CARS
TOPICS BELOW: Cars Spying on Us, Software Bugs, Car Theft, Honda, Tesla
CARS SPYING ON US
- November 19, 2024: Modern cars are surveillance devices on wheels with major privacy risks – new report by Katharine Kemp for The Conversation. A summary of a new report out of Australia that analyzed the privacy terms of new connected cars sold by the 15 most popular car brands in Australia. It starts with just finding the relevant privacy related documents from a car manufacturer, and there was a wide difference between the companies. The original report is 53 pages and was issued in October 2024. It is available here: Driving Blind: The Unexamined Privacy Risks of Connected Cars by Katharine Kemp of the University of New South Wales (UNSW).
- September 9, 2024: Our future? Ford seeks patent for tech that listens to driver conversations to serve ads by Suzanne Smalley for The Record. "Ford Motor Company is seeking a patent for technology that would allow it to tailor in-car advertising by listening to conversations among vehicle occupants, as well as by analyzing a car's historical location and other data..." Ford calls this proposed system "in-vehicle advertisement presentation". This is the patent application: Pub. No.: US 2024/0289844 A1, Verma et al., August 29, 2024.
- June 8, 2024: Is Your Driving Being Secretly Scored? by Kashmir Hill for the New York Times. We all have a credit score that we are allowed to see. But car owners may also have a driving score, and seeing that is no simple thing. Auto insurance companies can get it, of course, and the score is likely to affect the rate you pay. Car insurance companies learn how you drive either directly from the car manufacturer or from apps that are already on your phone. The apps mentioned in the article are Life360, MyRadar and GasBuddy. The official term for driving behavior analysis is telematics.
- June 5, 2024: How to Keep Your Car From Spying on You by Bart Ziegler for the Wall Street Journal. As the Journal is paywalled, this summary omits much. Before buying a car, read the privacy disclosures on the carmaker's website. While finalizing a car purchase at the dealership, read the fine print of the sales documents. Elsewhere on this page is vehicleprivacyreport.com. This article also endorses the site. Consumers can check whether LexisNexis Risk Solutions has a file on them at: consumer.risk.lexisnexis.com/request
- April 23, 2024: Episode 971 of Steve Gibson's Security Now! podcast has a note (see page 7 of the PDF) from a listener detailing his experience with a Hyundai car spying on him. The listener was very careful not to agree to any car spying. Yet, Verisk had lots of data on his driving habits. There is also a picture of one page from the Verisk report. The letter from the listener is worth reading.
- April 11, 2024: Your Car Is Spying on You by Jeff Somers for Lifehacker. The article is a must-read for the defensive steps it suggests. For example: "You can contact Lexis Nexis and request a consumer disclosure report, as well as Verisk ... they have to provide this upon request, and it will show you - in terrifying detail - how much data has been collected about your driving habits, if any. You can also plug your car’s vehicle identification number (VIN) into Vehicle Privacy Report and get a rundown of what data is being collected and by whom." Another suggestion is to look for a page on the website of the company that made your car, where you can opt out of their data collection.
- March 11, 2024: Automakers Are Sharing Consumers' Driving Behavior With Insurance Companies by Kashmir Hill for the New York Times. Many car companies report detailed driving information to data brokers and many drivers are not informed about this. This can be done because cars are now Internet connected. The data reported is speed, distance, beginning and ending time of each trip, and whether the car accelerates and decelerates quickly or gradually. If this points to someone being a bad driver, their insurance rate goes up. The two data brokers in the article are LexisNexis and Verisk. Car companies that sell detailed driving data to brokers are General Motors, Honda, Ford, Kia, Subaru and Hyundai. Mitsubishi has an optional feature in its app that, when enabled, collects information about your driving. Often information about this is hidden or buried. The article has links to get your own data from LexisNexis and Verisk.
This article led to follow-up stories:
- March 22, 2024: General Motors Quits Sharing Driving Behavior With Data Brokers by Kashmir Hill in the New York Times. GM responds to bad publicity.
