potentially self-incriminating self-surveillance is "crazy" when you also think lying to the cops and other involved parties about what happened is bad? If you believe it's important to tell the truth in these situations, you should have no problem providing your own recordings of a collision, regardless of who is at fault.
Or is your point just about the cost of the dashcam being "crazy"? In that case, hypothetically, what if your insurance company cut you a check to buy a dashcam of your own choice and install it on your car?
If you believe you are at fault in a collision where police, insurance, etc. are involved, they are going to ask for your statement, and at that point you will be forced to choose between lying or admitting fault. If you're glad that no dashcam footage exists, presumably you are going to lie about what happened! I don't see why this is any different than popping the SD card out of your dashcam and lying about that too—you're still lying, and for the same reason: to evade responsibility for a collision you caused.
Nothing you can realistically do about it. In America car ownership for most people is mandatory. It’s unfortunate we don’t have alternatives if you disagree with car manufacturers extra “features”.
On the other hand, it is not mandatory to vote for politicians who continue to make our cities car centric.
You are not doing anything wrong if you are forced into buying a car due to the circumstances of your living. But voting to continue that makes your culpable.
So your plan would be to get rid of cars? Wow it's almost like government regulation imposed to dissuade people from free travel via personal automobiles through a thorough enshitification is working in the direction of their intent.
You mean they're actually asking for 15 minute cities? Yes sir, they are. Very good.
Well it's not free, we pay a lot of money to subsidize the highways and roads. If you like your highways and roads and want that freedom, what's better than having fewer cars on the road? That's one of the things that diverting some public funds from highways to other transportation options helps achieve. For those who could get to work or perhaps get to the grocery store by walking, biking, hopping on a bus, or taking a tram/street car that's cars off the road to make your life better.
It’s not a good alternative though because it puts you into a losing competition with the manufacturers. Take out the cellular modem? Next one requires connectivity to drive the car and so forth.
You could “ban” it, but the amount of effort required to raise public awareness for that and actually have our dickhead representatives due things like that is basically the same amount of effort, perhaps more, as building better cities and transportation modes.
We build and subsidize highways, we could do the same with other methods of transportation and have competition instead of big gubmint cars.
In many parts of the US, individual vehicles are the only viable mode of transportation. In fact, even in the NYC metro area, a car is pretty much indispensable, unless maybe you live in Manhattan and only rely on home delivery for groceries and the like. If you ever want to do anything outside of the city, you need a car.
I wonder what the extremely rich do to get a car that isn’t a security risk? I’ve heard you can throw money at high end car dealerships to disable spying, but I wonder what the internal process is.
I some months back called every independent EV mechanic I could find a listing for in my state to see if they would help me disable the cellular modem of any of the models I was interested in buying, and they mostly told me either that they couldn't or wouldn't. One of the more polite shops I got in touch with explained that many models don't have a separate board that can be disabled anymore, or otherwise have more things on the board that need to be talking on the CAN bus for other, actually important parts of the car to function. As such, I still have my old car.
Since then, I've learned about the 50ohm dummy antennas you can buy. I might try that if my car dies before an AWD/4WD Slate truck becomes an option, and also if my living situation can accommodate charging.
As far as I know, all modern Toyotas have discrete DCMs (data communication modules) that can be physically unplugged with limited side effects. The side effects are loss a speaker and hands-free microphone, but they be restored by means of a bypass harness. Simply unplugging the antennas does not seem to be enough in areas with good cellular coverage. I have seen the dummy load approach discussed on car forums but have no experience with it.
This will probably be a thing, but it's not clear that folks are cognizant of the risks yet.
Is there anything we can do about it short of avoiding new cars? Our legislators have proven unwilling to pass real privacy laws.
Yes - remove the telematics radio and GPS antennas. They are usually in the overhead console area around/behind the lighting and mirror controls.
In BMWs, the gps antenna is behind the upper lights, the telematics and V2V antenna is in the sharkfin(unplug it from underneath the headliner)
Giving car companies your money (and then modifying your car) is still rewarding car companies for their bad behavior. We really need to stop buying new cars and somehow make it clear that telematics are the reason, but it's never going to happen. Not enough people care, and of those who care, not enough of them care enough to stop buying these cars.
Consent and convenience. When I use google maps, I am trading my privacy for accurate directions and traffic times. When I buy a car that sells my location, and I get nothing in return, I feel like the deal is inequitable.
OsmAnd works fine in Android Auto with WiFi and mobile data turned off. Sygic does too. I believe TomTom also sells navigation apps that will work fine under these conditions.
