Let’s be 100% clear, all of these cars with “smart” features are collecting your data and selling it. Insurance companies are also buying this information and using it to raise premiums if they determine you a “bad drive.” Also this could reveal info such as where you live if anyone is determined enought depending on the info if stores (such as geolocation data).
Basically I’m saying wrap your car in tinfoil
Hmm. Is there a faraday vinyl I can wrap my car in?
Or, alternatively, would the pelts of tech billionaires offer any protection?
Or just pull the fuse to the antenna?
Are antennas usually behind a fuse?
Mine was, it’ll be called OnStar in the manual.
Here’s a post with a pic https://sh.itjust.works/post/16735052
Ah, pretty sure that’d be the whole OnStar transceiver, too (which isn’t a bad thing to disable…).
I thought the antenna itself was behind a fuse (as in, feedline has an online fuse) which would be a peculiar design I think.
No, you’d never put a fuse between transceiver and antenna.
I live in a small, rural community. The county sheriff’s department just announced how they bought the GPS tracking data for every vehicle in the county and how it’s going to “help calm traffic because they can predict where people are going to be speeding and can have an officer waiting”
The pre-crime department is starting and no one batted an eye.
Every time I hear something like this I’m glad I bought an old car without any connectivity.
My car is a 2012, I’ll be holding onto it until it falls apart.
Same, for now. Although, we have two ICE vehicles and want to swap to electric. I haven’t looked, but I can’t imagine there’s a great selection of electric, but ‘dumb’ in the US, considering GPS was mandatory for new vehicles in … 2016, I think?
I’ve also heard people say you can just pull the fuse for the GPS, but I’m still skeptical.
You can choose om the software if you want location services or not, but everyone leaves it on. This is what is leaked. If you turn it off it doesn’t report in location centrally at all.
Just let the car deduct the points from my licence automatically already.
USA?
Basically I’m saying wrap your car in tinfoil
and don’t ever let diagnostic tools with network access be connected to it. just as well could say never bring it to service, which is not really possible
At this point, just get a bicycle without a battery.
Of course, sometimes you need to move heavy stuff and there’s nothing you can do about it, bu I tend to save enough, not owning a car/motorbike that I can afford to pay for a pickup on those occasions.
Looking at the map, assuming these models aren’t for sale in Poland, Czech and so forth?
Maybe Skoda wasn’t part of it, that’s the most sold brand in Czechia and Slovakia
Has someone located the frequent visitors of “houses of ill repute” yet?
The republicans are on it in the US, but now they call them drag shows.
…and hospitals.
…and of course no severe consequences for Volkswagen, all Europe is only like “whooops,…anyways…”
Have you not been paying attention to GDPR courts? The fines are usually in the hundreds of millions of Euros.
https://m.youtube.com/watch?v=1YljaxN7fAE
Watch this and you will find out that these fines are almost never paid, at around 20min in
I mean this just went public so idk, trials might take a while, but yeah i agree probably no consequences.
Not just Europe, everywhere. Look at all the breaches, every day.
Until those breaches cost companies serious money, they won’t do anything about it.
I just got a notice that a place I worked 12 years ago got breached and my info like full name and social was in it.
Cool. Idk why they even kept info that far back…
A Volkswagen id4 was the best choice I had from work (Belgian companies give company cars for personal use as perks because of tax benefits).
I completely disagreed to all terms involving internet access in the vehicle, but I have no doubt they are tracking me without my consent too…
Sounds like you could start a lawsuit!
If they are, make a complaint to your local governing body. See if they’ll investigate it. Because it’s not okay for them to agree to terms for you or to try to end around the agreement you made.
There’s no way to know though…
Sure there is. Most people don’t have the hardware handy to do it, but at the end of the day it’s just a computer sending IPv4 traffic through an LTS cellular modem to an S3 bucket.
And if you know your car’s UDID you can probably look it up in said S3 bucket, since it was open to the public.
You are aware that encryption exists, right?
And the decryption key is stored… where?
Sure, they COULD be using a TPM in the cars and PKI so that having the public key still only lets them encrypt the data and not decrypt it… but in that case, we wouldn’t have this article, because they’d have properly secured the data.
Since they only really value that telemetry in bulk and have to foot the compute bill, I’m pretty confident they don’t actually do that, but instead depend on the S3 bucket and the connections to it being encrypted.
Take your car into a dealer and ask them if the modem is connected. Frame is as you think it’s malfunctioning and they’ll look to see.
I mean, they could disconnect it for you, but there’s still no way to know if it’s been transmitting data you don’t want it to in the meantime
“Accidentally”
From what a gathered, it was the classic misconfigured AWS S3 Bucket. It’s criminal how AWS still makes the default configuration insecure.
It was also the classic “collecting the information to begin with,” and it’s criminal how that is allowed, too.
It doesn’t default insecure anymore and it bitches at you when you try to make it public.
My bet would be that It was either a pre-existing bucket, or some team put a “temporary” measure in (making it public) instead of using the API to pull the data until they got around to implementing it correctly.
The default for net new buckets is actually very strict.
But it’s that strictness that makes devs just to open it up to everyone and not learn proper IAM syntax.
The unfortunate part is that AWS made rules and privileges so nuanced and detailed that it makes people want to make everything public and deal with it “later”.
How do people end up finding them? Don’t they have random UUIDs in the URL? Or are they predictable?
All you have to do is monitor the network traffic and then scan any AWS subdomains/IPs that pop up.
[edit] this makes me think… it’s not really possible for a secure connection from all of VW’s vehicles to an S3 bucket, is it? Anyone can pull the key from any of the millions of vehicles making the connection.
You could secure it using an IAM user with credentials but then those credentials would be available on all vehicles.
If the vehicles had direct access to S3, maybe that’s why the bucket was public? But you could also just leave it available to the public.
But if that was the design, you should sweep the bucket on a regular basis to make sure there aren’t any objects over x hours old or something like that.
Bucket names are often committed to GitHub. It used to be that bucket names could be published but ever since the blog post of the guy getting fucked by people polling his bucket due to an open source project typo made others realize that bucket names should probably be secrets.
There are bots that will just monitor all public commits to github, gitlab, etc. for AWS credentials and other strings like that. And as soon as they are found they will start to abuse them.
blog post of the guy getting fucked by people polling his bucket due to an open source project typo
Was it this one?: https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1
GDPR/DORA monies when?
I would love to know how to disable telemetry on my own hard drive on wheels or at worst prevent it from phoning home. Mozilla did a great job bringing this issue to light but now we need actionable solutions that don’t rely on governments passing laws
I don’t get why they feel the need to keep it a secret.
Google takes GeoLocation data with maps and people happily use it. I even put reviews for places I go to.If they were to just be above board about it while selling the stuff, they would have much happier customers and they could even get some legitimate use out of the data, like traffic status that Google does.
I’m not a fan of Google, but must say, they definitely managed to do better in this regard.
Obviously… It’s anti-libre software. It fails to include a libre software license text file, like GPL. We do not control it.
Anyone that has owned a recent VW, knew this was true. I would get text messages from my local dealer anytime I was close to needing an oil change.
Wouldn’t that just be a time based notification rather then dependent on any privacy invading metrics?
Not from my experience. I went from driving the car like 30000 miles a year to like 5000, the text messages were always about right on time for my services based on miles driven. Clearly the car was reporting to VW in some way routinely.
That’s so weird! Just like when my dentist calls me to an appointment when I’ve had a cavity for six years! Incredible! Just when I need to fill it!
Is there a company yet that let’s me pay them to internet disconnect and rip out sensors on a modern car?
Dacia doesn’t have that crap. They only have the mandatory SOS system.
BTW, if someone has a way to rip that system out, please share
Do they make an electric car that doesn’t have such sensors (eg cabin microphone) and doesn’t have internet access?
They do, the Dacia Spring has nothing like that if I’m not wrong
Edit: just checked, and it seems they added all the connected big screens crap, my bad
I don’t know about electric but the regular ones are available in basic versions without internet and “luxury” ones with all that crap
Accidentally, lol. The point was to mine and sell the data, wasn’t it? Not exactly private.
The made public part is the accidental
“Accidentally” is the new “through incompetence”
Negligence. Volkwagen can afford competence, but chose not to invest in it.