CARS
SPYING
- The Mozilla Foundation is a netizen-rights organization from the makers of the Firefox browser. They have deeply researched the issue of cars spying on passengers. All the articles below were published September 6, 2023.
- Their Privacy Not Included website has a page dedicated to Cars with detailed reviews of individual car companies. The reviews include defensive steps.
- It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy by Jen Caltrider, Misha Rykov and Zoë MacDonald. 84 percent of car companies share or sell your data. The only two (Renault and Dacia) that give you control over your data are only available in Europe where laws on privacy are stronger than in the U.S.
- What Data Does My Car Collect About Me and Where Does It Go? by Jen Caltrider, Misha Rykov and Zoë MacDonald.
- After Researching Cars and Privacy, Here’s What Keeps Us up at Night by Jen Caltrider, Misha Rykov and Zoë MacDonald.
- Mozilla calls cars from 25 automakers 'data privacy nightmares on wheels' by Jessica Lyons Hardcastle for The Register. Mozilla assessed the privacy policies and practices of 25 automakers and found all of them failed their consumer privacy tests. They found that car companies can collect and sell: location history, driving habits, in-car browser histories, music preferences, sexual activity, immigration status, race, facial expressions, weight, health, and genetic information. This data is collected using sensors, microphones, cameras, phones, other devices people connect to their cars, apps such as Sirius XM and Google Maps, dealerships, and vehicle telematics. The worst car company? Nissan.
- The Privacy4Cars app offers step-by-step instructions for deleting your personally-identifiable information from any car. The company also sells tools to help dealerships remove data from vehicles.
- August 1, 2023: Connected car data privacy under investigation by California regulator by Jonathan M. Gitlin for Ars Technica. Quoting: "Connected cars are fast becoming ubiquitous - it may well be impossible to buy a new car, truck, or SUV in 2023 that doesn't have at least one embedded modem in it. In the mid-2010s, many OEMs saw dollar signs at the prospect of monetizing data collected by their deployed vehicle fleets, and unlike with cellphones, it can be hard or impossible to disable location tracking in one's car ... the California Privacy Protection Agency announced that it will review the data privacy practices of connected vehicle manufacturers. The agency is empowered to do so thanks to a 2018 state law, the California Consumer Privacy Act."
- May 2, 2023: Some real defense. New Tool Shows if Your Car Might Be Tracking You, Selling Your Data by Joseph Cox for Vice Motherboard. About a new website from Privacy4Cars called the Vehicle Privacy Report. You enter the VIN of a car and get a privacy report for the car. The service is free for consumers.
The report shows the types of data being collected by the car and whether or not the car has telematics (a built-in data connection), biometrics, location tracking, personal data identifiers, or phone syncing. It also shows who or what the car maker might share that information with (affiliates, service providers, insurers, data brokers, or even the government).
- April 6, 2023: Special Report: Tesla workers shared sensitive images recorded by customer cars by Steve Stecklow, Waylon Cunningham and Hyunjoo Jin for Reuters. Tesla cars have cameras on both the inside and the outside.
- February 28, 2023: From Cory Doctorow: VW wouldn't locate kidnapped child because his mother didn't pay for find-my-car subscription. You can't make this stuff up. Volkswagen has a car location/surveillance system that costs car owners $150/year. It's called Car-Net. VW makes money by selling information about the car to data brokers. But, when a VW was stolen with a small child in the back seat, they would not tell law enforcement the location of the car because the owner had not paid for the find-my-car feature of Car-Net. Maybe they made a mistake? Maybe this was marketing, designed to get all their customers to pay for the service?
- December 2022: Cops Can Extract Data From 10,000 Different Car Models’ Infotainment Systems by Thomas Brewster in Forbes.
- July 2022: Who Is Collecting Data from Your Car? by Jon Keegan and Alfred Ng for The Markup. A firehose of sensitive data from your vehicle is flowing to a group of companies you’ve probably never heard of. They identified 37 companies that are part of the connected vehicle data industry that seeks to monetize this data in an environment with few regulations. Based on a factory-installed cellular connection. No defense offered. The only car with privacy controls is the Porsche Taycan SUV.
- April 2021: These Companies Track Millions Of Cars - Immigration And Border Police Have Been Grabbing Their Data by Thomas Brewster for Forbes. Cars constantly collect location and use information, and that data can be provided to the government. In the last 18 months, Customs and Border Protection and Immigration and Customs Enforcement officials demanded location data from three companies who collectively track the movements of tens of millions of vehicles: GM OnStar, Geotab and Spireon. No defense offered.
- March 2021: Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military by Joseph Cox for Vice. A company claims that it can locate specific cars in real time with data that comes from the cars themselves. The company is The Ulysses Group. Cars often include sensors that collect information and transmit it back to the home office. Such vehicle telematics include the airbag and seatbelt status, engine temperature, and current location. It is claimed that vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating. For defense, Privacy4Cars.
- December 2020: How cars spy on the people using them: Insecure wheels: Police turn to car data to destroy suspects' alibis by Olivia Solon for NBC News. Does not offer much in terms of defense.
- May 2019: Your Car Knows When You Gain Weight by Bill Hanvey, CEO of the Auto Care Association. Not much in the way of defense.
BUGS
All software has bugs; the software in cars is no exception.
