
What does your car know about you? We hacked a Chevy to find out - bookofjoe
https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/
======
coreyp_1
Related story:

When I bought my GM truck last year, it came with OnStar. The saleswoman came
to the part of the sale where she had to set up my OnStar account. I told the
saleswoman that I would not consent to the OnStar trial service. When she
tried to cancel it for me through their online portal, she asked for my email
address, which was required to cancel the service. I refused to give it to
her. She didn't know what to do because that portal was the only tool that she
had to work with, and it required the information (she was professional the
entire time, btw, as was I), so I told her that I would take care of it.

I walked out to my new truck (still in the sales lot), pressed the OnStar
button, and the operator came on, asking me to set up my service. I told them
that I wanted to cancel the service completely. What did they do? They asked
for my personal information.

I had a back-and-forth with them for 10 minutes or so, with the operator
telling me that they could not turn off OnStar unless I gave them my
personally identifying information, and I kept telling them that they did not
need that information at all and that I would not give it to them (they
already knew my vehicle's ID... it's automatically included with the OnStar
call).

When asked why I would cancel a "free" service period, I told them in no
uncertain terms that I disliked the OnStar company, that I did not consent to
sharing any private information with them, and I wanted the "demo" service
(that was active when purchasing a new vehicle) disabled completely because I
had purchased the vehicle. They kept telling me that they could not cancel the
service unless I provided my personally identifying information.

I offered them an alternative. I told them that I could hang up, and the
OnStar would stay in the unlimited "demo" mode where I would continue to get
the service for free.

They put me on hold, and when they came back, I was told that their supervisor
OK'd the cancellation without me giving them any personal information.

I should have just removed the antenna!

~~~
driverdan
> I should have just removed the antenna!

You should absolutely find the SIM card and remove it. Just because you
"disabled" the service doesn't mean they aren't still sending data back.

~~~
neuralRiot
There’s no SIM card, the OnStar module is a closed box, easiest way is to just
unplug the antenna, no permanent damage and easily reversible if you need your
car serviced at the dealer.

------
Shivetya
I haven't seen it mentioned, but as a Tesla owner one concern I had was that
if I sold my car Tesla might not get around to wiping the information it had
on me. Worse there were stories of people selling cars where the new owner was
given CC numbers and more of the old owner.

Nice coincidence with the article is I had a 2017 Volt. Great car, hated
OnStar. First just trying to make them go away is nearly impossible and GM was
doing their best to link even remote start on the app to having an account; it
may actually be so but I sold it before the grace period expired.

OnStar is an example of how car makers are expecting to profit off cars once
they leave the lot. Go look at the rates OnStar wants and for what. We had
more than one update go around where features were going to be stripped from
the app without subscription to basic information promised originally was to
be moved to a premium category. I can honestly say OnStar was in my top three
for reasons for leaving my Volt.

Yes, they can send you driving habit data if you opt in. I have a similar
feature with a small Bluetooth device for State Farm in my Tesla; connects to
my phone and such and scores driving. Going to see what it does over six
months. Currently my impression of it is that it thinks I take every turn too
fast; always one star out of five unless I come to full stop. It also will
deduct points for going eight miles over speed limits. It rates acceleration,
deceleration, turning, speeding, and phone use. On phone use it logs it but
does not score for it as it could be a passenger.

~~~
systemtest
A sale would be an event where you can wipe data or at least have control over
the situation. Worst case is a car accident that sends the driver to the
hospital where the insurance company claims the car. Now they have a car with
your daily routine, your favourite songs, GPS destinations, sensor logfiles,
Sentry dashcam footage, crash data, calendar entries, phonebook entries.
Probably not something you want your insurance company to have insight in.

------
icefog
Removing OnStar antenna and power was one of the first things I did on my new
GM truck. It doesn't require any special tools or knowledge and only takes
several minutes. The fact I had to do any of this at all instead of being
asked to opt-in to data collection is depressing, but not unexpected in
today's data-hungry market.

~~~
georgeplusplus
I’m shocked they didn’t rig it so doing what you did turns the check engine
light on or something ridiculous.

~~~
latentpot
Don't give them ideas, please.

------
JohnFen
This is the primary reason why I sold my car and went carless the instant that
was a feasible thing to do. If I should need to own a car in the future, it
will be an older, pre-spying, one.