I use Android Auto mostly because I don't trust manufacturers of car components to maintain their software and to put more than bargain bin SoCs in their infotainment consoles. There's no need for your Android phone to have a connection to the outside world if all you're using it for is locally installed apps.
In some seem to be in the fin antenna:
Maybe there is a way to pollute the data? At least it makes data cleaning more expensive.
I've never had a driver's licence, lived in a zillion countries; don't think I could do that in America though.
Over half of New York City households are car-free. That jumps to 3/4 in Manhattan.
Millions of American households don’t have a car, but you rarely hear about it as a viable option.
Moving to the EU becomes a more appealing option every day.
This is false, https://news.ycombinator.com/item?id=46063166
The Chat Control problem isn't nearly as final as some news sources try to brand it. They were running up against deadlines and submitted their work knowing statistically their proposal would get shot down based on existing voting rounds.
I, too, would rather see this bullshit die in committee before reaching the next stage, but this bullshit can still be stopped.
In the EU, eCall is mandatory and disabling it fails most roadworthiness checks and voids most insurance policies, so it doesn't help much.
Also, while the EU does (for now) have stronger privacy protections for citizens against corporate interests, the opposite is true in most EU countries for Government surveillance.
eCall has very strong privacy protections, see Article 6: https://eur-lex.europa.eu/eli/reg/2015/758/oj
This crap is being done because of EU rules. It's "for your protection." The vehicles are being secured from you.
https://www.coro.net/blog/what-new-eu-cybersecurity-rules-me...
https://www.dw.com/en/new-eu-cybersecurity-rules-push-carmak...
There is spying and there is spying
Back in august IDF banned Chinese cars from entering bases
https://www.jns.org/report-idf-bans-chinese-cars-from-bases-...
And now banned then from used by officers
https://securityboulevard.com/2025/11/why-israel-just-banned...
I wonder what IDF knows
Tesla cars to be banned from Chinese government buildings amid security fears.
I wonder what China knows :)
https://www.drive.com.au/news/tesla-vehicles-to-face-entry-b...
I thought about getting a traditional navigator to avoid even relying on phone navigation.
Well, of course all the Garmins and Tomtoms available now have "built-in wifi for updates" and often BT for phone notifications too. Sure, I could just not configure either but what if I want a navigator _without any radios_ and with controlled updates via SD card.
Maybe a dedicated Android phone in the car with offline OpenStreetMaps installed and airplane mode on is more realistic. Or some old 2nd hand navi that's still updateable.
The CCC had a nice talk last year about the data VW collects and what can be learned from it (all the data was unencrypted accessible): https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-vo...
(unfortunately it's in German - but there is an english live translation available)
How do you write an article about this and not mention the GDPR or EU privacy laws?
>"It’s hard to figure out exactly how much data a modern car is collecting on you"
You are a globally operating news agency. You can absolutely get some GDPR requests in and look at it. What kind of reporting is this? "We don"t know, but we also have not tried the one way which forces companies to answer this question".
BMW is a German company, just ask them for the information they have on you and they are forced to give it to you.
Mozilla's concentrated efforts took a while, they're right that it's hard to figure out exactly what car manufacturers are doing. Unless you're willing to sue a bunch of them, plain GDPR requests won't be enough to get this information. Companies will happily lie or declare information collected as "non-personal" or "trade secrets" and if they're smart enough about the way they process their data they can probably convince a judge that the end result isn't personal enough that exposing their trade secrets weighs up against the GDPR.
There's no way even a large news corporation is going to buy every model car from every brand that comes out in a year to get the legal rights to demand data, let alone pursue these data requests in court. Renting cars may be easier, but then your contract is with the rental company and they're responsible for getting you the information you require, and after the first three PII requests you're not going to be renting from them any time soon.
I'm not saying they couldn't do a deeper dive with more detailed research, but it's not an easy task to evaluate an industry like this. All they'll be able to produce is general statements about a limited set of car models that'll quickly be outdated once the next software update comes out.
> I would absolutely trust my family's lives in any year 2000+ vehicle.
I work partly in prehospital emergency medicine and I wouldn't.
I already feel uneasy with our 2017 EuroNCAP 5 star SUV due to the improvements since then, in particular AEB and increased structural crash-protection, which greatly change the injury profiles of accidents.
Airbag and crumple zone safety requirements for crashes that aren't head-on are much more recent than the 2000s. Many car makers designed their cars to pass those, but will leave you dead or worse if you get T-boned.