- April 23, 2024: How G.M. Tricked Millions of Drivers Into Being Spied On (Including Me) by Kashmir Hill in the New York Times. The reporter who broke this story was, herself, spied on. She had requested her LexisNexis report as part of her research, but it came up empty. She had purchased a GM car with her husband and the spy data was attributed only to him because the dealership listed him as the primary owner. The spy data has details on car trips: the distance, the start and end times, and how often the car hard-braked or accelerated rapidly. Why was GM spying on a customer who would never have agreed to this? Interesting story. At first GM claimed that you had to turn on OnStar and enroll in Smart Driver. But it's not that simple. For one thing, they do everything they can to trick people. Then too, they have buggy software that will report one thing on their website and another thing in their mobile app. Now that the s..t has hit the fan, GM says customers can disable all data collection by contacting an OnStar adviser. This article is a must-read for all GM customers.
- April 26, 2024: People Are Slowly Realizing Their Auto Insurance Rates Are Skyrocketing Because Their Car Is Covertly Spying On Them by Karl Bode for Techdirt. Quoting: "GM is now facing 10 different federal lawsuits from customers pissed off that they were surreptitiously tracked and then forced to pay significantly more for insurance ... . Pressured for unlimited quarterly returns, insurance companies will use absolutely anything they find in the data to justify rising rates ... If this follows historical precedent, GM will pay out a relative pittance in legal fees and fines, claim they’ve changed their behavior, then simply rename these programs into something else ... Something more carefully crafted, with bare-bones consumer alerts, to exploit the fact that the U.S. remains too corrupt to pass even a baseline modern privacy law ... our Congress has been lobbied into gridlock by a cross-industry coalition of companies with near-unlimited budgets, all desperately hoping that their performative concerns about TikTok will distract everyone from the fact we live in a country too corrupt to pass a real privacy law."
- October 15, 2023: DON'T Connect Your Phone To Your Car! video by Naomi Brockwell TV. 15 minutes. Modern cars are a privacy nightmare. This is the first of what Naomi plans to be a series of videos on the topic of cars and privacy.
- The Mozilla Foundation is a netizen-rights organization from the makers of the Firefox browser. They have deeply researched the issue of cars spying on passengers. All the articles below were published September 6, 2023.
- Their Privacy Not Included website has a page dedicated to Cars with detailed reviews of individual car companies. The reviews include defensive steps.
- It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy by Jen Caltrider, Misha Rykov and Zoë MacDonald. 84 percent of car companies share or sell your data. The only two (Renault and Dacia) that give you control over your data are only available in Europe, where laws on privacy are stronger than in the U.S.
- What Data Does My Car Collect About Me and Where Does It Go? by Jen Caltrider, Misha Rykov and Zoë MacDonald.
- After Researching Cars and Privacy, Here’s What Keeps Us up at Night by Jen Caltrider, Misha Rykov and Zoë MacDonald.
- Mozilla calls cars from 25 automakers 'data privacy nightmares on wheels' by Jessica Lyons Hardcastle for The Register. Mozilla assessed the privacy policies and practices of 25 automakers and found all of them failed their consumer privacy tests. They found that car companies can collect and sell: location history, driving habits, in-car browser histories, music preferences, sexual activity, immigration status, race, facial expressions, weight, health, and genetic information. This data is collected using sensors, microphones, cameras, phones, other devices people connect to their cars, apps such as Sirius XM and Google Maps, dealerships, and vehicle telematics. The worst car company? Nissan.
- The Privacy4Cars app offers step-by-step instructions for deleting your personally-identifiable information from any car. The company also sells tools to help dealerships remove data from vehicles.
- November 10, 2023: If you live in Massachusetts, maybe don't buy a Subaru or a Kia. Subaru cars can make an automatic emergency call if the car crashes. But not in Massachusetts. You can remotely start a Subaru and turn on the heater. But not in Massachusetts. From: Now that cars are like smartphones, we don’t really own them by Shira Ovide for the Washington Post. See also: Massachusetts Subaru, Kia Buyers Caught Up In 'Right-To-Repair' Fight by The Associated Press, February 24, 2022.
- August 1, 2023: Connected car data privacy under investigation by California regulator by Jonathan M. Gitlin for Ars Technica. Quoting: "Connected cars are fast becoming ubiquitous - it may well be impossible to buy a new car, truck, or SUV in 2023 that doesn't have at least one embedded modem in it. In the mid-2010s, many OEMs saw dollar signs at the prospect of monetizing data collected by their deployed vehicle fleets, and unlike with cellphones, it can be hard or impossible to disable location tracking in one's car ... the California Privacy Protection Agency announced that it will review the data privacy practices of connected vehicle manufacturers. The agency is empowered to do so thanks to a 2018 state law, the California Consumer Privacy Act."