~~~
bagacrap
You're the first person I've met to claim that their aversion to motorized
transportation had a basis in privacy.

~~~
tempguy9999
I'm a Londoner and we have here a system of public transport which is
controlled by cards ('oyster' cards, RFID credit card sized things -
[https://en.wikipedia.org/wiki/Oyster_card](https://en.wikipedia.org/wiki/Oyster_card)).

Not exactly to address your point but they're a good way of tracking
individuals so I always try to pay anonymously (cash) and never register it. I
should probably buy a new one every few months but usually forget.

FYI anyway. Privacy aside it's a pretty decent system.

~~~
CoolGuySteve
They can recognize your face as you tap at the turnstile. Maybe they don’t do
it now, but if they currently don’t they will in the name of anti-terrorism.

~~~
brokenmachine
Remember, pedophiles get the train too.

_Won't you think of the children?_

------
Cougher
My car knows that I'm going to ride it like a horse and never put it
out to pasture. My old grey mare, she ain't what she used to be, but she don't
ever spy on me.

------
jb775
> Doug also (twice) sent GM a formal request under a 2003 California data law
> to ask who the company shared his information with. He got no reply.

I wonder if they are planning to follow up on this? If there's a law in place,
GM shouldn't be able to get away with simply ignoring requests.

~~~
hnarn
Luckily for us consumers, at least in the EU we now have GDPR, which you
definitely can not ignore.

~~~
bliblah
I wonder if he could just ship an American car with OnStar to the EU and start
requesting the information using GDPR.

------
ScottBurson
My 1993 Toyota is looking better by the day :-)

~~~
astura
Unless you get into a crash that is....
[https://youtu.be/xidhx_f-ouU](https://youtu.be/xidhx_f-ouU)

~~~
thrav
Tank of a Land Cruiser should do a bit better

~~~
Wohlf
Heavier vehicles make collisions more dangerous for everyone.

------
throwGuardian
The more important thing is what we consent to, during regular maintenance.
Can they just suck up all the data and sell it to the highest bidder, or to
law enforcement? I sign a multi page agreement every visit, and have never
read its fine print

~~~
abawany
It is important to read even though they harry you to sign: I caught my dealer
sneaking in a clause on the checkout papers that one had to initial to deny
during a maintenance trip - it gave them rights to contact me for sales calls;
I had been wondering why they had been bugging me on the phone so much
recently and realized it was because I had not caught on to this clause in
previous trips. The service advisor had bounced over it when trying to get me
to sign the checkout papers but nodded glumly when he saw I had initialed it.
I used to think the "stealership" label was harsh for dealerships but I can
see why it is tempting to apply it.

------
steve_gh
Most car makers are global - and sell heavily in European markets, which are
covered by the GDPR. So I suspect that for these manufacturers, many brands
will be GDPR compliant by default. That said:

- Under what principle is data collected (Article 6)
- What measures have they put in place to enable access to PI (Article 15)
- How consent may be withdrawn (Article 7)
- How consent may be obtained when a vehicle is sold (Article 7)
- How do they ensure data is protected (Article 25) so that PI access by the
  subject (under Article 15) is matched to ownership (or registered keeper as
  the vehicle may be owned by a finance company) of the vehicle

Answers on a postcard please :-)

~~~
maxerickson
They have enough volume that there doesn't have to be much money involved per
vehicle to make US specific versions.

~~~
mhandley
Of course if a US-spec vehicle is exported to the EU, GDPR then applies to any
data collected by that manufacturer from that vehicle.

~~~
tomatotomato37
That liability will be on the importer though, in the same way that making the
indicators and emissions systems compliant to EU standards would be

~~~
hvidgaard
If it sends the data to the manufacturer, they're liable. If the importer
is, and the manufacturer doesn't care, they're not going to sell any cars.

------
Animats
Is this info being collected for police cars? That could be useful in
litigation.

~~~
kevas
Could you go in a bit more detail on your thoughts about this—would love more
insight

~~~
afthonos
Not OP, and not sure what they had in mind, but police departments “lose” data
directly in proportion to how damaging it is to them. It would not be very
useful in litigation.

~~~
ryanmercer
How would car data make any difference?

Criminal's lawyer: "Your honor, clearly my client was being chased viciously
by that officer, here's the car data saying it was going 65mph"

Judge: "Yes, and as we just saw in the video footage from three news
helicopters, your client was travelling even faster than the police chasing
him, weaving in and out of traffic, before losing control when his tire blew".

Engine run time, speed, location, engine temps, impact, hard braking, hard
acceleration, this is the type of data that is being collected.