ABS wasn't even a requirement in the EU until 2004, and American cars could be sold without ABS all the way until 2012, when traction control was also made mandatory (which the EU then also followed).
Things like the slightly-angled side pole crash test was only added to the Euro NCAP in 2015 and was updated five years later to make it a bit more realistic, though cars still woefully fail in many real-life scenarios.
I wouldn't really consider a car "safe" unless it passes the ~2015 requirements for car safety well. A well-designed car full of optional safety features from the ~2010s is probably also safe, but I wouldn't count on it unless you've done research into it.
I believe Volvo has had a reputation of being ahead of the curve with these kinds of crash safety tests, but even they had to improve over time.
Interestingly I can't get ChatGPT to help me find a video showing me how to disable the cellular modem on my Subaru 2024 Crosstrek. Time to do some old-fashioned research, I guess...
https://chatgpt.com/share/692cde57-0930-800e-b45f-7a41ca5c8e...
I ripped the wifi / onstar and gps antennas out of my 2020 Chevy Bolt the day after I bought it. Took me a couple of hours since the access was awful, but that's one time pain. No issues since, and I have a phone I use to drive the head unit so there was no need for those antennas to even exist.
I tried this once.
I got a tesla home charger and it had a unnecessary wifi AP that kept showing up in my house. So I figured, I would stop this.
Opened it up, and disconnected the wifi antenna mmcx connector.
Nope, seemed when unplugged, it would switch to an onboard antenna for the wifi module.
so I reconnected a dummy load antenna to the wifi module.
and it still used the onboard antenna.
at that point, I gave up.
I think there might have been a possibility of downgrading the firmware to an older version that could disable wifi, but I didn't try to find it.
I believe this kind of thing happens with onboard cellular, wifi and bt. They are more resilient to degraded or disconnected antennas than you think.
The problem is a lot of the features of these cars require you to opt into giving your privacy away. And when you’re shopping it’s not clear where that line is.
A 2013 Chevy Volt has a camera on the dashboard pointed at the driver. The entertainment dashboard has a dozen communication options, including those for safety? Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized? Was it automakers emboldened by the acceptance of cell phone central record keeping?
"Safety" is a magic word like "god" was a thousand years ago. If you say it just right you can manufacture an excuse to do all sorts of stuff that'll clearly lead to bad stuff if left to run.
They undoubtably said things like "if it saves even one person from falling asleep at the wheel it's worth it" or something along those lines.
this is still a technology advancement... what if smartphone usage or asleep safely stops the car? what if this run locally? or what if it's linked to public entities that will add penalty points to your license?
as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
>as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
What a great illustration of the sort of selfish opinions that people like to peddle under the guise of perceived common good.
Are you willing to have your bike brakes linked up with GPS and red light signals? It's in the name of safety and progress after all.
nothing. And banning ALPR wont fix anything either. All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system. you don't even need a camera, just a radio receiver.
> All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system.
Mine doesn't.
do you have some sort of indirect tire pressure checking like wheel speed?
No, I have a tyre pressure gauge. Every so often I check the tyre pressures and maybe stick a bit more in if it needs it.
Some VWs used to use wheel speed, though, which was fun because they added tyre pressure checking with a software upgrade. Not terribly accurate, but enough to tell you if one was low.
> banning ALPR wont fix anything either.
Ideally the implementation would be immaterial to a ban. The ban (or more likely first, warrant requirement similar to cell data) would be on the tracking database, not the details of how the tracking was accomplished.
TPMS is over the air, each sesnor has a 32 bit unique ID. you have 4 per car... its easy to identify
Depends on the TPMS implementation to be honest. Most of the UHF ones are impossible to receive unless you're using some optimally placed/pretty powerful equipment. Even then, the protocol is entirely up to the vendor, as long as the system is reliable.
My car is old enough that it doesn't have TPMS sensors but I have looked into third party ones. It looks like there's all kinds of systems, from custom UHF to Bluetooth LE. No idea what your car uses.
It's rather surprising/disappointing that "advice" like this makes no mention of how the automobile gains internet access
Does it (a) have it's own SIM card, (b) piggyback on driver/passenger/other vehicle SIM cards, (c) opportunistically connect to free wifi APs, etc.
Perhaps the surveillance data is only transmitted to the mothership when the automobile is being "serviced"
The automobile OS may be like the other corporate OS, e.g., iOS, iPadOS, Android, etc., in that there is no possible configuration or combination of user settings that does not allow data collection and surveillance for unlimited commercial purposes
My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.
The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.