Reports like this make me thankful for the simplicity of my plain jane 2003 Jeep Wrangler. There is a minimum of technology in my 5 speed manual transmission Jeep (it's a Jeep, shouldn't be an automatic) and thankfully there is nothing wrong with it so I am not looking to replace it. From The Daily Wire followed by much more disturbing details in The Washington Post article.....
Washington Post Hacks Into Chevy To Show How Much Cars Are Spying On Owners
DECEMBER 26TH, 2019
DailyWire.com
The Washington Post hacked into a Chevy Volt several days ago with the help of a automotive technology expert to find out just how much automakers are spying on their owners and discovered that vehicles are recording their owners’ every move.
The Post used a 2017 Chevy Volt for its experiment and learned that the car collected a wide range of highly precise data ranging from the vehicles location to information about the driver’s cell phone, including call records — noting that many vehicles copy over personal data the moment that a smart phone is plugged into the vehicle.
The Post noted that the Chevy Volt did not inform drivers what information it was recording and did not make mention of it in the owner’s manual since there are no federal regulations protecting consumer’s privacy and data from automakers.
The Post went to Jim Mason, who has a PhD in engineering and reconstructs car accidents for a living by hacking into vehicles, for help hacking into the Chevy Volt.
Mason focused on hacking into the car’s infotainment system since it was the easiest computer, out of several computers in the vehicle, to physically get to inside the car.
After having to take a bit of the car apart to reach the computer, The Post found that Chevy collected the following information:
There on a map was the precise location where I’d driven to take apart the Chevy. There were my other destinations, like the hardware store I’d stopped at to buy some tape.Among the trove of data points were unique identifiers for my and Doug’s phones, and a detailed log of phone calls from the previous week. There was a long list of contacts, right down to people’s address, emails and even photos.For a broader view, Mason also extracted the data from a Chevrolet infotainment computer that I bought used on eBay for $375. It contained enough data to reconstruct the Upstate New York travels and relationships of a total stranger. We know he or she frequently called someone listed as “Sweetie,” whose photo we also have. We could see the exact Gulf station where they bought gas, the restaurant where they ate (called Taste China) and the unique identifiers for their Samsung Galaxy Note phones.
The Post noted that GM would not reveal what information it was collecting on drivers and that the other computers in the vehicle, including the infotainment computer, collect far more information than what Mason was able to pull up.
The vehicle also collected information on “acceleration and braking style, beaming back reports to its maker General Motors over an always-on Internet connection,” The Post added. “Coming next: face data, used to personalize the vehicle and track driver attention.”
The Post reported that 20 automakers pledged in 2014 to voluntarily adhere to privacy standards that protected consumers privacy by protecting their data — although none of the 20 automakers followed through on their promises.
As 5G cellular technology becomes integrated into cars in the future it will become even more important for Americans to advocate for their privacy rights as China’s potential entry into 5G markets in the U.S. is a significant national security threat for the U.S.
Fears that vehicles could be hacked and taken over by someone outside the vehicle who has a sinister intent are not only legitimate, they are well-rooted in reality because it has happened.
In July 2015, The Washington Post reported on one such criminal instance:
The complaints that flooded into Texas Auto Center that maddening, mystifying week were all pretty much the same: Customers’ cars had gone haywire. Horns started honking in the middle of the night, angering neighbors, waking babies. Then when morning finally came, the cars refused to start.The staff suspected malfunctions in a new Internet device, installed behind dashboards of second-hand cars, that allowed the dealership to remind customers of overdue payments by taking remote control of some vehicle functions. But a check of the dealership’s computers suggested something more sinister at work: Texas Auto Center had been hacked. …… Police later reported more than 100 victims and charged a former dealership employee with computer crimes. ……Widespread hacks on cars and other connected devices are destined to come, experts say, as they already have to nearly everything else online. It’s just a question of when the right hacking skills end up in the hands of people with sufficient motives.
Also in 2015, Andy Greenberg wrote at Wired about how his Jeep was completely taken over by Charlie Miller and Chris Valasek, who hacked the vehicle as part of an experiment to which Greenberg agreed. Greenberg wrote:
I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold.Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. …… Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
The hackers were able to completely kill the transmission on the vehicle from miles away as it drove on the freeway, which is less than they did to Greenberg two years prior in 2013 when they “disabled [the] brakes, honked the horn, jerked the seat belt, and commandeered the steering wheel” on a couple of different vehicles that they had Greenberg drive.
WikiLeaks released a trove of documents in 2017 that revealed that the U.S. government has extremely sophisticated hacking tools that it can use to spy on people through televisions, smartphones, and even anti-virus software.
“Tucked into WikiLeaks’ analysis of a trove of documents allegedly from the Central Intelligence Agency is a stunning line: That the agency has looked into hacking cars, which WikiLeaks asserts could be used to carry out ‘nearly undetectable assassinations,'” The Washington Post reported.
What does your car know about you? We hacked a Chevy to find out.
Dec. 17, 2019 at 7:00 a.m. EST
Cars have become the most sophisticated computers many of us own, filled with hundreds of sensors. Even older models know an awful lot about you. Many copy over personal data as soon as you plug in a smartphone.