- May 2, 2023: Some real defense. New Tool Shows if Your Car Might Be Tracking You, Selling Your Data by Joseph Cox for Vice Motherboard. About a new website from Privacy4Cars called the Vehicle Privacy Report. You enter the VIN of a car and get a privacy report for the car. The service is free for consumers.
The report shows the types of data being collected by the car and whether or not the car has telematics (a built-in data connection), biometrics, location tracking, personal data identifiers, or phone syncing. It also shows who or what the car maker might share that information with (affiliates, service providers, insurers, data brokers, or even the government).
- February 28, 2023: From Cory Doctorow: VW wouldn't locate kidnapped child because his mother didn't pay for find-my-car subscription. You can't make this stuff up. Volkswagen has a car location/surveillance system that costs car owners $150/year. It's called Car-Net. VW makes money by selling information about the car to data brokers. But when a VW was stolen with a small child in the back seat, they would not tell law enforcement the location of the car because the owner had not paid for the find-my-car feature of Car-Net. Maybe they made a mistake? Maybe this was marketing, designed to get all their customers to pay for the service?
- December 2022: Cops Can Extract Data From 10,000 Different Car Models’ Infotainment Systems by Thomas Brewster in Forbes.
- July 2022: Who Is Collecting Data from Your Car? by Jon Keegan and Alfred Ng for The Markup. A firehose of sensitive data from your vehicle is flowing to a group of companies you’ve probably never heard of. They identified 37 companies that are part of the connected vehicle data industry that seeks to monetize this data in an environment with few regulations. This is all based on a factory-installed cellular connection. No defense offered. The only car with privacy controls is the Porsche Taycan SUV.
- April 2021: These Companies Track Millions Of Cars - Immigration And Border Police Have Been Grabbing Their Data by Thomas Brewster for Forbes. Cars constantly collect location and use information, and that data can be provided to the government. In the last 18 months Customs and Border Protection and Immigration and Customs Enforcement officials demanded location data from three companies who collectively track the movements of tens of millions of vehicles: GM OnStar, Geotab and Spireon. No defense offered.
- March 2021: Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military by Joseph Cox for Vice. A company claims that it can locate specific cars in real time with data that comes from the cars themselves. The company is The Ulysses Group. Cars often include sensors that collect information and transmit it back to the home office. Such vehicle telematics include the airbag and seatbelt status, engine temperature, and current location. It is claimed that vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating. For defense, Privacy4Cars.
- December 2020: How cars spy on the people using them: Insecure wheels: Police turn to car data to destroy suspects' alibis by Olivia Solon for NBC News. Does not offer much in terms of defense.
- May 2019: Your Car Knows When You Gain Weight by Bill Hanvey, CEO of the Auto Care Association. Not much in the way of defense.
SOFTWARE BUGS
All software has bugs. The software in cars, and in the apps and websites that manage cars, is no exception.
- September 26, 2024: This is the latest in a plague of website bugs that has affected a dozen carmakers. Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug by Andy Greenberg for Wired. Quoting: "Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will ... The web bug they used to hack Kias is, in fact, the second of its kind that they have reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year..." The biggest mistake Kia made was hiring lazy programmers. The security researchers were able to impersonate a Kia dealer and all dealers have way too much power within the Kia computing world. The researchers could assign control of the vehicles' features to any customer. They could create customer accounts. The good news is that the researchers could not get into the driving system such as the brakes or steering.
This is the detailed report from the security researchers: Hacking Kia: Remotely Controlling Cars With Just a License Plate, September 20, 2024. Quoting: "On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription. Additionally, an attacker could silently obtain personal information, including the victim's name, phone number, email address, and physical address. This would allow the attacker to add themselves as an invisible second user on the victim's vehicle without their knowledge." It took Kia two months, but they fixed the relevant bugs.
- August 12, 2023: Ford says cars with WiFi vulnerability still safe to drive by Bill Toulas of Bleeping Computer. The bug is in SYNC3, an infotainment system that supports in-vehicle WiFi hotspots, phone connectivity and more. It is used in many Ford and Lincoln vehicles. A bad guy in WiFi range can trigger a buffer overflow that can lead to remote code execution. Good news: Ford said they will issue a bug fix soon. Bad news: the system is not able to be updated remotely. This means that Ford customers will have to load the bug fix on a USB stick to install it on their vehicles. Shamefully archaic.