Also I would imagine fleet vehicles, like police cars and taxis, would not
include most of this as it increases the costs and complexity of repairs.
Fleet vehicles are generally designed to use the same major components as
multiple other vehicles/generations and be fairly no-frills features to be the
easiest to work on. Major police departments (large cities, state police)
generally have their own garages that do all of the work.

------
neonate
[http://archive.md/JOe8F](http://archive.md/JOe8F)

~~~
m463
That site collects detailed information about you via dns.

*.pixel.archive.md

~~~
jakeogh
Other than your ip, what else does the DNS request provide?

archive.* is an internet gem. It's def on the shortlist for the censors. I
suspect we will be hearing more about it soon. _ahum_ re Skippy's friends.

------
js2
My wife drives a 2017 Volt. I considered disconnecting the OnStar antenna, but
I like the monthly report that's emailed to me which provides oil life, energy
usage (electric vs gas miles), and tire pressure. I also like that I'll get an
email alert if tire pressure is low. There's also this:

[https://www.voltstats.net/](https://www.voltstats.net/)

[https://ibb.co/WHxpm5P](https://ibb.co/WHxpm5P)

> With paid OnStar service, I could, on demand, locate the car’s exact
> location.

I haven't paid for OnStar but I can use the "locate vehicle" feature. I
vaguely recall that "basic OnStar" is included for 5 years? The myChevrolet
app can also be used as a keyfob in a pinch.

We are not signed up for Smart Driver.

Privacy vs functionality is a trade-off. The bigger issue here is that you
can't download your data directly from the car, that OnStar is opt-out instead
of opt-in, and that you can't fully opt-out w/o physically disconnecting the
antenna.

------
nesky
The article states GM has 11M, 4G enabled vehicles, does this imply it's
actively tracking these vehicles? Doesn't this also imply you don't have to be
paying for any type of service/connectivity on your end and GM can be paying
for the connectivity on theirs and be extracting data unbeknownst to the
driver?

~~~
dwild
> Doesn't this also imply you don't have to be paying for any type of
> service/connectivity on your end and GM can be paying for the connectivity
> on theirs and be extracting data unbeknownst to the driver?

You can always press the OnStar button and it will work, whether you are
subscribed or not. That means that it's always connected. What data it does
send though, that's a big mystery for sure, but at the bare minimum they know
which 4G antenna you are connected to.

------
bookofjoe
Since everyone's phone is tracked 24/7/365, what does it matter if you're in a
car or not?

~~~
LinuxBender
My cell is not registered in my name and I can take the battery out. I often
do any time I am not on call.

~~~
hypnotode
Out of curiosity what model do you use? The last phone I had with the
capability to do so was an s4.

~~~
magduf
The ultra-high-end LG V10 and V20 phones have this too. However, the V30 and
V40 went to non-replaceable batteries. Also, the Galaxy S5 had it too, but the
S6 and later did not.

------
616c
Is there similar research or concern about SiriusXM?

~~~
criddell
Isn't satellite radio a receive-only system?

~~~
myself248
The satellite radio you have now is a receive-only system, but SXM is heavily
investing in the telematics market as well. Soon it won't be.

------
foxyv
The more I hear about how computers are taking over the car market, the more I
appreciate my "App" free Honda Fit from 2013.

~~~
magduf
My 2015 Mazda 3 doesn't have any of this stuff either. It does have the
terrible XM radio, but that's optional and is receive-only.

------
Epopeehief54
There needs to be a way to counteract this.

~~~
winrid
You can disable OnStar. For the other stuff I'm not sure. Maybe a custom ECU
or infotainment flash. New startup? :)

------
onreact
Here's the story without a forced sign up/paywall:
[https://driving.ca/chevrolet/volt/auto-news/news/what-does-y...](https://driving.ca/chevrolet/volt/auto-news/news/what-does-your-car-know-about-you-we-hacked-a-chevy-to-find-out)

------
et2o
It doesn't strike me as ridiculous that a car's nav would keep track of where
you've been.

~~~
vb6sp6
It collects 25GB of information an hour and beams it back to the car maker.
So a bit more than just your location.

~~~
rootusrootus
If there were really 25GB of data going back to GM, I can't imagine what their
wireless contract costs are like.

~~~
vb6sp6
not all data needs to flow back and compression still exists

~~~
rootusrootus
Sure, but data that doesn't flow back isn't much use to anyone, nor much of a
danger to the consumer, and no amount of compression is going to make 25GB of
raw data per hour per car for 100M cars anything other than very, very
expensive. They probably send very little data.