But for the thousands you spend to buy a car, the data it produces doesn’t belong to you. My Chevy’s dashboard didn’t say what the car was recording. It wasn’t in the owner’s manual. There was no way to download it.
To glimpse my car data, I had to hack my way in.
We’re at a turning point for driving surveillance: In the 2020 model year, most new cars sold in the United States will come with built-in Internet connections, including 100 percent of Fords, GMs and BMWs and all but one model Toyota and Volkswagen. (This independent cellular service is often included free or sold as an add-on.) Cars are becoming smartphones on wheels, sending and receiving data from apps, insurance firms and pretty much wherever their makers want. Some brands even reserve the right to use the data to track you down if you don’t pay your bills.
When I buy a car, I assume the data I produce is owned by me — or at least is controlled by me. Many automakers do not. They act like how and where we drive, also known as telematics, isn’t personal information.
Cars now run on the new oil: your data. It is fundamental to a future of transportation where vehicles drive themselves and we hop into whatever one is going our way. Data isn’t the enemy. Connected cars already do good things like improve safety and send you service alerts that are much more helpful than a check-engine light in the dash.
But we’ve been down this fraught road before with smart speakers, smart TVs, smartphones and all the other smart things we now realize are playing fast and loose with our personal lives. Once information about our lives gets shared, sold or stolen, we lose control.
There are no federal laws regulating what carmakers can collect or do with our driving data. And carmakers lag in taking steps to protect us and draw lines in the sand. Most hide what they’re collecting and sharing behind privacy policies written in the kind of language only a lawyer’s mother could love.
Car data has a secret life. To find out what a car knows about me, I borrowed some techniques from crime scene investigators.
What your car knows
Jim Mason hacks into cars for a living, but usually just to better understand crashes and thefts. The Caltech-trained engineer works in Oakland, Calif., for a firm called ARCCA that helps reconstruct accidents. He agreed to help conduct a forensic analysis of my privacy.
I chose a Chevrolet as our test subject because its maker GM has had the longest of any automaker to figure out data transparency. It began connecting cars with its OnStar service in 1996, initially to summon emergency assistance. Today GM has more than 11 million 4G LTE data-equipped vehicles on the road, including free basic service and extras you pay for. I found a volunteer, Doug, who let us peer inside his two-year-old Chevy Volt.
I met Mason at an empty warehouse, where he began by explaining one important bit of car anatomy. Modern vehicles don’t just have one computer. There are multiple, interconnected brains that can generate up to 25 gigabytes of data per hour from sensors all over the car. Even with Mason’s gear, we could only access some of these systems.
This kind of hacking isn’t a security risk for most of us — it requires hours of physical access to a vehicle. Mason brought a laptop, special software, a box of circuit boards, and dozens of sockets and screwdrivers.
We focused on the computer with the most accessible data: the infotainment system. You might think of it as the car’s touch-screen audio controls, yet many systems interact with it, from navigation to a synced-up smartphone. The only problem? This computer is buried beneath the dashboard.
After an hour of prying and unscrewing, our Chevy’s interior looked like it had been lobotomized. But Mason had extracted the infotainment computer, about the size of a small lunchbox. He clipped it into a circuit board, which fed into his laptop. The data didn’t copy over in our first few attempts. “There is a lot of trial and error,” said Mason.
(Don’t try this at home. Seriously — we had to take the car into a repair shop to get the infotainment computer reset.)
It was worth the trouble when Mason showed me my data. There on a map was the precise location where I’d driven to take apart the Chevy. There were my other destinations, like the hardware store I’d stopped at to buy some tape.
Among the trove of data points were unique identifiers for my and Doug’s phones, and a detailed log of phone calls from the previous week. There was a long list of contacts, right down to people’s address, emails and even photos.
For a broader view, Mason also extracted the data from a Chevrolet infotainment computer that I bought used on eBay for $375. It contained enough data to reconstruct the Upstate New York travels and relationships of a total stranger. We know he or she frequently called someone listed as “Sweetie,” whose photo we also have. We could see the exact Gulf station where they bought gas, the restaurant where they ate (called Taste China) and the unique identifiers for their Samsung Galaxy Note phones.
Infotainment systems can collect even more. Mason has hacked into Fords that record locations once every few minutes, even when you don’t use the navigation system. He’s seen German cars with 300-gigabyte hard drives — five times as much as a basic iPhone 11. The Tesla Model 3 can collect video snippets from the car’s many cameras. Coming next: face data, used to personalize the vehicle and track driver attention.
In our Chevy, we probably glimpsed just a fraction of what GM knows. We didn’t see what was uploaded to GM’s computers, because we couldn’t access the live OnStar cellular connection. (Researchers have done those kinds of hacks before to prove connected vehicles can be remotely controlled.)
My volunteer car owner Doug asked GM to see the data it collected and shared. The automaker just pointed us to an obtuse privacy policy. Doug also (twice) sent GM a formal request under a 2003 California data law to ask who the company shared his information with. He got no reply.
