Technology

"Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)"

Such a statement about not selling data can be very misleading, because the essential statement of saying "we do not share your location data" does not seem to have been made! Please, let us stop falling for the trick of companies saying that they do not sell our data as somehow equating to them respecting our privacy, because it is not an equivalence.

“While we worried that our doorbells and watches that connect to the Internet ~~might be~~ [are] spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla's report reads.

“People are being tracked in ways that they have no idea are happening.”

https://archive.is/9dIdu

"the minute you hook up your phone to Bluetooth, it automatically downloads all the information off your phone, which is sent back to the vehicle manufacturer."

"if you want to protect the data on your phone, don't connect it to the car."

Good to know if I ever need to find out where my lesbian cousin is.

Remember when hyundais could be unlocked with just a usb cable and a phone? And hyundai wanted people to pay for the fix after breaking into hyundais became a trend on tiktok.

Nobody’s mentioned that the vulnerability was “immediately” fixed (within 24h according to a comment on a related post in the cybersecurity community). Like, the fact that this is even possible to begin with is obviously bullshit, and makes me wish I’d ripped the starlink box out of my car, but this is not the rampant and actively exploited thing that the headline would have me believe it is.

It's so frustrating that if you buy a modern car you have to give up any semblance of privacy

Someone is going to exploit this to make a great lesbian dating app

This just makes me glad I removed the starlink box from my outback the first month I got the car.

If anyone wants to do the same in my 2018 (most gen 5s should be the same) you remove the radio and the starlink box is inside it. Removing the box breaks your front speakers and microphone. A simple passive pigtail will fix the speakers, but the microphone needs power. I found a guy online who made the active adapter so it was purely plug and play.

We should all start asking around our local auto shops that handle software and ask if they disable gps or internet services.

It's not illegal to modify your own vehicle (yet) so jailbreaking these shitty cars would be an awesome service.

Shah and Curry's research that led them to the discovery of Subaru's vulnerabilities began when they found that Curry's mother's Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees' passwords simply by guessing their email address, which gave them the ability to take over any employee's account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user's browser, not on Subaru's server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

Yeah, this kinda bothers me with computer security in general. So, the above is really poor design, right? But that emerges from the following:

• Writing secure code is hard. Writing bug-free code in general is hard, haven't even solved that one yet, but specifically for security bugs you have someone down the line potentially actively trying to exploit the code.

• It's often not very immediately visible to anyone how actually secure code code is. Not to customers, not to people at the company using the code, and sometimes not even to the code's author. It's not even very easy to quantify security -- I mean, there are attempts to do things like security certification of products, but...they're all kind of limited.

• Cost -- and thus limitations on time expended and the knowledge base of whoever you have working on the thing -- is always going to be present. That's very much going to be visible to the company. Insecure code is cheaper to write than secure code.

In general, if you can't evaluate something, it's probably not going to be very good, because it won't be taken into account in purchasing decisions. If a consumer buys a car, they can realistically evaluate its 0-60 time or the trunk space it has. But they cannot realistically evaluate how secure the protection of their data is. And it's kinda hard to evaluate how secure code is. Even if you look at a history of exploits (software package X has had more reported security issues than software package Y), different code gets different levels of scrutiny.

You can disincentivize it via market regulation with fines. But that's got its own set of issues, like encouraging companies not to report actual problems, where they can get away with it. And it's not totally clear to me that companies are really able to effectively evaluate the security of the code they have.

And I've not been getting more comfortable with this over time, as compromises have gotten worse and worse.

thinks

Maybe do something like we have with whistleblower rewards.

https://www.whistleblowers.org/whistleblower-protections-and-rewards/

• The False Claims Act, which requires payment to whistleblowers of between 15 and 30 percent of the government’s monetary sanctions collected if they assist with prosecution of fraud in connection with government contracting and other government programs;
• The Dodd-Frank Act, which requires payment to whistleblowers of between 10 percent and 30 percent of monetary sanctions collected if they assist with prosecution of securities and commodities fraud; and
• The IRS whistleblower law, which requires payment to whistleblowers of 15 to 30 percent of monetary sanctions collected if they assist with prosecution of tax fraud.

So, okay. Say we set something up where fines for having security flaws exposing certain data or providing access to certain controls exist, and white hat hackers get a mandatory N percent of that fine if they report it to the appropriate government agency. That creates an incentive to have an unaffiliated third party looking for problems. That's a more-antagonistic relationship with the target than normally currently exists -- today, we just expect white hats to report bugs for reputation or maybe, for companies that have it, for a reporting reward. This shifts things so that you have a bunch of people effectively working for the government. But it's also a market-based approach -- the government's just setting incentives.

Because otherwise, you have the incentives set for the company involved not to care all that much, and the hackers out there to go do black hat stuff, things like ransomware and espionage.

I'd imagine that it'd also be possible for an insurance market for covering fines of this sort to show up and for them to develop and mandate their own best practices for customers.

The status quo for computer security is just horrendous, and as more data is logged and computers become increasingly present everywhere, the issue is only going to get worse. If not this, then something else really does need to change.