- January 3, 2023: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More by Sam Curry and others. Other cars with software vulnerabilities mentioned in the article are Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, Ferrari, Spireon, Ford, Reviver, Toyota, Jaguar, Land Rover and SiriusXM Connected Vehicle Services. No defenses are offered. This article about these many bugs (Hackers discover that vulnerabilities are rife in the auto industry by Jonathan Gitlin for Ars Technica, January 11, 2023) has responses to the problems from many car manufacturers.
- November 2022: Researchers find bugs allowing access, remote control of cars by Jonathan Greig for The Record. Researchers found two sets of flaws. One set affects Hyundai and Genesis cars, the other affects Honda, Nissan, Infiniti and Acura cars. The bugs allow remote access and control over cars made after 2012. Yikes.
CAR THEFT
September 21, 2023: U.S. Cities Have a Staggering Problem of Kia and Hyundai Thefts. This Data Shows It. by Aaron Gordon for Vice. Engine immobilizers are a basic anti-theft device that costs about $100 and prevents cars from being hot-wired. The car industry has widely adopted immobilizers. Anti-theft devices are required by law in Canada and Kia and Hyundai use them in Canada. However, they are not required in the U.S., so ... from 2011 to 2021, Kia and Hyundai manufactured many of their cars without immobilizers making them trivially easy to steal. In 2015, just 26 percent of Kias and Hyundais sold in the U.S. had immobilizers. In total, some nine million vehicles in the U.S. are vulnerable. This has resulted in a stolen car crime wave unlike anything the U.S. has seen in generations. 17 cities have filed lawsuits against Kia and Hyundai. Many insurance companies stopped selling policies for the affected vehicles.
April 13, 2023: Cities Sue Hyundai, Kia After Wave of Car Thefts by Joseph Pisani in the Wall Street Journal. Cleveland, Seattle, St. Louis and at least five other cities allege that the auto makers did not install anti-theft technology to cut costs. This makes the cars easier to steal and their cities less safe. There has been a surge of joy riders stealing these cars, damaging property and draining police resources. One lawsuit said "The security system for these cars is so substandard that it can be exploited by a middle-schooler." State Farm stopped accepting new customer applications for some Kia and Hyundai vehicles, citing a rise in costs. Cars from the 2022 model year are safe, but if you own one, you have to hope that the bad guys know how to tell the different model years apart.
HONDA
March 25, 2022: Honda bug lets a hacker unlock and start your car via replay attack by Ax Sharma for Bleeping Computer. Some models made between 2016 and 2020 can have key fob codes sniffed and re-transmitted. The vulnerability, according to researchers, remains largely unfixed in older models. In 2020 a researcher had reported a similar flaw affecting some Honda and Acura models but he claimed that Honda ignored his report. Honda has not verified the information reported by the researchers and cannot confirm if their cars are actually vulnerable. But, should the vehicles be vulnerable, "Honda has no plan to update older vehicles at this time."
July 11, 2022: Hackers can unlock Honda cars remotely in Rolling-PWN attacks by Bill Toulas for Bleeping Computer. This is not the same bug as above from March 2022. Quoting: "A team of security researchers found that several modern Honda car models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely. Called Rolling-PWN, the weakness enables replay attacks where a threat actor intercepts the codes from the keyfob to the car and uses them to unlock or start the vehicle ... The researchers tried to notify Honda of the vulnerability but could not find a contact for reporting security-related issues." Honda initially denied the problem, then admitted to it, but they pointed out that this does not let someone drive the car away. As to fixing the issue, Honda said to buy a newer car.
October 10, 2022: What you should know about the Honda key fob vulnerability by Sue Poremba for Security Intelligence. Quoting: "Even though this vulnerability became news over the summer of 2022, the vulnerability was found in 2012 Honda cars and should be assumed to affect every Honda on the market today. Whoever has access to these codes has permanent access to unlock the car doors and possibly start the vehicle. Today, Rolling-PWN appears to only target Honda vehicles ..."
TESLA
The Defensive Computing approach to Tesla is probably to not buy one of their cars. This story exposes the corporate mindset: Tesla exaggerated EV range so much that drivers thought cars were broken by Jon Brodkin for Ars Technica, July 27, 2023. Inundated with complaints, Tesla created a "Diversion Team" to cancel appointments. This was also covered by Karl Bode of Techdirt: Tesla Lied About EV Range, Then Created A Team Built Specifically To Undermine Customer Attempts To Get Help on July 28, 2023.
