The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.
I don't know much about automotive safety, but has much actually changed since 2014 in terms of safety standards? I had thought that by the 2010s, basically everyone big had already figured out how to build a relatively safe car from a structural standpoint. Or are you only talking about electronic assistive features, like proximity sensors or lane assist?
And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)
I've had a clean driving record for 30 years and I'm still paying the junk rates most other people get
At this point car insurance has gotten so bad that it's becoming normal that you can save hundreds of dollars by switching providers every 6 months. These companies are probably making millions on people who are just too exhausted to switch constantly.
I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.
(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))
Also come on, you can't reasonable describe that case as being about "guessing urls". It's the associated chat logs that really make the case.
What about guessing passwords? Should someone be prosecuted for just trying to bruteforce them until one works?
Guessing a URL is an attempt to access (potentially) privileged information which was not secured or authenticated to begin with.
A password is a lock you have to break. An unlisted URL is a sticky note that says "private" on the front of a 40" screen. It's literally impossible for that information to stay private. Someone will see it eventually.
How do you propose the line should be drawn?
To me, this is subjective, but the URL situation has a different feel than something like SQL injection. URLs are just references to certain resources - if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways. The exception is websites that put keys and passwords into their URL parameters, but if we're talking solely about the address part, it seems "public" to me. On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen. It's like picking up a $100 bill of the street vs. picking even the flimsiest, most symbolic of locks to get to a $100 bill you can see in a box.
I don't think the question can be inverted like that, not meaningfully anyway. The CFAA specifically requires one to act knowingly. Accidentally navigating to a page you're not supposed to access isn't criminal.
>To me, this is subjective, but the URL situation has a different feel than something like SQL injection.
I don't think the url below is necessarily that different.
> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)
> if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways
It can be, but not lawfully so. It's not possible to accidentally commit a crime here, for example in the IRC logs related to the ATT case the "hackers" clearly understood that what they were doing wasn't something that AT&T would be happy with and that they would likely end up in court. They explicitly knew that what they were doing was exceeding authorized access.
> On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen
I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
Lets say those files are discoverable by guessing some URL in your browser, but not accessible to normal users just clicking around the website. If you start scraping the files, I think it's pretty obvious that you're intruding on something private that wasn't meant to be seen. Any reasonable person would realize that, right?
This is why I tried to make the clarification that I was referring to the address part of the URLs only, not the parametrized part. In my mind, something like /users?key=00726fca8123a710d78bb7781a11927e is quite different from /logins-and-passwords.txt. Although, parameters can also be baked into the URL body, so there's some vagueness to this.
> I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
I guess if I try to distill my thoughts down, what I really mean is that there should be a minimum standard of care for private data. At some point, if being able to read restricted data is so frictionless, the fault should lie with the entity that has no regard for its information, rather than the person who found out about it. If a hospital leaves a box full of sensitive patient data in the director's office, and getting to it requires even the minimal amount of trespassing, the fault is on whoever did so. But if they leave that box tucked away in the corner of a parking lot, can you really fault some curious passer-by that looked around the corner, saw it and picked it up? Of course, there's a lot of fuzziness between the two, but in my mind, stumbling into private data by finding an undocumented address doesn't clear the same bar as bruteforcing or using a security vulnerability to gain access to something that's normally inaccessible.
there is a line drawn for such things. a fuzzy line. see:
https://en.wikipedia.org/wiki/I_know_it_when_I_see_it
same as this famous case, in which a supreme court justice is asked "what is and is not pronographie" - of course he realizes if he defines "what is not" people are going to make all kinds of porn right on the boundary (see: japanese pronographies where they do the filthiest imaginable things yet censor the sensitive books, making it SFW in the eyes of their law). this judge avoided that.
Anyways, parallel to the fact that filthy pronographies can be made a gorillion different ways, a "hack" may be manifested also a gorillion different ways. Itemizing such ways would be pointless. And also in the same vein, strictly defining a black and white line "this is legal, this is not" would cause hackers to freely exploit and cheese the legal aspect as hard as possible.. businesses and data miners and all these people would also freely exploit it, at massive scale and with massive funding, since it is officially legal. Thusly it must be kept an ambiguous definition as with pronographies, as with many things
Sometimes a URL can have a password in it.
But when it's just a sequential-ish ID number, you have to accept that people will change the ID number. If you want security, do something else. No prosecuting.
Find out that it works, and then proceed to look up various other people? Whether you're fine depends entirely on whether or not you genuinely believe that you're supposed to be accessing that stuff.
And everyone who doesn't have wool for brains knows to not carry large rolls of cash around in a bad part of town, but we can still hold the mugger at fault.
That's literally the current state of things.
