
When Your Used Car Is a Little Too ‘Mobile’ - LinuxBender
https://krebsonsecurity.com/2020/02/when-your-used-car-is-a-little-too-mobile/
======
vearwhershuh
The issue here isn't that this guy can see and control the vehicle without
the next owner knowing. It's that the entire corporate world and government
can see and control the vehicle without the next owner knowing. This is
increasingly true across the board, regardless of trim level.

I was excited about Rivian as a family friendly electric vehicle. Then they
decided to add Alexa (due to an investment by Amazon) and reminded me why I
will likely die driving my 1980s SUV.

~~~
freepor
Certainly your 1980s SUV is the thing most likely to be the location
of your death, unless you’re older than ~70.

~~~
vearwhershuh
Only if your 1980s SUV is capable of reaching speeds that might kill you.

I will simply be maimed horribly and die later in the hospital, screaming "AT
LEAST MY DEATH WASN'T TRACKED BY ALEXA".

I am, on balance, comfortable with this fate.

 _Alexa: His death was, in fact, tracked by Alexa_

~~~
nemosaltat
I’m hearing that last sentence in the voice of the narrator from arrested
development.

~~~
o_____________o
Ron Howard! Director of A Beautiful Mind, Apollo 13, Willow, etc., star of
Happy Days, father of Bryce Dallas Howard.

[https://www.youtube.com/watch?v=70nqLIj6l_M](https://www.youtube.com/watch?v=70nqLIj6l_M)

~~~
julianj
And not to forget Opie from the Andy Griffith show

------
nimbius
Somewhat off-topic, but if you'd like a hardware hack to disable the perpetual
vehicle tracking in most modern cars, it's actually a component of OnStar in GM
vehicles. BMW Assist and others are patterned off the same technology as it
all comes off the boat as a single embedded package from China. It's a cellular
modem with a header for your OBD and ECM and a data line for your infotainment.
It's NOT built into the infotainment.

On GM vehicles you're looking for a metal box under the passenger side
footwell, about the size of a cable modem. Newer models have it in the trunk
on the right or left side. You can remove the box, open it up, and inside will
be a riser card with 2 or 3 connectors for a cell antenna. There's no SIM card.

Pull the riser and you won't get any error codes. Confirm the hack by pressing
the OnStar button (or whatever your car calls it). It will ring, but no one
will pick up.

This will NOT affect your Bluetooth ability OR your backup camera. That's
actually part of the infotainment.

This WILL however disable the SOS button and the automated SOS on airbag
deployment signal, as the riser doesn't exist to make the call.

~~~
gbrown
In your opinion, is this worth doing even if you never signed up, activated,
or signed any agreements with respect to OnStar?

~~~
justAnotherNET
Not OP, but yes

------
tyho
BMW is also massively insecure. My "secret token" I had to enter on my phone
to link it with the car was the VIN number. That number is physically stamped
into the engine block and chassis so obviously cannot be changed, even after I
sell the car. I also suspect these numbers are sequential. Till this car is
scrapped I will be able to locate it, turn on the AC, unlock the doors etc.

~~~
RandomBacon
I'm curious, would it be possible for a malicious person to create a bunch of
VMs running the app and brute force VINs to get access to thousands of
vehicles and do things all at the same time?

As it is, it already sounds like a thief's dream: no special, suspicious tools
required: just a burner phone with an app, walk up to a car, enter the VIN,
unlock doors, steal stuff.

~~~
fortytw2
VINs roughly follow patterns, so if you know one, you can figure out many
other cars with very little brute force effort.

VINwiki probably has a guide explaining them somewhere if you search.

------
h2odragon
I'm thankful our 2004 & 2002 cars are as free of "smart" as they are. They're
aging out on us and we've been looking at replacements; the used market is
contaminated with screens and systems that we DO NOT WANT.

I wonder how difficult it will be to strip all that shit out when the time
comes. What's going to have to be stubbed out or emulated to make the car run
and how difficult will that be? Are we looking at things like people rolling
their own EverQuest shards yet?

~~~
judge2020
Cars manufactured starting May 2018 must have backup cameras, so chances are
whatever car you get will also have infotainment and other features. Maybe
there are a few cars that have a pop-up screen or something similar that is
only used for backup.