May 22, 2024: Teslas Can Still Be Stolen With a Cheap Radio Hack - Despite New Keyless Tech by Andy Greenberg for Wired. Tesla has an optional PIN-to-drive feature that requires the owner to enter a four-digit code before starting the car. This security feature is off by default. All Tesla owners should turn it on as the cars remain vulnerable to relay attacks.
April 6, 2023: Special Report: Tesla workers shared sensitive images recorded by customer cars by Steve Stecklow, Waylon Cunningham and Hyunjoo Jin for Reuters. Tesla cars have cameras on both the inside and the outside.
As to Tesla safety:
- October 18, 2024: Still more auto-pilot problems: US probes Tesla's Full Self-Driving software in 2.4 million cars after fatal crash by David Shepardson and Akash Sriram for Reuters. This was prompted by four collisions, including a 2023 fatal crash. Quoting: "The National Highway Traffic Safety Administration's (NHTSA) preliminary evaluation is the first step before the agency could seek a recall of the vehicles if it believes they pose an unreasonable risk to safety ... Tesla in December recalled more than two million U.S. vehicles to install new safeguards in its Autopilot advanced driver-assistance system. NHTSA is still probing whether that recall is adequate to address concerns drivers are not paying attention ... Tesla's 'camera-only' approach ... some industry experts have said, could cause issues in low-visibility conditions as the vehicles do not have a set of back-up sensors."
- Tesla has settled another deadly Autopilot crash lawsuit by Owen Bellwood for Jalopnik. May 29, 2024. The case stemmed from a 2016 crash involving a Model S sedan equipped with the Autopilot technology.
- Tesla settles lawsuit over man’s death in a crash involving its semi-autonomous driving software April 9, 2024. The amount Tesla paid was not disclosed. The settlement was one day before the trial was scheduled to begin.
- April 28, 2024: Lawsuits test Tesla claim that drivers are solely responsible for crashes by Trisha Thadani for the Washington Post. The newspaper "obtained" dash-cam footage of Tesla crashes that offers details of vehicles allegedly on Autopilot. At least eight new lawsuits and a federal investigation contend that Tesla's technology invites drivers to overly trust the automation. The article starts with dash-cam footage from July 2022 that shows a Tesla traveling south on the northbound side of a highway.
- August 17, 2023: Tesla knew Autopilot weakness killed a driver – and didn't fix it, engineers claim by Brandon Vigliarolo of The Register. Fifty-year-old Jeremy Banner died in 2019 when his Tesla Model 3 smashed into a tractor-trailer in cross traffic. Autopilot had been activated ten seconds prior to the collision. In a civil lawsuit brought against Tesla regarding the crash, two Tesla Autopilot engineers have claimed the automaker's leadership not only knew the software was unable to detect and respond to cross traffic, it did nothing to fix it. This crash bears remarkable similarity to a 2016 accident that killed Joshua Brown, whose Tesla Model S with Autopilot activated failed to notice an 18-wheeler tractor-trailer crossing a highway.
- August 1, 2023: Steering failures are Tesla's new federal safety worry by Jonathan M. Gitlin for Ars Technica. The National Highway Traffic Safety Administration's Office of Defects Investigation is looking into a potential problem with the power steering in the model-year 2023 Tesla Models 3 and Y. There have been a dozen customer complaints. But, just add it to the list: This year NHTSA's ODI also opened probes into complaints of sudden unintended acceleration, and another is looking at the propensity for steering wheels to detach. That was not a typo, the steering wheels are falling off.
- 17 fatalities, 736 crashes: The shocking toll of Tesla’s Autopilot by Faiz Siddiqui and Jeremy B. Merrill for the Washington Post. June 10, 2023. Tesla's driver-assistance system, known as Autopilot, has been involved in far more crashes than previously reported. There have been 736 U.S. crashes since 2019 involving Teslas in Autopilot mode, according to their analysis of National Highway Traffic Safety Administration data. The number of such crashes has surged over the past four years. Tesla and Elon Musk did not respond to a request for comment.
- Report: Tesla Autopilot Involved in 736 Crashes since 2019 by Sebastian Blanco for Car and Driver. June 13, 2023.