As a pragmatic matter, I do completely understand where you're coming from (my second paragraph). In a sense, if one can get to the point of being convicted they have been kind of fortunate - it means they didn't kill themselves under the crushing pressure of a team of federal persecutors whose day job is making your life miserable.
If your goal is to deliberately "poison" their data as suggested before, it's kind of obvious that you are knowingly causing the transmission of information in an effort to intentionally cause damage to a protected computer without authorization to cause such damage.
>Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.
This has very little to do with the TOS though, unless the TOS specifically states that you are in fact allowed to deliberately damage their systems.
And no, causing damage to a computer does not refer to hackers turning computers into bombs. But rather specifically situations like this.
Practically any device connected to the internet is a "protected computer". The only case I can think of where the defendant prevailed on their argument that the computer in question was not a "protected computer" was US v Kane. In that case the court held that an offline Las Vegas video poker machine was not sufficiently connected to interstate commerce to qualify as a "protected computer".
Deliberately inserting bad data to mess with their analytics does in fact fit that definition.
I would read that definition as applying only to their computer system - the one you aren't authorized to access. This means the integrity of data on their system has not been affected, even if the source of that data isn't what they'd hoped.
As I said, the law contemplates a different call out for fraud. This would not be needed if data integrity was meant to be construed the way you're claiming.
(For reference I do realize the law is quite unjust and I'll say we'd be better off if the entire law were straight up scrapped along with the DMCA anti-circumvention provisions)
What specific activities does it unjustly criminalize?
But if you're not - the fact it's putting a chilling effect on this activity right here is a problem.
Another big problem is the complete inequity. It takes the digital equivalent of hopping over a fence and turns it into a serious federal felony with persecutors looking to make an example of the witch who can do scary things (from the perspective of suits).
Another glaring problem is that if the types of boundaries it creates are noble, then why does it leave individuals powerless to enforce such boundaries against corpos, being easily destroyed by clickwrap licenses and unequal enforcement? Any surveillance bugs/backdoors on a car I own are fundamentally unauthorized access, and yet I/we are powerless to use this law to press the issue.
> You own the device, so anything you do within that device is authorized
You're very clearly describing a situation where at least some of the things you're doing aren't happening on your own device.
>I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law
FWIW this is simply not true. The essence of the CFAA is "do not deliberately do anything bad to computers that belong to other people".
The supreme court even recently tightened the definition of "unauthorized access" to ensure that you can't play silly games with terms of service and the CFAA. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf
However, it's worth clarifying that the important detail isn't generating the data, but sending it. Particularly the clearly stated malicious intent of "poisoning" their data.
This seems like exactly what the lawmakers writing CFAA sought to criminalize, and is frankly much better justified than perhaps the bulk of things they tend to come up with.
>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Doesn't seem exactly unfair to me, even if facing federal charges over silly vandalism is perhaps a bit much. Of course, you'd realistically be facing a fine.
>(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
>(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
As anecdote, while buying a new car I signed a statement that I'm not going to resell it to russia.
I have been canceling that stupid warning message it presents when leaving it off, every day for several years now.
As I understand it, they're required to do that now if they want to sell in the EU. They emphatically do not want anyone tinkering with their cars.
Bring on the full self-driving cars, or let me drive my own car. This human-in-the-loop middle state is maddening. We're either supervising our "self-driving, but not really" cars, where the car does all of the work but we still have to be 100% aware and ready to "take over" the instant anything gets hard (which we know from studies is something humans are TERRIBLE at)... Or, we're actively _driving_ the car, but you're not really. The steering feel is going in and out as the car subtly corrects for you, so you can't trust your own human senses. Typically 40% brake pedal pressure gets you 40% brake pressure, unless you lift off the throttle and hop to the brakes quickly, in which case it decides when you apply 40% pedal pressure you actually want 80% brake pressure. Again, you can't trust your human senses. The same input gets different outputs depending on the foggy decisions of some computer. Add to that the beeping and ping-ponging and flashing lights in the cluster.
It's like clippy all over again. They've decided that, if one warning is good and helpful, constant alerts are MORE good and MORE helpful. Not a thought has been given to alert fatigue or the consequences of this mixed human-in-the-loop mode.
It constantly got the speed limits wrong, constantly tried to tug me out of the correct lane, and was generally awful. It could be disabled but was re-enabled on each restart of the ignition because it’s mandated by EU regulation.
I appreciate a Greek island perimeter road may be a worst case scenario, but it did the same with roadworks on the freeway and many other situations.
Actively dangerous in my experience…
Forward collision warning has misfired on 2 occasions on me in the last 3 years
The main issue is that so many cars have broken “auto dipping” headlights which don’t dip, or matrix headlights which don’t pick out other cars.
