
Internet-Connected Cars Fail Privacy and Security Tests Conducted By Mozilla (gizmodo.com) 26

According to Mozilla's *Privacy Not Included project, every major car brand fails to adhere to the most basic privacy and security standards in new internet-connected models, and all 25 of the brands Mozilla examined flunked the organization's test. Gizmodo reports: Mozilla found brands including BMW, Ford, Toyota, Tesla, and Subaru collect data about drivers including race, facial expressions, weight, health information, and where you drive. Some of the cars tested collected data you wouldn't expect your car to know about, including details about sexual activity, race, and immigration status, according to Mozilla. [...] The worst offender was Nissan, Mozilla said. The carmaker's privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there's no details about how exactly that data is gathered. Nissan reserves the right to share and sell "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes" to data brokers, law enforcement, and other third parties.

Other brands didn't fare much better. Volkswagen, for example, collects your driving behaviors such as your seatbelt and braking habits and pairs that with details such as age and gender for targeted advertising. Kia's privacy policy reserves the right to monitor your "sex life," and Mercedes-Benz ships cars with TikTok pre-installed on the infotainment system, an app that has its own thicket of privacy problems. The privacy and security problems extend beyond the nature of the data car companies siphon off about you. Mozilla said it was unable to determine whether the brands encrypt any of the data they collect, and only Mercedes-Benz responded to the organization's questions.

Mozilla also found that many car brands engage in "privacy washing," or presenting consumers with information that suggests they don't have to worry about privacy issues when the exact opposite is true. Many leading manufacturers are signatories to the Alliance for Automotive Innovation's "Consumer Privacy Protection Principles (PDF)." According to Mozilla, these are a non-binding set of vague promises organized by the car manufacturers themselves. Questions around consent are essentially a joke as well. Subaru, for example, says that by being a passenger in the car, you are considered a "user" who has given the company consent to harvest information about you. Mozilla said a number of car brands say it's the driver's responsibility to let passengers know about their car's privacy policies -- as if the privacy policies are comprehensible to drivers in the first place. Toyota, for example, has a constellation of 12 different privacy policies for your reading pleasure.

  • by OrangeTide ( 124937 ) on Wednesday September 06, 2023 @05:47PM (#63828690) Homepage Journal

    The auto company doesn't care, they got your money. Unless there is something about the car that is going to cause death or injury, they aren't going to proactively deal with the issues. Anyone who has bought a BMW with the window trim falling off or other miscellaneous bullshit knows how important it is to get in line for warranty covered service. Good luck getting a warranty in this day and age that would recognize something as vague as internet security flaws.

  • by ve3oat ( 884827 ) on Wednesday September 06, 2023 @06:49PM (#63828826) Homepage
    I bought (new) and drive a 2020 Toyota Corolla Hybrid, which I would like to think is not so bad for privacy. We have never connected any of our phones to the car's system, and the car's infotainment system does not include a GPS (we use our own Garmin device, not connected to the car except for power). I wonder if I am being too optimistic in thinking that the car doesn't know where we drive or who we talk with.
    • yeah probably (Score:4, Interesting)

      by Anonymous Coward on Wednesday September 06, 2023 @08:51PM (#63828996)

      Wait for your first e-mail from the dealer that magically has an up-to-date mileage number in it.

      You know that scene from Total Recall where Arnold rips the tracker out of his nose? That's pretty much what you have to do. To get it out of a Subaru you have to pry the trim off, unbolt the head unit, pull it out, unplug the tattler (and ideally remove it entirely and trash it), insert a bypass plug (because a lot of stuff goes through it and won't work unless you patch it back together), then put everything back together again. Fun!

      • by bobby ( 109046 )

        Thanks, I hadn't heard all of that yet. My solution: keep older cars, and yes, I do all my own repairs. If I ever make enough $ to justify a new car, and I'm not too sure what I'd buy anyway, I'd have to find the "tattler" and disable it as you suggest.

        However, what happens when you take it in for dealer warranty / regular service? Aren't they going to know the tattler is disabled / missing and fix it?

        • However, what happens when you take it in for dealer warranty / regular service? Aren't they going to know the tattler is disabled / missing and fix it?

          No, but they might well refuse to fix something else that's connected to it. The warranty doesn't cover your modifications.

  • Once again (Score:4, Insightful)

    by Baron_Yam ( 643147 ) on Wednesday September 06, 2023 @06:51PM (#63828830)

    This type of behaviour should be grounds for murder, because I'm pretty sure anything less won't stop the constant march towards turning the 99.9% into property without rights.

    And while I'd be happy enough seeing the CEO down to upper management hanged in front of their headquarters, I would also be OK with that treatment going all the way down to the coders behind the system as well.

    YOU ARE HUMAN BEINGS. Stop accepting being treated like property to be exploited by the ultra-wealthy.

