Comment by emidln 3 days ago

96 replies

My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.

The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap ARM Linux board and a CAN transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to Faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.

I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.

wormslayer666 3 days ago

I opted to try the "beg the manufacturer to turn off the panopticon" approach[1]. The first time I got 2 hours of elevator music before hanging up, the second I went through 3 levels of customer support before they claimed it was done (3 days later). Might have to steal your approach to verify that though...

[1] https://www.mazdausa.com/site/privacy-connectedservices

nja 3 days ago

Have you posted any writeups or other information about how you built this? I'm eyeing a Mazda as a next car (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon), and telemetry seems like one of the few downsides to an otherwise good carmaker. Would be very interested to learn more!

  • tavavex 2 days ago

    > (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon)

    I don't know much about automotive safety, but has much actually changed since 2014 in terms of safety standards? I had thought that by the 2010s, basically everyone big had already figured out how to build a relatively safe car from a structural standpoint. Or are you only talking about electronic assistive features, like proximity sensors or lane assist?

drnick1 3 days ago

I see absolutely no reason not to completely unplug the cellular modem. The only thing that would stop me is an annoying error message or warning light in the gauge cluster. My car does not display any of these, but unplugging the modem results in losing the right speaker and microphone, unless a bypass harness is used.

  • vitaflo 3 days ago

    The modem is usually in the sharkfin with the XM radio chipset and GPS. If you can unplug it at the sharkfin that's usually the best course of action. Some cars may bark at you, but mine just says it can't detect GPS if I attempt to use it (which I never use anyway).

    • MrDrMcCoy 3 days ago

      Wouldn't it be better to connect resistive pigtails to the antenna connectors on the board? A little more work to get to, but less risk to damaging paint and weather seals, and would do a better job preventing signal leakage. I'm no expert on such things, but will definitely be looking at something like that for the next car I buy.

      • vitaflo a day ago

        Not sure what you mean, the antennas are on the sharkfin board and you get to it from under the headliner not from the top of the car. It's much easier just to disconnect the cable that goes to the sharkfin than actually removing the entire module in the sharkfin.

        • MrDrMcCoy 21 hours ago

          Ah, didn't know there was a board in there or that there was a way to get to it from the cabin.

M95D 3 days ago

> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap ARM Linux board

And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)

  • emidln 3 days ago

    I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.

    • andrei_says_ 3 days ago

      As anonymous as there are Miatas in your neighborhood parking in your driveway.

    • mindslight 3 days ago

      It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.

      I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with the current overtly pay-to-play regime. But just saying.

      (Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))

      • emidln 3 days ago

        If you can be prosecuted for guessing urls you can be prosecuted for sending garbage data in a way you know will be uploaded to a remote system.

      • cameldrv 2 days ago

        It might be interesting for an enterprising lawyer to try to flip this around. Suppose you send a letter to your car manufacturer saying that, as the owner of the car, you are prohibiting them from accessing the location of the car or performing unauthorized software updates and that any attempt to circumvent this will result in criminal prosecution for unauthorized access to your computer.

      • monerozcash 3 days ago

        Prosecuting someone for deliberately injecting garbage data into another person's system hardly seems totalitarian.

        > You own the device, so anything you do within that device is authorized

        You're very clearly describing a situation where at least some of the things you're doing aren't happening on your own device.

        >I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law

        FWIW this is simply not true. The essence of the CFAA is "do not deliberately do anything bad to computers that belong to other people".

        The Supreme Court even recently tightened the definition of "unauthorized access" to ensure that you can't play silly games with terms of service and the CFAA. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf

      • AngryData 3 days ago

        If you were to purposefully try to poison/damage their dataset and admitted as such you probably wouldn't win without spending an unreasonable amount of money on lawyer fees. Without admitting anything though and claiming ignorance it would probably be pretty easy to get dismissed, provided you are able to spend at least some money on a lawyer.

    • culi 3 days ago

      Then do the opposite. Poisoned data that can improve your insurance rates

      • micromacrofoot 3 days ago

        they use the data mostly to charge you more, you can't really get the price all that lower

        I've had a clean driving record for 30 years and I'm still paying the junk rates most other people get

  • elzbardico 3 days ago

    Oh man. Logging insane average speeds and ludicrous acceleration during rush hour. Deliciously tempting idea.

    • idiotsecant 3 days ago

      Draw the old twig and berries in gps coordinates in hundreds of random cities, with velocity between points carefully kept to regular traffic speeds every single day until they shut the modem off.

    • tehjoker 3 days ago

      A data scientist will simply filter out impossible data when conducting an analysis

      • elzbardico 3 days ago

        That’s why you make this as popular as possible

      • GuinansEyebrows 3 days ago

        you give a lot of credit to an industry poisoned by the profit motive

        • tehjoker 3 days ago

          Just make sure you are criticizing the industry on things that are real. Accurate data collection (but not necessarily publication to a broad audience) is something industry does. Decision makers want to understand reality, they don't necessarily want you to though.

culi 3 days ago

For anyone else confused, Diagnostic Trouble Codes (DTCs). Automotive context

CamperBob2 3 days ago

> I fear the next version of Miata will be an encrypted CAN like most other cars have moved to

As I understand it, they're required to do that now if they want to sell in the EU. They emphatically do not want anyone tinkering with their cars.

  • bri3d 3 days ago

    They don’t want people modifying ADAS systems mostly, and the main requirement is SecOC, which is cryptographic authentication but the message is still plaintext. Basically they don’t want third party modifications able to randomly send the “steer left” message to the steering rack, for example.

    • rconti 3 days ago

      The ADAS systems mandated in Europe are insanely intrusive. I had a few rental cars in Europe this summer and wanted to send them off a cliff. (and I'm not an auto tech luddite, I've had modern cars in the US with autopilot type systems, lane keep, blind spot warning, rear traffic assist radar, forward collision warning, etc. IMO rear traffic assist/FCW/AEB tend to work really well, autopilot pretty well, and lane keep and blind spot silly gimmicks at best).

      Bring on the full self-driving cars, or let me drive my own car. This human-in-the-loop middle state is maddening. We're either supervising our "self-driving, but not really" cars, where the car does all of the work but we still have to be 100% aware and ready to "take over" the instant anything gets hard (which we know from studies is something humans are TERRIBLE at)... Or, we're actively _driving_ the car, but you're not really. The steering feel is going in and out as the car subtly corrects for you, so you can't trust your own human senses. Typically 40% brake pedal pressure gets you 40% brake pressure, unless you lift off the throttle and hop to the brakes quickly, in which case it decides when you apply 40% pedal pressure you actually want 80% brake pressure. Again, you can't trust your human senses. The same input gets different outputs depending on the foggy decisions of some computer. Add to that the beeping and ping-ponging and flashing lights in the cluster.

      It's like clippy all over again. They've decided that, if one warning is good and helpful, constant alerts are MORE good and MORE helpful. Not a thought has been given to alert fatigue or the consequences of this mixed human-in-the-loop mode.

      • mattclarkdotnet 3 days ago

        So much this. We had a rental BYD in Greece this summer, and while it was actually a great car in general the mandated “assistance” was awful.

        It constantly got the speed limits wrong, constantly tried to tug me out of the correct lane, and was generally awful. It could be disabled but was re-enabled on each restart of the ignition because it’s mandated by EU regulation.

        I appreciate a Greek island perimeter road may be a worst case scenario, but it did the same with roadworks on the freeway and many other situations.

        Actively dangerous in my experience…

      • hdgvhicv 3 days ago

        “Lane keep” yanks the wheel dangerously because it incorrectly detects the lane, or because you don’t indicate to pass a pothole on an empty road (which itself would be confusing to other road users)

        Forward collision warning has misfired on 2 occasions on me in the last 3 years

        The main issue is that so many cars have broken “auto dipping” headlights which don’t dip, or matrix headlights which don’t pick out other cars.

        This automation shit should stop, but it won’t.

        parking beepers are reasonable, they simply come on occasionally and don’t actually interfere when they go wrong. The rest of it just makes things far worse at scale.

    • CamperBob2 3 days ago

      Yes, and to do that, CAN must be encrypted. The idea isn't just to secure it from hackers. The idea is to secure it from owners.

      • bri3d 3 days ago

        > SecOC, which is cryptographic authentication but the message is still plaintext

        • CamperBob2 3 days ago

          Oh, OK, that's better. I can see what my car is doing, I just can't do anything about it.
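
The authentication-versus-encryption distinction discussed in this sub-thread, as an added sketch that is not code from any commenter or from AUTOSAR: a SecOC-style frame carries its payload in the clear plus a truncated freshness counter and a truncated MAC, so a listener without the key can read it but cannot alter or replay it. Assumptions: HMAC-SHA256 from the standard library stands in for the AES-CMAC that production stacks typically use, and the key, data ID, payload and field lengths are constructed for the demo.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))            # constructed demo key, not a real ECU key
DATA_ID = 0x0123                  # hypothetical message identifier
PAYLOAD = b"\x00\x10\x27\x00"     # constructed 4-byte signal payload
MAC_LEN = 3                       # assumed truncated-MAC length in bytes

def _mac(key, data_id, payload, full_fv):
    # The MAC covers the data ID, the payload and the FULL freshness counter.
    msg = struct.pack(">H", data_id) + payload + struct.pack(">Q", full_fv)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def secure(key, data_id, payload, full_fv):
    # Wire format: plaintext payload | low byte of counter | truncated MAC.
    return payload + bytes([full_fv & 0xFF]) + _mac(key, data_id, payload, full_fv)

class Receiver:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.last_fv = key, data_id, 0

    def verify(self, frame):
        payload, fv_lsb, tag = frame[:-4], frame[-4], frame[-MAC_LEN:]
        # Rebuild the full counter: smallest value above last_fv with this low byte.
        full = (self.last_fv & ~0xFF) | fv_lsb
        if full <= self.last_fv:
            full += 0x100
        if not hmac.compare_digest(tag, _mac(self.key, self.data_id, payload, full)):
            return None           # forged, altered or replayed frame
        self.last_fv = full
        return payload

def demo():
    rx = Receiver(KEY, DATA_ID)
    frame = secure(KEY, DATA_ID, PAYLOAD, 1)
    tampered = bytes([frame[0] ^ 0xFF]) + frame[1:]
    return {
        "frame_len": len(frame),            # fits a classic 8-byte CAN frame
        "observer_sees": frame[:-4],        # readable with no key at all
        "tampered": rx.verify(tampered),    # payload changed, MAC fails
        "genuine": rx.verify(frame),        # accepted, counter advances
        "replayed": rx.verify(frame),       # same frame again, stale counter
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```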

    • RealityVoid 3 days ago

      I integrated SecOC on some ECU's at work. I hate myself for it. I frigging hate what they're doing with this. I think it's going to make cars less repairable, less modifiable. It's a horrible horrible stupid initiative in the name of "cybersecurity".

      • bri3d 3 days ago

        I understand notionally where they were going, but it all sort of went off the deep end somewhere along the line. A concern that someone buying some "mileage blocker" or whatever other shady device off of AliExpress might be vulnerable to the device steering their car into a wall is actually quite a valid one, but of course the solution is some overcomplicated AUTOSAR nightmare that doesn't solve for key provisioning in a way to make modules replaceable.

        • RealityVoid 3 days ago

          I have less trust in their good intentions. I think OEM's want to lock down their platforms in order to squeeze extra revenue streams. And I tend to be quite charitable with my interpretations.

          As an aside, I checked out your GitHub. Cool projects, the vag flashing tool looks super useful, might actually give it a spin in sive development projects.

ranger_danger 3 days ago

Can't you just turn off "Connected Services" in the menu?

I have been canceling that stupid warning message it presents when leaving it off, every day for several years now.