This automation shit should stop, but it won’t.
parking beepers are reasonable, they simply come on occasionally and don’t actually interfere when they go wrong. The rest of it just makes things far worse at scale.
My Lexus is afraid of a bush behind my garage in the alley. It's on a neighbors property and not really overgrown, but my car refuses to get within about 5 ft of it. Makes backing out a nightmare. I haven't figured out a way to disable it, and have considered just selling this 2025 NX.
I found this for the TX, might work for the NX as well?
Try disabling Parking Support Brake under vehicle settings > drive assist.
As an aside, I checked out your GitHub. Cool projects, the vag flashing tool looks super useful, might actually give it a spin in sive development projects.
Use a stand alone generic GPS. Vehicle GPS devices are anti privacy for so many reasons.
Listen to stored music from an SD card if terrestrial radio (NO SATELLITE). Did you know almost ALL late model cars can play a <128gb FAT32 USB drive with non- vbr mp3s? 64gb filled with 168kb mp3 audio would take roughly 3 years at 4 hours a day to listen to.
TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
Disable autonomous driving hardware by unplugging the cables from the interior cameras. If your car needs to see and feel you in order to do it's job, it's co-dependent; break up with it.
Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
All phones nowadays have bluetooth/wifi mac address randomization, so it's basically useless for tracking, not to mention google/apple conscripting every phone into a wardriving network will kill battery life. Moreover all this effort in avoiding being tracked doesn't really mean much when all cars have a very visible and unique identifier that's mandated by law (ie. license plate).
See also (222 points, 19 comments, 14 days ago):
I agree with the first half, but not this. The difference between people seeing your license plate and your car/phone/etc systematically recording and storing your exact position is the same as the difference between someone on the street seeing my face vs. a facial recognition camera identifying me and storing that data point forever. People don't memorize or care about your plates. The police could take note of them or even put it on some record, but the number of cops is so low (and the number of cops that would care about my license plates is even lower) that whatever scraps of data are recorded would probably be pretty useless - and besides, that data isn't sold off to private entities, at least where I am.
Source?
Your car will happily display an orange light while a bad fuel mixture is poisoning your catalytic converter to the point where it needs replacing to meet any kind of emissions test. Same with other signs of engine stress.
Don't ignore dash lights unless you know what they mean or you're willing to pay the cost of disposing of your car.
Of course many places won't even allow you to disconnect all the antennae as a non-functional TPMS makes your car unroadworthy in various jurisdictions. You could quickly reconnect everything and clear the error codes before testing, but I'm not sure if the hassle is even worth the illusion that of being untraceable.
"Tire pressure low" is one you should probably check out on a regular basis.
All that these sensor-based systems do is train you to be an inattentive car owner.
I do have a walk around the car before I set forth, but stuff happens.
Some drives are very long -- hours and hours between stops. I've had tires that aired themselves down during a drive. TPMS can alert me to that issue before I get an opportunity to have another walk-around, so I can stop and address it before it becomes a safety concern.
It's fine if someone want to live in a world without monitoring systems; anyone is free to drive an old car with points ignition and a carb if they want (or mechanical diesel! with an air starter, even! no electricity needed at all!).
And sure, there's a certain joy to driving something of relative mechanical simplicity.
But I like modern cars. And I like things like temperature gauges, closed-loop electronic fuel injection, oil pressure indicators, ABS, traction control, backup cameras, and [I dare say] tire pressure monitoring. I like cruise control. I like headlights that turn themselves on when necessary, and off again when they're unnecessary.
And as one might correctly surmise: It doesn't have to be that way: There's other ways to live. A person can also choose to walk, ride a bike, use a horse, commit to a lifestyle that is centered around public transportation, or whatever. The world is full of options.
I've chosen my path, and you can also choose yours.
(And no, that doesn't make me inattentive. My path involves both a belt and suspenders.)
Acting like all this is a safety concern is just textbook internet comment section lying through ones teeth type behavior. Yes, anything can be a safety concern at the limit but even tire failures on the road to not typically elevate to that level. The following framing of "well just drive an old car if you don't like it" is more of the same sort of dishonesty with a veneer of plausible deniability on top. There's no reason these systems need to be built in a way that they can't be disabled and leak PII. There's no reason just about all the systems you're trying to frame as a "bundle" have to be bundled in the first place.
I'm not acting. This is not a performative display.
But yes: While I'm happier in a world with TPMS, I'd be even happier yet in a world where it was a quick and simple job to disable it in a reversible way. (Perhaps in some manner similar to the incantations used to disable the passenger seatbelt chime in many cars.)
A skilled driver can notice all kinds of other stuff using their senses, too.
For instance: When there's a plume of coolant coming out of the hood in front of them, they can deduce from observation that the engine temperature may be very high. They can also identify low oil pressure by observing the clacks and bangs of an engine that is starved for oil and tearing itself apart, or even by the silence of an engine that has ceased.
