Couple of months prior, I read an article on Mozilla, where they did a research on automakers and found none comply to good privacy measures. I am planning to buy a used car. I want to know how the data is collected and transmitted.
The car comes with a connected app though I am not planning to use it. It also has apple car play and android auto. Should I use those? The article states some manufacturers even records sexual activities. How are they transmitting these informations? Through connected phones?
My use is fairly basic, I want to use the Bluetooth audio system in the car for listening to music on my phone. I use maps on my phone.
What about car servicing? Can they access stored information?
If you drive a Toyota and the infotainment system has a “DCM” icon in the corner, your driving habits and location are being recorded to their servers.
E: this is happening via their own cellular modem built into the vehicle, with its own separate SIM or eSIM. Getting at the module seems to require access behind the dash, almost purposely making it difficult. Pulling the fuse will kill the front passenger-side speaker, though there are YouTube vids on how to reactivate the speaker while keeping the DCM module dead.
How are they connecting to the server, though the connected phone’s data via Bluetooth, carplay or satellites?
The people saying it uses your phone’s Internet connection are incorrect. The vehicles have built in cellular modems and connect directly. The OEMs negotiate cellular contracts to provide service in their vehicles with ATT, Verizon, etc.
Features like remote locking/unlocking, etc. would not work if it relied on being connected to a phone.
There was a Defcon talk a few years ago (oh god it was 8 years ago) where someone found a way mess with Chryslers because they were all on the Sprint wireless network. Things like lock out the physical controls on the radio then max out the volume, or turn it into a GPS tracker, or disable the brakes! The cars had some service listening on port 6667, there was no way to stop them from accepting malicious connections so Sprint just blocked all traffic on that port on their network at the request of Chrysler. The speaker mentioned they were sorry if you were unable to use IRC any more on Sprint wireless.
DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle
