• Irelephant@lemm.ee · 9 points · 10 hours ago

    Remember when Hyundais could be unlocked with just a USB cable and a phone? And Hyundai wanted people to pay for the fix after breaking into Hyundais became a trend on TikTok.

    • sunzu2@thebrainbin.org · 4 points · 7 hours ago

      It is to see even og jap brand enshittifying…

      Looking at your Honda and Toyota

      This data mining business bullshit should be illegal. Their job is to make cheap and reliable cars. Why are they selling my data to big tech?

      • Eximius@lemmy.world · 1 point · 3 hours ago

        Their job is literally to do things that make company profits. What fantasy land are you talking about? And what do I need to take to go there??

  • __init__@programming.dev · 12 points · 13 hours ago

    Nobody’s mentioned that the vulnerability was “immediately” fixed (within 24h according to a comment on a related post in the cybersecurity community). Like, the fact that this is even possible to begin with is obviously bullshit, and makes me wish I’d ripped the starlink box out of my car, but this is not the rampant and actively exploited thing that the headline would have me believe it is.

  • king_tronzington@lemm.ee · 73 up / 1 down · edited · 1 day ago

    It’s so frustrating that if you buy a modern car you have to give up any semblance of privacy

    • karpintero@lemmy.world · 37 points · 1 day ago

      I appreciate my 12 yr old car for this reason. Also, physical buttons I can hit without taking my eyes off the road

      • stoy@lemmy.zip · 9 points · 1 day ago

        My 2021 Seat Leon has this idiotic panel on the semi underside of the dash on the left side of the steering wheel.

        It controls the headlight modes, fog lights, and, most annoyingly, front and rear de-mist, all controlled by touch buttons.

        So if you are driving and the windows are fogging up for some reason, you need to take your eyes off the road and carefully touch only the two buttons for de-misting.

        I counter the privacy crap with a constant stream of podcasts when I drive…

      • timetraveller@lemmy.world · 11 points · 1 day ago

        2012 prius-c, physical air-conditioning temp knob, physical buttons for everything. Added CarPlay receiver, and it’s the perfect vehicle. No electronic “syncing” to be done. Just works.

      • MelonYellow@lemmy.ca · 5 points · edited · 1 day ago

        Yeah I’ve always believed in tactile feedback for driving safety. Which is why I love my Jeep Wrangler without the fancy features. Analog dash, keyed ignition, manual locks, windows, seats. Dials, knobs, handshift. I only have the backup camera since it became required lol

      • wrekone@lemmy.dbzer0.com · 4 points · 1 day ago

        My 2004 was the newest car I’d had when I bought it in 2018. I don’t plan on ever buying anything newer.

    • Wahots@pawb.social · 14 points · 1 day ago

      I like the one that sells your data about your sexual orientation, lol. It’s just so beyond the pale these days.

      • tal · 5 up / 1 down · edited · 23 hours ago

        That was Nissan. I don’t think that it was ever established that they were, just that their click-through privacy agreement had the consumer explicitly give them the right to do so.

        kagis

        They apparently say that they put it in there because the data that they did collect would permit inferring sexual orientation (like, I assume that if they’re harvesting location data and someone is parking outside gay bars, it’s probably possible to data-mine that).

        https://nypost.com/2023/09/06/nissan-kia-collect-data-about-drivers-sexual-activity/

        On Nissan’s official web page outlining its privacy policy, the Japan-based company said that it collects drivers’ “sensitive personal information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information.”

        “Nissan does not knowingly collect or disclose consumer information on sexual activity or sexual orientation,” a company spokesperson told The Post.

        “Some state laws require us to account for inadvertent data collection or information that could be inferred from other data, such as geolocation.”

    • grue@lemmy.world · 7 points · edited · 1 day ago

      Yep. I’m stuck driving cars from the mid-2000s at the latest because it’s a deal-breaker for me.

      I’d love to have an electric car, but because they’re all newer than that (except for some really rare compliance/fleet-only cars from the '90s with NiMH batteries, like the Ford Ranger and first-gen RAV4), I’d have to convert an ICE car to electric myself.

      • spacesatan@leminal.space · 1 point · edited · 7 hours ago

        Commercial vehicles are still fine if you can tolerate it. Might be the best option in 15 years if nothing else. I have a '19 transit van and it has no way of phoning home, the only infotainment is the one I installed. I haven’t researched too deeply but I assume the transit connect line is similar and if it is I’m considering making one my next personal vehicle.

      • tal · 2 up / 1 down · edited · 1 day ago

        Yep. I’m stuck driving cars from the mid-2000s at the latest because it’s a deal-breaker for me.

        There are still a bunch, but ultimately, that supply is going to dwindle as wear and tear and such takes effect.

        On some cars, you can disconnect the power to the cell radio module. I’ve read some posts about people doing that on newer Toyota Corollas.

        kagis

        Not the post I’m thinking of, but an example:

        https://old.reddit.com/r/GRCorolla/comments/1f1vl94/for_those_of_you_looking_to_disable_the_dcm_and/

        I remember they said that you used to be able to just pull out a single fuse in the fuse box to kill power to the telematics module, but with newer models there’s some second fuse-box that’s not very user-accessible in the guts of the car that controls it, and getting power away from the module on those is a more-elaborate task.

        Also, I’ve read that on multiple Corollas – someone else in this thread mentions this also applying to Subarus – one of the speakers and the microphone is routed through that module to provide it access to the microphone and the sound system, so if you disconnect them without additional work, you’re going to lose one of your speakers and the car’s built-in microphone.

        EDIT: I also have no idea how firmware updates get pushed to your car. It might be that updating firmware is part of the regular service, or it might be that they rely on over-the-air access to your car’s cell modem. But either way, I could imagine pulling the thing meaning that they can’t update your car’s firmware, which could be a cost.

        • grue@lemmy.world · 2 points · 23 hours ago

          On one hand, yeah, I know you can often disable the spying if you try hard enough (at least for now, until it’s integrated into the infotainment system so tightly that you can’t disable it without making half the car not work). However, as a matter of principle, I refuse to buy tyrant devices whose manufacturers think they’re somehow entitled to make me jump through hoops to control my own damn property in the first place.

    • gazby@lemmy.dbzer0.com · 7 points · 1 day ago

      I think this is the first time I’ve noticed a lemmynsfw user on another instance! Hello there! 👋

  • fuckwit_mcbumcrumble@lemmy.dbzer0.com · 24 points · 1 day ago

    This just makes me glad I removed the starlink box from my outback the first month I got the car.

    If anyone wants to do the same in my 2018 (most gen 5s should be the same) you remove the radio and the starlink box is inside it. Removing the box breaks your front speakers and microphone. A simple passive pigtail will fix the speakers, but the microphone needs power. I found a guy online who made the active adapter so it was purely plug and play.

    • Lojcs@lemm.ee · 20 points · 1 day ago

      To anyone who didn’t read the article and was confused like me, apparently starlink is Subaru’s remote car security feature.

      • tal · 5 up / 1 down · 1 day ago

        It might not tell you that it’s Subaru’s connectivity system (absent context), but I bet that if they’d written it that way, it’d at least let you know that it’s probably not SpaceX’s satellite Internet service program.

  • SoftTeeth@lemmy.world · 16 up / 1 down · 1 day ago

    We should all start asking around our local auto shops that handle software and ask if they disable gps or internet services.

    It’s not illegal to modify your own vehicle (yet) so jailbreaking these shitty cars would be an awesome service.

    • Couldbealeotard@lemmy.world · 7 up / 1 down · 1 day ago

      I doubt there would be any auto shops that can reliably deal with software side elements that aren’t the dealership, and the dealership would refuse.

      • Pika@sh.itjust.works · 1 point · 4 hours ago

        I assume that it isn’t much technical knowhow to take a pair of wire snips and snip the power or antenna to the OnStar services. Least I assume that is what would be done.

      • fuckwit_mcbumcrumble@lemmy.dbzer0.com · 1 point · 8 hours ago

        Car manufacturers are required by law to offer the same tools that dealers use for independent repair shops to repair their vehicles.

        Some cars are more programmable than others. BMWs, for example: you can change pretty much anything about the car. But most cars aren’t as modifiable as them.

        • Crashumbc@lemmy.world · 5 points · 24 hours ago

          Until you find out the cars won’t start without them :(

          We’re in a scary new world… I’m glad I’m old with no kids and not in great health.

          • Dozzi92@lemmy.world · 2 points · 7 hours ago

            Yeah, Subaru can have the Starlink disabled pretty easily by removing, essentially, a module behind the head unit. The only problem is that module also sends power to the front speakers. There have been workarounds created, but it’s just asshole design at its finest.

            • Crashumbc@lemmy.world · 2 up / 1 down · 7 hours ago

              If it’s like “OnStar”, where you could call for help or they’d call you in an accident, I suspect that’s why it was done :(

              • Dozzi92@lemmy.world · 1 point · 4 hours ago

                Yeah, good point, perhaps there is some engineering rationale for having them powered the same, so that the speakers are guaranteed to work as long as the Starlink does.

    • ERROR: Earth.exe has crashed@lemmy.dbzer0.com · 2 points · 23 hours ago

      It’s not illegal, but if someone starts selling these (car modification) services, and your car crashes, the authorities might hold them liable (even if it’s totally unrelated to the crash).

  • tal · 22 up / 1 down · edited · 1 day ago

    Shah and Curry’s research that led them to the discovery of Subaru’s vulnerabilities began when they found that Curry’s mother’s Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees’ passwords simply by guessing their email address, which gave them the ability to take over any employee’s account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user’s browser, not on Subaru’s server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

    Yeah, this kinda bothers me with computer security in general. So, the above is really poor design, right? But that emerges from the following:

    • Writing secure code is hard. Writing bug-free code in general is hard, haven’t even solved that one yet, but specifically for security bugs you have someone down the line potentially actively trying to exploit the code.

    • It’s often not very immediately visible to anyone how secure code actually is. Not to customers, not to people at the company using the code, and sometimes not even to the code’s author. It’s not even very easy to quantify security – I mean, there are attempts to do things like security certification of products, but…they’re all kind of limited.

    • Cost – and thus limitations on time expended and the knowledge base of whoever you have working on the thing – is always going to be present. That’s very much going to be visible to the company. Insecure code is cheaper to write than secure code.

    In general, if you can’t evaluate something, it’s probably not going to be very good, because it won’t be taken into account in purchasing decisions. If a consumer buys a car, they can realistically evaluate its 0-60 time or the trunk space it has. But they cannot realistically evaluate how secure the protection of their data is. And it’s kinda hard to evaluate how secure code is. Even if you look at a history of exploits (software package X has had more reported security issues than software package Y), different code gets different levels of scrutiny.

    You can disincentivize it via market regulation with fines. But that’s got its own set of issues, like encouraging companies not to report actual problems, where they can get away with it. And it’s not totally clear to me that companies are really able to effectively evaluate the security of the code they have.

    And I’ve not been getting more comfortable with this over time, as compromises have gotten worse and worse.

    thinks

    Maybe do something like we have with whistleblower rewards.

    https://www.whistleblowers.org/whistleblower-protections-and-rewards/

    • The False Claims Act, which requires payment to whistleblowers of between 15 and 30 percent of the government’s monetary sanctions collected if they assist with prosecution of fraud in connection with government contracting and other government programs;
    • The Dodd-Frank Act, which requires payment to whistleblowers of between 10 percent and 30 percent of monetary sanctions collected if they assist with prosecution of securities and commodities fraud; and
    • The IRS whistleblower law, which requires payment to whistleblowers of 15 to 30 percent of monetary sanctions collected if they assist with prosecution of tax fraud.

    So, okay. Say we set something up where fines for having security flaws exposing certain data or providing access to certain controls exist, and white hat hackers get a mandatory N percent of that fine if they report it to the appropriate government agency. That creates an incentive to have an unaffiliated third party looking for problems. That’s a more-antagonistic relationship with the target than normally currently exists – today, we just expect white hats to report bugs for reputation or maybe, for companies that have it, for a reporting reward. This shifts things so that you have a bunch of people effectively working for the government. But it’s also a market-based approach – the government’s just setting incentives.

    Because otherwise, you have the incentives set for the company involved not to care all that much, and the hackers out there to go do black hat stuff, things like ransomware and espionage.

    I’d imagine that it’d also be possible for an insurance market for covering fines of this sort to show up and for them to develop and mandate their own best practices for customers.

    The status quo for computer security is just horrendous, and as more data is logged and computers become increasingly present everywhere, the issue is only going to get worse. If not this, then something else really does need to change.

    • Jesus@lemmy.world · 4 points · 1 day ago

      The thing with bullet point 1 is that finding exploits is becoming MUCH easier with LLMs. That said, it’s now an arms race. Can you deploy AI to pressure test your systems and find the gaps before the bad actors do the same?

    • Eheran@lemmy.world · 4 points · 1 day ago

      The same happens in science. Verifying or reproducing something needs to be incentivised.