Or: Information. A light can illuminate on the dashboard the before these conditions are pronounced enough to feel, and the driver may then elect to use this abundance of information to take action before it snowballs into something that may become expensive or dangerous.
Sealed radiators? No way to look for winshield washer fluid? No translucent reservoir of brake fluid?
Falling back to an attitude of not needing automation and instrumentation is a cope, and often a poor cope at that. The problem isn't the dash warning lights of the past several decades, it's the built in corporate surveillance hardware of the past single decade (and the corresponding violation of user trust in favor of corporate control).
I don't think most people know how to do it, to be honest. Partially because people seem to think reading two pages in a manual is some kind of sisyphean task that no mortal should ever be cursed with.
It's pretty crazy how little people care. Even if you don't care about the safety aspect, keeping your tires inflated well saves you a ton on fuel and tire replacements.
In France, we'd check tire pressure at gas stations on nice machines that had built in dial gauges and were free.
In the US, I had to use one of those hand gauges and the air pumps needed quarters (in most cases, especially if you weren't also buying gas).
In Portugal now, the gas stations also have free air and pretty good pumps.
I landed at JFK and was looking for a stroller to stack my suitcases on. The kind of stroller that is free in every single airport I've been to.
I was shocked to see it costs $7. The guy who (I presume) worked there sardonically exclaimed "Welcome to America."
But yeah, free airport trolleys are are an easy marker of evolved civilisations, and the USA fails this test.
Countries that have passed this test for me that I can recall: Australia, Greece, Singapore, China, UK, Thailand, Italy, Spain…
I (again) have a low pressure warning on one tire (getting colder in the Northern Hemisphere). It looks fine but I'll get my compressor out tomorrow and make the computer happy. A lot of modern tires can look pretty good even if, as you say, they can be quite a bit below recommended limits.
And checking tire pressure was a 1x/week thing.
I do get that it used to be a thing in the past. But that was also when oil was rated for 3k miles (I think? maybe it was even lower) and engines would routinely burn oil (ie consume it without leaving a drip spot on the ground). Whereas in the modern day, 15k synthetic exists.
FWIW, I probably do more of my own maintenance than the median HNer. I'll admit I can let intervals slip more than I'd like and I'm working on that, but this idea that everyone is checking fluid levels all the time just seems wildly off base.
A lot of modern automation is not really automation. A washing machine is automation: it takes a task which would have wasted hours of your day and reduces it down to a few minutes. A lot of modern "automation" doesn't save you any actual time time, but just saves you from being attentive:
- Checking your tire pressure doesn't take much time, but TPMS is a privacy problem and an added maintenance cost that you cannot opt out of.
- A power rear lift gate actually takes _more_ time than just shutting it with your hands.
- Power windows don't go down any more quickly than power windows. The only only benefit here is that you can open all 4 windows simultaneously. However this is a luxury, not something which saves you time. You never _need_ all 4 windows down. So maybe people like it, but it's not like the washing machine that actually saves you labor.
- etc ....
People think that needed to do or attend to anything is wasting time, but often modern automation saves no time whatsoever, and has other downsides. (privacy, maintenance cost, vehicle weight, etc.)
Presumably the fundamentalists think you just need to yell louder. With neo-luddite opposition like this, its no wonder the surveillance society is winning.
For example, power windows were always handy when getting on/off the highway and coming up to a toll booth where I'd have to give/take a ticket. It's much easier to hold a button (or even have a latching button) while spending my attention on actually driving.
I have one car with TPMS that's entirely done through the ABS controller measuring the relative diameters of the wheels. That's not a privacy or cost problem. Furthermore the privacy problem where wireless TPMS sensors are interrogatable is better framed as a security vulnerability in their design, rather than something intrinsic.
Weight is a red herring as I'd guess the fuel savings from having properly inflated tires outweighs the fuel spent on the extra mass.
And what’s the benefit of it all? Fewer targeted ads?
But I would value the time and inconvenience involved in this at more than my entire insurance bill.
Nope.
>Did you know Orange dash error lights are non critical?
That's not even remotely true for most cars. One of the most critical alarms you can get in a car is a flashing check engine light, which are usually orange.
ERROR: unable to start engine.
Actually I wonder if cars will just adopt "oh-you-need-anti-theft" like phones do. To prevent auto theft, all cars will be tracked and all parts must match serial numbers.
Well, I suppose that's one way to end third party repairs. Just refuse to turn on if the chip in the new part doesn't match up with a code in the ECU. Like printer ink, but for every major component.
'Error, cannot start engine: Authorised mirror not found. Please visit BMW for an authentic replacement. Driving with non-authentic mirrors may harm user safety.'