[https://en.wikipedia.org/wiki/Backup_camera#Mandates](https://en.wikipedia.org/wiki/Backup_camera#Mandates)

------
tantalor
The master reset and much, much more is actually detailed in their privacy
policy:

[https://www.ford.com/help/privacy/](https://www.ford.com/help/privacy/)

"Performing a Master Reset returns the vehicle’s modem to the factory settings
and removes any imported personal data like cellular phone contact lists,
names of paired devices and/or connected networks. Master Reset also
disconnects modem-equipped vehicles from any FordPass / Lincoln Way accounts.
See 4 above. Deleting the FordPass/Lincoln Way app from your device will not
disable data sharing.

PERFORM A MASTER RESET:

BEFORE SELLING OR TRANSFERRING OWNERSHIP

AFTER PURCHASING OR LEASING A PRE-OWNED VEHICLE

BEFORE AND AFTER RENTING A VEHICLE FROM A RENTAL COMPANY "

------
gambler
People are now beginning to realize that cellphones send out too much data.
Well, modern cars are far worse. Do you know that some of them have weight
sensors in seats? Do you know that they send this info out? On your phone, you
at least have some control. You have zero control over your car's cell
connection. I'm not even sure you can disable over-the-wire updates.

~~~
myself248
Pull the SIM card, or if it's an eUICC cut the trace. Yank the antenna wire,
cap it with a terminator. Cut the module off the bus if you feel like pulling
the fuse isn't enough.

~~~
OkGoDoIt
Would the car detect the tampering and refuse to operate? Seems like there is
a fair argument to be made for that by car manufacturers in the name of
safety.

~~~
somehnguy
While totally possible I've never heard of such a thing actually happening.
Tearing out the OnStar module on Chevrolets has been done by people with a
specific mindset for a long time. What's kinda neat is that if it does still
work after tearing out the module it should continue to work forever because
you just ripped out the update mechanism. Assuming you don't go to the dealer
for service of course...but who does that?

------
josephwegner
Fun fact: Nissan Connect, which allows you to track, start, stop, lock,
unlock, trigger horn, and toggle headlights is also massively insecure. In
order to gain control of a Nissan Connect-enabled car, you need to know the
VIN of the car and the name of the person to whom it is registered.

Most of the time those details can be found on the internet, but if you're
reasonably motivated you can find the VIN visible on a car's dashboard and
probably find the owner's name in their mailbox.

If you own a Nissan, register your car in Connect, or someone else will!

~~~
julianj
Helpfully, my state will allow you to search tax records by VIN or name.

------
bcrosby95
I learned long ago never to trust dealerships to do what they say they will,
unless I see them do it.

When I traded in a car, among other things I signed was a release of liability
for the DMV. They claimed they would submit it.

They never did. 3 months later the DMV called asking about the lack of
insurance for the car. I told them what happened, and they said it's common for
dealerships to never send in this paperwork. So, yeah, lesson learned. I can't
imagine what a pain in the ass this would have been if the car were involved
in an accident.

~~~
reaperducer
_I learned long ago never to trust dealerships_

I traded in a car in Houston and the employees of the dealership (an actual
big-name dealership, not some guy selling cars on his lawn) took it on
joyrides for a week blowing through tolls.

I found out when I got a letter in the mail from the Harris County Toll Road
Authority with a bill and photos of my old car zipping through the barriers.

I called HCTRA, and they were super nice about it, cancelled the fees, and
said it happens all the time.

------
slumdev
Ford (and other manufacturers) need to own the reset process. There's no way
you can rely on car dealerships to do this.

[https://www.fi-magazine.com/311144/but-the-dude-can-sell](https://www.fi-magazine.com/311144/but-the-dude-can-sell)

~~~
ng7j5d9
How would manufacturers know when cars change hands?

Sure, in the example in the article, it was a lease that was turned in to a
Ford dealer. But I've sold cars by handing my keys and a title to an
individual who handed me money. The manufacturer of the car was not involved
in the transaction.

~~~
reaperducer
_How would manufacturers know when cars change hands?_

The same way that every single marketing company, bank, finance and insurance
company does. It's public information.

~~~
ng7j5d9
That might be a good 90% solution - car registrations are public records,
which tons of companies harvest, which is why you get those annoying extended
warranty junk mailers, etc.

Not all cars get registered though - some are chopped for parts (in which case
that infotainment system might live on in another car), some are shipped
internationally to be re-sold elsewhere, etc.

And there could be a lot of lag - some cars languish on dealer lots, get
auctioned, languish on another lot, get auctioned again, etc. Or a dealer
might like your car and slap dealer tags on it and keep it essentially as his
personal vehicle for a while without registering it.