  • by PubJeezy ( 10299395 ) on Wednesday September 06, 2023 @06:55PM (#63828838)
    IOT is a massive threat to national security. Adding an internet connection makes a device less secure. Adding a persistent internet connection makes a device an active threat to your data.

    Being able to turn your air conditioner on before you get into the car is not worth ANY increased risk of car accidents or cyber-stalking. But that's really all they're offering us.
    • well sure there's a downside, but look on the bright side (dadum dadum deedum dadum;-) here's a modest proposal:

      all ECUs control the fuel/air mixture in realtime, so when the air contains unburned hydrocarbons, the ecu knows, as does anyone who has been coal-rolled https://en.wikipedia.org/wiki/... [wikipedia.org] or when followed an un-smogged muscle car or more frequently a chipped performance car...smell ya L8r-\ and don't forget _all_ cars spewed u.h.c. when we boomers were growing up:-( the rust-belt heavy-metal child

  • Methodology? (Score:4, Interesting)

    by bill_mcgonigle ( 4333 ) * on Wednesday September 06, 2023 @07:05PM (#63828846) Homepage Journal

    So ... it looks like they read online privacy policies of each brand and then said "creepy"?

    And they explain Acura uses the Honda privacy policy but Acura is scored much higher?

    What is going on here? I was hoping for something like Consumer Reports used to do.

  • At first I thought it was weird that Mozilla were testing cars, but then I realized they're experts both in privacy and, err... crashing
    • If Mozilla made cars, they would stop suddenly in the fast lane, then pause for somewhere around 30 seconds with an announcement "Restart car for upgrade"
  • But I am thinking of putting a Chinese Android stereo in it. The display on my stock one is a mess. Then it can spy on me.

  • by Zarhan ( 415465 ) on Thursday September 07, 2023 @12:07AM (#63829314)

    The carmaker's privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there's no details about how exactly that data is gathered

    Well, depends on what you are doing on the back seat. Car is stationary but suspension system still detects impulses...

    Anyway, on my Seat I was able to see all the info about the telematics box using OBD reader. I could just disable the eSIM altogether, but I preferred to just disable the incoming GPS signal. VAG group can collect my mileage and whether car doors are locked, but not where I've driven my car. (They posit that this could be used for finding your car if you forget where you parked it. No thanks, I'll find it on my own).

    I also tested that if I disable the uplink, the telematics module apparently caches *some* of the data, but not more than a few iterations. I guess it's for cases where you are outside of mobile network.

    Have to say, since I live in the EU and have to click through the cookie-consent stuff at every website, some being very detailed in what they collect and what you can toggle, why cannot the legislators draw up something similar for cars. When you first buy a car or factory reset the computer when you resell it, you would go through the data collection screen and opt-in. "Mileage and door locked status, sure. Location, not. Driving patterns, not".

    • Have to say, since I live in the EU and have to click through the cookie-consent stuff at every website, some being very detailed in what they collect and what you can toggle, why cannot the legislators draw up something similar for cars. When you first buy a car or factory reset the computer when you resell it, you would go through the data collection screen and opt-in. "Mileage and door locked status, sure. Location, not. Driving patterns, not".

      Why not a universal GDPR for any hardware, including vehicles, phones, microwave, washing machine, etc?

      Basically an explanation must be provided for every type of data collected and how it helps with the equipment working as designed. And with options to disable some types of data / all data from anything you buy. So you get to decide if you want to enable the GPS, but disable the sex monitoring stuff, for example.

  • In other news, French Cheese Fails Taste Tests Conducted By Oracle.

    Seriously, since when are Mozilla experts in things that aren't Web-related?

    • Because... they suck at the web browser development business, so they thought they would take some of the HUGE pile of money they have collected and spend it on things no one asked for. It falls under the heading of social activism, so it must be a good thing. And it gets their name in the headlines, so it is a valid advertising expense.

  • This means not many people will be interested anyways. Personally, I like my porn performed and filmed by people that have some level of a clue how to give a good show.

    • That's the rub. Er...

      Seriously though, what is it with all this amateur porn that looks like the people who made it have never seen porn before? Can't figure out either how to hold a camera OR where to point it.

      • by gweihir ( 88907 )

        No idea. Apparently some people have a fetish for that. The making of it, I mean, probably not so much the viewing of it.

  • It may upload data when the antenna is reconnected. By the dealer plugging a cable into the OBD port, they can pull a lot of data. Certain data such as seat belt status is known by abs module. Before computers the speedo would log crash speed by sticking at the speed displayed during a crash. The last speed could be used by first responders to estimate injury and for police to investigate speeding causing a crash. That was mechanical so many old speedos do this.
    • Certain data such as seat belt status is known by abs module.

      You can get data out of the SRS module in operation but it probably doesn't store much. The standard is to store 30 seconds before and after an airbag is deployed.

      The infotainment, on the other hand, could be storing effectively any amount of logging data.