What's wrong with GPS in vehicles? If it's not connected to the internet, there is no issue.
What's wrong with playing music from the phone on Bluetooth or Aux? Did you also know you can ride a horse instead of a car?
Bluetooth and WiFi isn't running if you turned them off. Bluetooth also isn't really used for tracking unless someone is looking for you or you're part of some service like AirTags.
> Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
What? Worse advice out there regarding cars.
The GPS module is usually on the same board as the cellular module. Disconnecting the board (usually in the shark fin) disconnects the GPS module too.
BT and WiFi are running when turned off, at least on Android without extra opting out.
It's connected to the Internet. Every car has a SIM card now.
Maybe every new car, but the average car is 13 years old, and the OP made no clarification on whether his advice was for only new cars, or for a 2015 econobox as well.
As long as stations persist that transmit the data (it's sent over RDS), then it will continue to work. There's no subscription involved (or at least, there isn't for my car -- it works where it works, and there's no mechanism by which to pay for using it).
The Wiki has some further reading on the technology: https://en.wikipedia.org/wiki/Traffic_message_channel
I sympathise. However, being able to start de-icing my car while still in bed at 5:30 on a January morning is a powerful feature. And I'm the kind of person who wraps his tin foil hat no less than 10 layers thick.
Ideally this shouldn't involve the internet, because the car is in wifi range, but what can I do about it?
later vehicles "helpfully" removed this in favor of online remote starting (with added telematics)
It's complex enough that I haven't done it yet in my Sienna, but I plan to!
[0] It was my understanding that, like GPS-receivers, Sirius/XM was one-way streaming, only..?
generally its not hard to disable.
- identify the telematics module in your car - pull the fuse (not always an option, sometimes this disables bluetooth)
- alternatively: identify the 1-2 SMC connectors on the telematics device. this is the LTE and low/alt channel for the cellular communications. disconnect these 1-2 connectors and connect the ports instead to a 50 ohm terminator. the vehicle will simply continue to collect data but never be able to send it anywhere. the system will assume it just cant find a tower.
It didn't work - there was an on-module antenna that it switched to. Might not have worked as well, but it did work and the wifi access point still showed up.
On the other hand, some cars have a self-contained telematics module like you said and you can just unpower the whole thing.
I remember looking at a ford owners manual for a 2019. The fusebox section had a fuse with description "Telematics control unit - modem." I assume you can just pull that fuse.
Unfortunately simply cutting power to the telematics module also disables the in-car microphone for handfree calling. Fully disabling telematics involves making a bypass harness that re-routes the microphone and speaker signals past the disabled DCM module.
You know we used to have to drive the car... sometimes many miles... to a station, get out, and fill it up with a liquid fuel that costs many times more, and then drive home...
Seriously now- The perceived 'inconvenience' you have is the reason that so many of these connected features are being pushed and then the because the ability is there the business types can't resist the data gathering that became possible because of all the antennas, etc.
Anyone know of any others?
Whenever I point out I think this self-surveillance is crazy, the response ends up sounding something like "oh, no big, if I think I did something wrong I'll just hide the evidence and lie to the police and say it doesn't work", which sure doesn't sit right with me.
Or is your point just about the cost of the dashcam being "crazy"? In that case, hypothetically, what if your insurance company cut you a check to buy a dashcam of your own choice and install it on your car?
Obviously 99.999% of traffic collisions never get this far, but I'm speaking more of the world of courtroom legal drama where you'd rather not have your in-car conversations recorded, or the fact that you drove around the block of the house where the murder occurred at 3am.
I think there's a huge asymmetry between the upside of the dash cam and the downside of self-surveillance. I'm much more likely to be in a fender bender than accused of murder, but I also _simply don't care_ if the police say I'm at-fault when I don't think I was, driving my insurance rates up for a few years. But I'm deeply uncomfortable with the idea of recording myself 24x7 whenever I'm in my car.
You are not doing anything wrong if you are forced into buying a car due to the circumstances of your living. But voting to continue that makes your culpable.
You mean they're actually asking for 15 minute cities? Yes sir, they are. Very good.
You could “ban” it, but the amount of effort required to raise public awareness for that and actually have our dickhead representatives due things like that is basically the same amount of effort, perhaps more, as building better cities and transportation modes.
We build and subsidize highways, we could do the same with other methods of transportation and have competition instead of big gubmint cars.
Find the cellular antenna and replace it with a dummy load. The car will think it's sending the data just fine but all it's doing is turning radio waves into heat.
I agree with you in general though that public policy is failing. Specifically it's failing here where we continue to engage in and direct poor public policy positions because the government is very entrenched and addicted to spending taxpayer dollars. Asking the public to continue to play a catch up game of voiding their car warranty instead of actually solving the problem via policy is, in my view, simply not going to work.
Since then, I've learned about the 50ohm dummy antennas you can buy. I might try that if my car dies before an AWD/4WD Slate truck becomes an option, and also if my living situation can accommodate charging.
Well, of course all the Garmins and Tomtoms available now have "built-in wifi for updates" and often BT for phone notifications too. Sure, I could just not configure either but what if I want a navigator _without any radios_ and with controlled updates via SD card.
Maybe a dedicated Android phone in the car with offline OpenStreetMaps installed and airplane mode on is more realistic. Or some old 2nd hand navi that's still updateable.
It can be removed/disabled. Given that we're talking about a used car, the warranty being void is not a problem either.
I work partly in prehospital emergency medicine and I wouldn't.
I already feel uneasy with our 2017 EuroNCAP 5 star SUV due to the improvements since then, in particular AEB and increased structural crash-protection, which greatly change the injury profiles of accidents.
ABS wasn't even a requirement in the EU until 2004, and American cars could be sold without ABS all the way until 2012, when traction control was also made mandatory (which the EU then also followed).
Things like the slightly-angled side pole crash test was only added to the Euro NCAP in 2015 and was updated five years later to make it a bit more realistic, though cars still woefully fail in many real-life scenarios.
I wouldn't really consider a car "safe" unless it passes the ~2015 requirements for car safety well. A well-designed car full of optional safety features from the ~2010s is probably also safe, but I wouldn't count on it unless you've done research into it.
I believe Volvo has had a reputation of being ahead of the curve with these kinds of crash safety tests, but even they had to improve over time.
from video games to software to “self-driving” cars, we’re all unpaid beta testers for unfinished and often unsafe products.
Does it (a) have it's own SIM card, (b) piggyback on driver/passenger/other vehicle SIM cards, (c) opportunistically connect to free wifi APs, etc.
Perhaps the surveillance data is only transmitted to the mothership when the automobile is being "serviced"
The automobile OS may be like the other corporate OS, e.g., iOS, iPadOS, Android, etc., in that there is no possible configuration or combination of user settings that does not allow data collection and surveillance for unlimited commercial purposes
(unfortunately it's in German - but there is an english live translation available)
https://chatgpt.com/share/692cde57-0930-800e-b45f-7a41ca5c8e...
Can you elaborate? I don't think I've ever heard of this. When did it happen?
There have been a lot of court cases about that law by the manufacturers, so I do not know the status at this point.
So I wonder if that is still the case. If it is and an out of state person buys new there, will that "spying" remain disabled when they bring the car home ?
How would they know you're no longer in Massachusetts, without the spying enabled while within Massachusetts?
It doesn't mean "the car's gps is disabled"
I found this when looking into it more: https://arstechnica.com/cars/2023/06/feds-tell-automakers-no...
"Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone “could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently,” and that “open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking.”
Faced with this dilemma, it’s quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same."
I got a tesla home charger and it had a unnecessary wifi AP that kept showing up in my house. So I figured, I would stop this.
Opened it up, and disconnected the wifi antenna mmcx connector.
Nope, seemed when unplugged, it would switch to an onboard antenna for the wifi module.
so I reconnected a dummy load antenna to the wifi module.
and it still used the onboard antenna.
at that point, I gave up.
I think there might have been a possibility of downgrading the firmware to an older version that could disable wifi, but I didn't try to find it.
I believe this kind of thing happens with onboard cellular, wifi and bt. They are more resilient to degraded or disconnected antennas than you think.
Carvana knew exactly how many miles I had driven within an hour of me driving my car.
Well in the case of the IRS, that, and you know, Intuit.
In BMWs, the gps antenna is behind the upper lights, the telematics and V2V antenna is in the sharkfin(unplug it from underneath the headliner)
I use Android Auto mostly because I don't trust manufacturers of car components to maintain their software and to put more than bargain bin SoCs in their infotainment consoles. There's no need for your Android phone to have a connection to the outside world if all you're using it for is locally installed apps.
Then on the other hand, who cares about those when your car is already tracking you? /s That kind of helpless reasoning needs to die.
Millions of American households don’t have a car, but you rarely hear about it as a viable option.
Besides, it's not even the same in Europe. In a few countries, maybe, but in the majority the inter-city transit or transit within small towns is not even in the same universe as what's available in most of the US.
In places like Vegas, even on days with great weather, trying to WALK 2-3km in residential areas is a nightmare.
There are certainly people who are OK with living like they did in their urban school for a few years after graduation. But that's not a long-term solution for most people.