Lots of little opportunities for data to leak or remote functionality to be
abused. There ought to be a complete, no-joke, absolutely reset everything in
the car (and expire any remote access tokens) option in the car itself, that
either a buyer or seller can easily invoke.

------
kube-system
Yikes. This is a serious safety issue. Imagine if this wasn’t an EV, and
someone started a car while in the new owner’s garage.

~~~
speedgoose
Can you start an ICE vehicle remotely? I thought it was mostly an EV thing; some
people have aftermarket kits.

~~~
grecy
A huge percentage of people that live in the cold parts of Canada have "remote
start" on their key fob. Press a button and that ICE fires right up to warm up
your cabin, defrost the windows and get the engine warm enough.

They usually have some kind of hardware interlock to make sure the
transmission is in park and the hand brake is on.

~~~
semi-extrinsic
FWIW remote start is not allowed in Europe, so in the northern areas cars come
with separate units that generate hot air from a heat exchanger connected to a
small chamber with a flame burning the fuel.

------
Johnny555
I always do an infotainment system reset when I rent a car -- both when I
start using the car, and just before I return it. I don't know what apps or
other data other people synced, and I don't want anything I synced to be
available to the next person.

I'd be doubly sure to reset the car at the end of a lease.

~~~
alasdair_
I find it more amusing to enter in the address of a local liquor store, then a
bar, then a weed shop, a casino, a strip club, a bail bondsman, the local
municipal courthouse and finally a divorce lawyer’s offices.

------
river99
First thing I do in any rental car is turn off any remote tracking, mobile
apps, clear out Bluetooth and turn off wifi if equipped.

~~~
_sbrk
While always good to turn non-essential features off, this doesn't mean that
you can't be tracked. Many vehicles, even if non-rental, now come standard
with cellular voice/data connections. GM pioneered this with OnStar in the
mid-90s[1], and other manufacturers soon followed. Combined with the "black
box" recording of _every_ sensor in your car, there can be some pretty damning
evidence against the driver in the event of a wreck, etc.

There are no switches for the driver to disable regarding the data inside your
ECU[2], or Event Data Recorder[3].

It's not that you can't get away with anything anymore, it comes down to minor
infractions are now enforceable (with the lucrative fines that follow) and
that your car can present evidence against you.

[1] [https://smart.gi-de.com/automotive/a-brief-history-of-car-connections/](https://smart.gi-de.com/automotive/a-brief-history-of-car-connections/)

[2] [https://www.plaintiffmagazine.com/recent-issues/item/beware-the-black-box](https://www.plaintiffmagazine.com/recent-issues/item/beware-the-black-box)

[3] [https://www.jstor.org/stable/26167752?seq=1](https://www.jstor.org/stable/26167752?seq=1)

~~~
ReptileMan
Can't you just cut the antenna? Or just improvise a Faraday cage around it.

~~~
reaperducer
Good luck finding it. And then, good luck getting to it.

~~~
kop316
While a pain, it isn't impossible. There will be an FCC ID that it has (due to
transmitting/receiving). Based on that device, you at least know what to look
for (a PCI card? An entire board? An antenna?).

Since FCC testing is expensive, I would not doubt that many manufacturers just
make one card to install into multiple cars (to lower the FCC testing cost).
That would be the best case, as all you need to do is find and remove that
card.

~~~
_sbrk
Instead of doing that, I'd simulate "network loss" by substituting a 50 ohm
dummy load for the output antenna. This assumes that it is a connector, not
soldered right to the board.

This way, there is no "fault" other than not being in a cellular-coverage
area.

~~~
kop316
That's a good way too. Didn't think of that.

------
tzs
There are enough street labels visible on the map of the car location in the
screenshot from the myford site to figure out where that is.

I was kind of surprised the article did not obfuscate that.

It looks like it is at one of these businesses in Milford, CT: Stevens Ford
Lincoln, Stevens Ford of Milford, Steven's Collision Center, or Colony Ford.

I wonder if one of those Ford dealers is the dealer that failed to do the
reset when processing the lease return?

~~~
Johnny555
If it's at a car dealer, I'm not sure there's any need to obfuscate it --
revealing that an off-lease car is on a car dealer's lot is not much of a
breach.

If it was in a residential neighborhood it'd be a different story.

------
josefresco
A low-tech example, but I bought a used car a couple of years ago with navigation
and still saved in the system were addresses the previous owner had entered.
From this simple list, I was able to determine where they lived, and if I was
curious enough, the businesses and homes they visited, or at least used
navigation to find.