GM spokesman David Caldwell declined to offer specifics on Doug’s Chevy but said the data GM collects generally falls into three categories: vehicle location, vehicle performance and driver behavior. “Much of this data is highly technical, not linkable to individuals and doesn’t leave the vehicle itself,” he said.
The company, he said, collects real-time data to monitor vehicle performance to improve safety and to help design future products and services.
But there were clues to what more GM knows on its website and app. It offers a Smart Driver score — a measure of good driving — based on how hard you brake and turn and how often you drive late at night. They’ll share that with insurance companies, if you want. With paid OnStar service, I could, on demand, locate the car’s exact location. It also offers in-vehicle WiFi and remote key access for Amazon package deliveries. An OnStar Marketplace connects the vehicle directly with third-party apps for Domino’s, IHOP, Shell and others.
The OnStar privacy policy, possibly only ever read by yours truly, grants the company rights to a broad set of personal and driving data without much detail on when and how often it might collect it. It says: “We may keep the information we collect for as long as necessary” to operate, conduct research or satisfy GM’s contractual obligations. Translation: pretty much forever.
It’s likely GM and other automakers keep just a slice of the data cars generate. But think of that as a temporary phenomenon. Coming 5G cellular networks promise to link cars to the Internet with ultra-fast, ultra-high-capacity connections. As wireless connections get cheaper and data becomes more valuable, anything the car knows about you is fair game.
Protecting yourself
GM’s view, echoed by many other automakers, is that we gave them permission for all of this. “Nothing happens without customer consent,” said GM’s Caldwell.
When my volunteer Doug bought his Chevy, he didn’t even realize OnStar basic service came standard. (I don’t blame him — who really knows what all they’re initialing on a car purchase contract?) There is no button or menu inside the Chevy to shut off OnStar or other data collection, though GM says it has added one to newer vehicles. Customers can press the console OnStar button and ask a representative to remotely disconnect.
What’s the worry? From conversations with industry insiders, I know many automakers haven’t totally figured out what to do with the growing amounts of driving data we generate. But that’s hardly stopping them from collecting it.
Five years ago, 20 automakers signed on to volunteer privacy standards, pledging to “provide customers with clear, meaningful information about the types of information collected and how it is used,” as well as “ways for customers to manage their data.” But when I called eight of the largest automakers, not even one offered a dashboard for customers to look at, download and control their data.
Automakers haven’t had a data reckoning yet, but they’re due for one. GM ran an experiment in which it tracked the radio music tastes of 90,000 volunteer drivers to look for patterns with where they traveled. According to the Detroit Free Press, GM told marketers that the data might help them persuade a country music fan who normally stopped at Tim Horton’s to go to McDonald’s instead.
GM would not tell me exactly what data it collected for that program but said “personal information was not involved” because it was anonymized data. (Privacy advocates have warned that location data is personal because it can be re-identified with individuals because we follow such unique patterns.)
GM’s privacy policy, which the company says it will update before the end of 2019, says it may “use anonymized information or share it with third parties for any legitimate business purpose.” Such as whom? “The details of those third-party relationships are confidential,” said Caldwell.
There are more questions. GM’s privacy policy says it will comply with legal data demands. How often does it share our data with the government? GM doesn’t offer a transparency report like tech companies do.
Automakers say they put data security first. But I suspect they’re just not used to customers demanding transparency. They also probably want to have sole control over the data, given that the industry’s existential threats — self-driving and ride-hailing technologies — are built on it.
But not opening up brings problems, too. Automakers are battling with repair shops in Massachusetts about a proposal that would require car companies to grant owners — and mechanics — access to telematics data. The Auto Care Association says locking out independent shops could give consumers fewer choices and make us end up paying more for service. The automakers say it’s a security and privacy risk.
In 2020, the California Consumer Privacy Act will require any company that collects personal data about the state’s residents to provide access to the data and give people the ability to opt out of its sharing. GM said it would comply with the law but didn’t say how.
Are any carmakers better? Among the privacy policies I read, Toyota’s stood out for drawing a few clear lines in the sand about data sharing. It says it won’t share “personal information” with data resellers, social networks or ad networks — but still carves out the right to share what it calls “vehicle data” with business partners.
Until automakers put even a fraction of the effort they put into TV commercials into giving us control over our data, I’d be wary about using in-vehicle apps or signing up for additional data services. At least smartphone apps like Google Maps let you turn off and delete location history.
And Mason’s hack brought home a scary reality: Simply plugging a smartphone into a car could put your data at risk. If you’re selling your car or returning a lease or rental, take the time to delete the data saved on its infotainment system. An app called Privacy4Cars offers model-by-model directions. Mason gives out gifts of car-lighter USB plugs, which let you charge a phone without connecting it to the car computer. (You can buy inexpensive ones online.)
If you’re buying a new vehicle, tell the dealer you want to know about connected services — and how to turn them off. Few offer an Internet “kill switch,” but they may at least allow you turn off location tracking.
Or, for now at least, you can just buy an old car. Mason, for one, drives a conspicuously non-connected 1992 Toyota.
Read more from our Secret Life of Your Data series:
No comments:
Post a Comment