Try living without a car in these places, all in the 4th largest MSA.
https://maps.app.goo.gl/mHmGidZRJaKptHeL8
https://maps.app.goo.gl/5P4mW5iM6b5ab9Ve7
https://maps.app.goo.gl/JCiBgESKs5ZWqGny8
https://maps.app.goo.gl/E1iVwLCB28ooGhQL9
These are all in "urban" areas and a part of DFW. But how about Houston, the 5th?
https://maps.app.goo.gl/7yEAimERmyE1EGde6
https://maps.app.goo.gl/UKSQjPqifWUSv82H7
I don't know how one would even get groceries without a car.
And even then, you're then talking about less than 1/3 of Americans living in that mostly car dependent space.
It’s common for people to own a car and not use it for weeks, months, or in some cases years at a time.
Unfortunately it's as likely as this being the year of the Linux desktop because Windows 11.
Autocracy is just everywhere these days, Noah get the boat.
I, too, would rather see this bullshit die in committee before reaching the next stage, but this bullshit can still be stopped.
Also, while the EU does (for now) have stronger privacy protections for citizens against corporate interests, the opposite is true in most EU countries for Government surveillance.
Last I heard they've shifted their efforts to making remote activation of on-board cameras part of the 5/6G smart car bullshit (which will of course be part of road safety requirments not long after).
However, more importantly, it means you can't lawfully disable the modem that the manufacturer uses for its own telemetry.
That’s stated on the eCall page linked above. Do you have a source that contradicts that?
Annex VII only rules out connecting to the PSAP/112 side, not routine network attaches. To detect faults in the “means of communication”, the IVS has to verify that the SIM, baseband and RF path are actually usable, and you can’t test that without a network attach.
In practice that’s what all current eCall implementations do. The modem attaches to the cellular network at each ignition so it can confirm it’s capable of placing an eCall. If you block the modem or antenna, the IVS fails its self-test and the vehicle is no longer roadworthy.
There are always workarounds, of course, but that does pose an annoying problem to patch.
Like you say, there are always workarounds, but none that the home-gamer can safely or legally modify without taking eCall out of compliance.
[1] https://www.bosch-presse.de/pressportal/de/en/emergency-call...
https://www.coro.net/blog/what-new-eu-cybersecurity-rules-me...
https://www.dw.com/en/new-eu-cybersecurity-rules-push-carmak...
Car -> unplug the cellular modem (more or less easy)
TV -> used as dumb monitor with a Linux HTPC
Phone -> GrapheneOS
PC -> Linux
Social media -> /dev/null
Email/DNS/cloud -> my own
The real issue is that most people are not aware of these issues and may even (unintentionally) compromise your own privacy by posting information or pictures of you to Facebook or other similar places.
That made me chuckle, absolutely right though!
I'm surprised how many people think that keeping a low profile will matter in a society that attacks people for things you could discover from vehicle position data. In that society, you'll get attacked if someone wants to do it and they'll manufacture the pretext.
It's not difficult to imagine something like pandemic restrictions, where a digitally-enabled government could fine/arrest people based on location data, either because they travelled outside an allowed area or into a restricted one. Or they have data showing they were in close-proximity with too many people etc etc.
Flock is already known to assist the government surveilling protestors:
- [CBP is monitoring US drivers and detaining those with suspicious travel patterns](https://news.ycombinator.com/item?id=45996860)
- [How Cops Are Using Flock Safety's ALPR Network to Surveil Protesters and Activists](https://www.eff.org/deeplinks/2025/11/how-cops-are-using-flo...)
- [Amazon has a form so police can get my (Ring) data without permission or a warrant](https://www.theverge.com/2022/7/14/23219419/amazon-ring-law-...)
Flock takes the "do nothing until forced to" mentality.
If it exists in a database, then the government has access to that database if it ever wants to legally or otherwise. It's been like that since 9:11 and probably before.
All we need now is for the right person to walk in and turn the key. We're lucky that Donald Trump is probably too stupid to understand what he's got under his thumb.
Back in august IDF banned Chinese cars from entering bases
https://www.jns.org/report-idf-bans-chinese-cars-from-bases-...
And now banned then from used by officers
https://securityboulevard.com/2025/11/why-israel-just-banned...
I wonder what IDF knows
I wonder what China knows :)
https://www.drive.com.au/news/tesla-vehicles-to-face-entry-b...
>"It’s hard to figure out exactly how much data a modern car is collecting on you"
You are a globally operating news agency. You can absolutely get some GDPR requests in and look at it. What kind of reporting is this? "We don"t know, but we also have not tried the one way which forces companies to answer this question".
BMW is a German company, just ask them for the information they have on you and they are forced to give it to you.
