67 comments

[ 3.1 ms ] story [ 72.4 ms ] thread
No doubt about this one. But, how much are the ubiquitous ride-for-hire e-scooters spying on you, and everyone else on the street?
IIRC, Massachusetts passed a right-to-repair law a few years ago. Based upon the text of the law, all new cars purchased there have the spying disabled because they did not want to give up their proprietary info.

There have been a lot of court cases about that law by the manufacturers, so I do not know the status at this point.

So I wonder if that is still the case. If it is and an out of state person buys new there, will that "spying" remain disabled when they bring the car home ?

Is there anything we can do about it short of avoiding new cars? Our legislators have proven unwilling to pass real privacy laws.
Remove the antennas. Do not give in to the mirage of convenience.

Use a stand alone generic GPS. Vehicle GPS devices are anti privacy for so many reasons.

Listen to stored music from an SD card if terrestrial radio (NO SATELLITE). Did you know almost ALL late model cars can play a <128gb FAT32 USB drive with non- vbr mp3s? 64gb filled with 168kb mp3 audio would take roughly 3 years at 4 hours a day to listen to.

TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals privacy. Now consider sitting at a stoplight; you and and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone(but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.

Disable autonomous driving hardware by unplugging the cables from the interior cameras. If your car needs to see and feel you in order to do it's job, it's co-dependent; break up with it.

Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?

No, I will use all this stuff and do so gladly.
Yeah that’s great if you’re a CIA intelligence officer but what normal person can do this and still function in the modern world? Do the people who say this stuff leave their homes regularly?

And what’s the benefit of it all? Fewer targeted ads?

I like the rest of the comment, but...

>Did you know Orange dash error lights are non critical?

That's not even remotely true for most cars. One of the most critical alarms you can get in a car is a flashing check engine light, which are usually orange.

Those are usually red, although I don’t know if it’s actually SAE standard or not, I’ve only worked for one automotive company (and we made them red)
I’ve driven a lot of different cars around the world and nearly all check engine lights are orange. Almost all the Google image search results are orange. To be sure I checked the most popular ICE car models worldwide: Toyota Corolla, Toyota Rav4, Ford F-series, Honda CR-V, Chevrolet Silverado. All of those use orange. In fact, the only red CEL that I’ve ever seen is on Minis and BMWs - not the actual physical indicator (which is orange!) but the mini-LED screen warnings.
Ah, interesting! Yeah I worked for BMW (which owns Mini Cooper now). Guess my experience was not universal.
A 2013 Chevy Volt has a camera on the dashboard pointed at the driver. The entertainment dashboard has a dozen communication options, including those for safety? Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized? Was it automakers emboldened by the acceptance of cell phone central record keeping?
My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.

The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.

I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.

For anyone else confused, Diagnostic Trouble Codes (DTCs). Automotive context
Can't you just turn off "Connected Services" in the menu?

I have been canceling that stupid warning message it presents when leaving it off, every day for several years now.

Here is something else you can do about it. By an older low mileage car. If we all did that the manufacturers would change tack soon enough
Not driving seems to have worked pretty well thus far.
The problem is a lot of the features of these cars require you to opt into giving your privacy away. And when you’re shopping it’s not clear where that line is.
The car data collection story is concerning, but it's part of a broader pattern: credentials and personal data are scattered across dozens of services we interact with daily.

The automotive example shows how even "non-tech" products now collect and transmit data. Each service creates another attack surface, another set of credentials to manage, another potential breach vector.

What's frustrating is that breach response still falls on individuals. When one of these services gets compromised, it's users who have to scramble to change passwords across potentially hundreds of connected accounts. The "change your password" advice is good but wildly impractical at scale.

Is all of this data collection from the driving aids actually us doing R&D for their autonomous car projects?
Disabling the hardware can be really hard, my 2025 Toyota Sienna is always connected. You can't just pull a fuse or rip out an antenna, I have to take the entire dashboard apart to reach the Data Communication Module (DCM) module. If anyone's curious what that looks like, it's a little bit easier on the Toyota Tacoma, here are some pictures of the process: https://www.tacoma4g.com/forum/threads/disabling-dcm-telemat...

It's complex enough that I haven't done it yet in my Sienna, but I plan to!

I went to Carvana to get some idea on what my car might be worth. I gave them the license plate, and it gave me a questionnaire about specific trim and options along with asking about the current mileage. I couldn't remember the exact figure so I guessed rounded to the thousand. The app complained and wouldn't take it as they knew the mileage which was some 150ish miles more. Apparently my car has reported the mileage last time I drive it, which has been about an hour before.

Carvana knew exactly how many miles I had driven within an hour of me driving my car.

I'd like to see a website that ranks vehicles by make and model. That would influence shopping behaviors, and consumers would influence manufacturer behaviors.
nothing. And banning ALPR wont fix anything either. All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system. you don't even need a camera, just a radio receiver.
Checked how to receive those with SDR. Turns out they are very low power and you need to basically touch the tire. Also the transmit in minute intervals. Bit exactly a a smoking gun in terms of mass surveillance.
I have an RTL-SDR rig with the stock tiny omni antenna in a second story of a building adjacent a public parking lot. I'm using rtl433 and I am able to reliably pick up TPMS from the lot. I've never done any testing to see what the metes and bounds of my reception are, but it's definitely not touching the tire. My rig is at least 30 feet away from the closest parking spot.
I won't mince words. This is criminal and should be dealt with that way. It is obvious I don't want my information collected and sold. I make it clear every reasonable chance I get. This goes beyond abuse of my privacy, this is digital assault and the company officers that allowed these 'features' should be thrown in jail for it.
so ya!

My house is fairly close((125') to a rural "highway", and only internet here is mobile data that my phone shares with other devices and mornings(anytime) my older desktop with 2.5 ghz wifi gets bumped off with the passing of every car that has glaring supper white headlights,but, not the ones running yellow incandecents, whatever rf signal is comming of these things must be barely, or completly illegal, and could obviously be tracked in any number of ways, so not so much bieng spied on, as just flat out trasmitting everything you do in ridiculously fine grained detail.

The problem is that with Flock, you’re basically being tracked incessantly anyways, so who cares if the automaker also does it?
(comment deleted)
How do you write an article about this and not mention the GDPR or EU privacy laws?

>"It’s hard to figure out exactly how much data a modern car is collecting on you"

You are a globally operating news agency. You can absolutely get some GDPR requests in and look at it. What kind of reporting is this? "We don"t know, but we also have not tried the one way which forces companies to answer this question".

BMW is a German company, just ask them for the information they have on you and they are forced to give it to you.

I have an electric car and if I want to remotely turn on charging, it won’t allow me unless the full data sharing option is enabled. Full data as in your driving data like a black box logger. I then have to go in the car, enable it, then I can remotely turn on charging. I have to remember to opt-out again later. Ironic I know because I can turn on charging from within the cabin without having to enable any of the data collection. What an inconvenient experience.
So you're telling me that simply walking out to the car and hitting a button inside the car is just too much of an "inconvenient experience"?

You know we used to have to drive the car... sometimes many miles... to a station, get out, and fill it up with a liquid fuel that costs many times more, and then drive home...

Seriously now- The perceived 'inconvenience' you have is the reason that so many of these connected features are being pushed and then the because the ability is there the business types can't resist the data gathering that became possible because of all the antennas, etc.

Amazingly but perhaps not surprisingly, cars in the EU do similar amounts of spying on you, but the EU is silent. Car manufacturers pretty much run the EU.
Because the government wants the tracking. They want your car broadcasting its position.
(comment deleted)
I wonder what the extremely rich do to get a car that isn’t a security risk? I’ve heard you can throw money at high end car dealerships to disable spying, but I wonder what the internal process is.
as a professional diesel mechanic for a small chain of midwest shops, this "telematics" feature is on long-haul trucks as well as tractors (john deer is notorious for using it to send mail marketing about services.)

generally its not hard to disable.

- identify the telematics module in your car - pull the fuse (not always an option, sometimes this disables bluetooth)

- alternatively: identify the 1-2 SMC connectors on the telematics device. this is the LTE and low/alt channel for the cellular communications. disconnect these 1-2 connectors and connect the ports instead to a 50 ohm terminator. the vehicle will simply continue to collect data but never be able to send it anywhere. the system will assume it just cant find a tower.

Connecting to a dummy load is a pretty good idea I hadn't thought of (usually I just disconnect the cellular module).
The Toyota community has been far down that road with the DCM module in the new gen cars and found that the car still managed to get updates out to Toyota even with 50 ohm terminating resistors in the antenna connectors: https://www.tacomaworld.com/threads/simpler-solution-for-dis... (see the posts by user "Disgruntled Scientist").

Unfortunately simply cutting power to the telematics module also disables the in-car microphone for handfree calling. Fully disabling telematics involves making a bypass harness that re-routes the microphone and speaker signals past the disabled DCM module.