- August 12, 2023: Ford says cars with WiFi vulnerability still safe to drive by Bill Toulas of Bleeping Computer. The bug is in SYNC3, an infotainment system that supports in-vehicle WiFi hotspots, phone connectivity and more. It is used in many Ford and Lincoln vehicles. A bad guy in WiFi range can trigger a buffer overflow that can lead to remote code execution. Good news: Ford said they will issue a bug fix soon. Bad news: the system is not able to be updated remotely. This means that Ford customers will have to load the bug fix on a USB stick to install it on their vehicles. Shamefully archaic.
- January 3, 2023: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More by Sam Curry and others. Other cars with software vulnerabilities mentioned in the article are Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, Ferrari, Spireon, Ford, Reviver, Toyota, Jaguar, Land Rover and SiriusXM Connected Vehicle Services. No defenses are offered. An article about these many bugs (Hackers discover that vulnerabilities are rife in the auto industry by Jonathan Gitlin for Ars Technica, January 11, 2023) has responses to the problems from many car manufacturers.
- November 2022: Researchers find bugs allowing access, remote control of cars by Jonathan Greig for The Record. Researchers found two sets of flaws. One set affects Hyundai and Genesis cars, the other affects Honda, Nissan, Infiniti and Acura cars. The bugs allow remote access and control over cars made after 2012. Yikes.
CAR THEFT
- September 21, 2023: U.S. Cities Have a Staggering Problem of Kia and Hyundai Thefts. This Data Shows It. by Aaron Gordon for Vice. Engine immobilizers are a basic anti-theft device that costs about $100 and prevents cars from being hot-wired. The car industry has widely adopted immobilizers. Anti-theft devices are required by law in Canada and Kia and Hyundai use them in Canada. However, they are not required in the U.S., so ... from 2011 to 2021, Kia and Hyundai manufactured many of their cars without immobilizers making them trivially easy to steal. In 2015, just 26 percent of Kias and Hyundais sold in the U.S. had immobilizers. In total, some nine million vehicles in the U.S. are vulnerable. This has resulted in a stolen car crime wave unlike anything the U.S. has seen in generations. 17 cities have filed lawsuits against Kia and Hyundai. Many insurance companies stopped selling policies for the affected vehicles.
- April 13, 2023: Cities Sue Hyundai, Kia After Wave of Car Thefts by Joseph Pisani in the Wall Street Journal. Cleveland, Seattle, St. Louis and at least five other cities allege that the auto makers did not install anti-theft technology to cut costs. This makes the cars easier to steal and their cities less safe. There has been a surge of joy riders stealing these cars, damaging property and draining police resources. One lawsuit said "The security system for these cars is so substandard that it can be exploited by a middle-schooler." State Farm stopped accepting new customer applications for some Kia and Hyundai vehicles, citing a rise in costs. Cars from the 2022 model year are safe, but if you own one, you have to hope that the bad guys know how to tell the different model years.
TESLA
The Defensive Computing approach to Tesla is probably to not buy one of their cars. This story exposes the corporate mindset: Tesla exaggerated EV range so much that drivers thought cars were broken by Jon Brodkin for Ars Technica, July 27, 2023. Inundated with complaints, Tesla created a "Diversion Team" to cancel appointments. This was also covered by Karl Bode of Tech Dirt: Tesla Lied About EV Range, Then Created A Team Built Specifically To Undermine Customer Attempts To Get Help on July 28, 2023.
As to Tesla safety:
- August 17, 2023: Tesla knew Autopilot weakness killed a driver – and didn't fix it, engineers claim by Brandon Vigliarolo of The Register. Fifty-year-old Jeremy Banner died in 2019 when his Tesla Model 3 smashed into a tractor-trailer in cross traffic. Autopilot had been activated ten seconds prior to the collision. In a civil lawsuit brought against Tesla regarding the crash, two Tesla Autopilot engineers have claimed the automaker's leadership not only knew the software was unable to detect and respond to cross traffic, it did nothing to fix it. This crash bears remarkable similarity to a 2016 accident that killed Joshua Brown, whose Tesla Model S with Autopilot activated failed to notice an 18-wheeler tractor-trailer crossing a highway.
- August 1, 2023: Steering failures are Tesla's new federal safety worry by Jonathan M. Gitlin for Ars Technica. The National Highway Traffic Safety Administration's Office of Defects Investigation is looking into a potential problem with the power steering in the model-year 2023 Tesla Models 3 and Y. There have been a dozen customer complaints. But, just add it to the list: This year NHTSA's ODI also opened probes into complaints of sudden unintended acceleration, and another is looking at the propensity for steering wheels to detach. That was not a typo, the steering wheels are falling off.
- 17 fatalities, 736 crashes: The shocking toll of Tesla’s Autopilot by Faiz Siddiqui and Jeremy B. Merrill for the Washington Post. June 10, 2023. Tesla's driver-assistance system, known as Autopilot, has been involved in far more crashes than previously reported. 736 U.S. crashes since 2019 involving Teslas in Autopilot mode according to their analysis of National Highway Traffic Safety Administration data. The number of such crashes has surged over the past four years. Tesla and Elon Musk did not respond to a request for comment.
- Report: Tesla Autopilot Involved in 736 Crashes since 2019 by Sebastian Blanco for Car and Driver. June 13, 2023.