There's no way even a large news corporation is going to buy every model car from every brand that comes out in a year to get the legal rights to demand data, let alone pursue these data requests in court. Renting cars may be easier, but then your contract is with the rental company and they're responsible for getting you the information you require, and after the first three PII requests you're not going to be renting from them any time soon.
I'm not saying they couldn't do a deeper dive with more detailed research, but it's not an easy task to evaluate an industry like this. All they'll be able to produce is general statements about a limited set of car models that'll quickly be outdated once the next software update comes out.
If you get a car old enough, you won't need to worry about TPMS (but that car will not have been tested against recent crash test scenarios).
My car is old enough that it doesn't have TPMS sensors but I have looked into third party ones. It looks like there's all kinds of systems, from custom UHF to Bluetooth LE. No idea what your car uses.
Ideally the implementation would be immaterial to a ban. The ban (or more likely first, warrant requirement similar to cell data) would be on the tracking database, not the details of how the tracking was accomplished.
Mine doesn't.
Some VWs used to use wheel speed, though, which was fun because they added tyre pressure checking with a software upgrade. Not terribly accurate, but enough to tell you if one was low.
They undoubtably said things like "if it saves even one person from falling asleep at the wheel it's worth it" or something along those lines.
as a cyclist and public transport user with no driver license, i hope personal vehicles have so much sensors that they can detect if you are drunk or stressed and limit your reaches. fuck your metallic beetle
What a great illustration of the sort of selfish opinions that people like to peddle under the guise of perceived common good.
Are you willing to have your bike brakes linked up with GPS and red light signals? It's in the name of safety and progress after all.
are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation? or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch? or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
edit: i would even go further and hope personal vehicles production is ceased and their circulation becomes a crime for citizens on non-legal or non essential services duties. i would live perfectly fine in a city without those but who controls the speed of my bicycle on cycle paths or that lock my brakes if i try to cycle high
An excellent demonstration of "cyclebrain syndrome", the urban twin to suburbia's "carbrain syndrome".
> are you really naive to believe cyclists wouldn't respect traffic lights on a city designed after walk and public transportation?
Translation: I am aware of cyclists' ubiquitous poor behavior on the roads but will reach for any justification to shift responsibility to someone else. "Drivers wouldn't be running red lights if you just added a couple more lanes, bro."
> or are you thinking on the minimal cyclists that get killed by tresspasing this rule by vehicles that get a mild scratch?
Translation: And when cyclists' poor behavior causes a fatal collision with a car, nobody cares about the damaged property. Or the mental anguish, or the collisions caused by narrowly avoiding killing an errant cyclist (who survives, oblivious, thanks to the driver's quick action choosing a more costly crash over a "mild scratch" that kills the cyclist).
> or the light or mild injuries bicycles at 15-25 km/h are gonna cause between each other?
Translation: I don't give a shit about killing/injuring pedestrians any more than car drivers do. I only care about collisions with things that are about the size of my vehicle or bigger. And if those other things are bigger than my vehicle--I want them banned! That way I reduce the risk to me, which is what I really care about, and who cares what happens to anything smaller than me?
The USA was designed by Ford motor company, for cars, by cars. That was a mistake.
[laughs in unhinged zealot]
My house is fairly close((125') to a rural "highway", and only internet here is mobile data that my phone shares with other devices and mornings(anytime) my older desktop with 2.5 ghz wifi gets bumped off with the passing of every car that has glaring supper white headlights,but, not the ones running yellow incandecents, whatever rf signal is comming of these things must be barely, or completly illegal, and could obviously be tracked in any number of ways, so not so much bieng spied on, as just flat out trasmitting everything you do in ridiculously fine grained detail.
> You can opt out
lol
this makes it seem so simple.
I think
- you will never be aware of what data is collected - they want to collect more data and never disclose it
- you will never be able to opt-out. Even if you disconnect from cellular, at service time they will just download what is there.
- car manufacturers will use any and all data to their benefit
You know, here's an interesting story I remember reading:
I will give you a story - buddy owns a shop - buys new M5 - he went out joyriding - warped a rotor - he said it was not from him so he tried a warranty service - BMW printed a page that his car recorded. It had snapped a pic of his face and sent all the data on speed, location, etc every bit of data you can think of to the dealer and his insurance company. He sold the car. That was years ago. Ask any custom tuner today if they can touch a 22 BMW. Nope. It will disable the car if you try and get into the CPU to tune it. This is where the industry is heading
from: https://www.fordtremor.com/threads/disabling-the-modem-pulli...
The automotive example shows how even "non-tech" products now collect and transmit data. Each service creates another attack surface, another set of credentials to manage, another potential breach vector.
What's frustrating is that breach response still falls on individuals. When one of these services gets compromised, it's users who have to scramble to change passwords across potentially hundreds of connected accounts. The "change your password" advice is good but wildly impractical at scale.