{"id":26674,"date":"2023-10-18T14:04:58","date_gmt":"2023-10-18T13:04:58","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/26674\/"},"modified":"2023-10-18T14:04:58","modified_gmt":"2023-10-18T13:04:58","slug":"spies-on-wheels-how-carmakers-sell-your-intimate-data","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/26674\/","title":{"rendered":"Spies on wheels: how carmakers collect and then resell information"},"content":{"rendered":"

Guess which of your possessions is the most active at collecting your personal information for analysis and resale?<\/p>\n

Your car. According to experts at the Mozilla Foundation<\/a>, neither smart watches, smart speakers, surveillance cameras, nor any other gadgets analyzed by the Privacy Not Included<\/a> project come close to the data collection volumes of modern automobiles. This project involves experts examining user agreements and privacy policies to understand how devices use owners\u2019 personal data.<\/p>\n

For the first time in the project\u2019s history, absolutely all (25 out of 25) reviewed car brands received a \u201cred card\u201d for unacceptably extensive collection of personal information, lack of transparency in its use, poorly documented data transmission and storage practices (for example, it\u2019s not known whether encryption is used). Even worse, 19 out of 25 brands officially state that they can resell the information they collect. The icing on the cake of such privacy violations is that car owners have almost no ability to opt out of data collection and transmission: only two brands, Renault and Dacia, offer owners the right<\/em> to delete collected personal data; however, it\u2019s not so easy to even figure out if you should exercise this right.<\/p>\n

Buried deep within the license agreements that car buyers usually accept without even reading, there are utterly outrageous violations of privacy rights. For example, the owner\u2019s consent to share their sexual preferences<\/strong> and genetic information<\/strong><\/a> (Nissan<\/a>), disclosure of information upon informal requests from law enforcement agencies (Hyundai<\/a>), and collection of data on stress levels<\/strong><\/a> \u2014 all in addition to 160 other data categories<\/a> with deliberately vague names such as \u201cdemographic information\u201d, \u201cimages\u201d, \u201cpayment information\u201d, \u201cgeolocation\u201d, and so on.<\/p>\n

The worst brand of all in the ratings was Tesla, which earned, in addition to all the other possible penalty points, a special label: \u201cUntrustworthy AI\u201d.<\/p>\n

How cars collect information<\/h2>\n

Modern cars are literally crammed with sensors \u2014 ranging from engine and chassis sensors that measure things like engine temperature, steering wheel angle, or tire pressure, to more interesting ones such as perimeter and interior cameras, microphones, and hand presence sensors on the steering wheel.<\/p>\n

All of them are connected on a single bus<\/a>, so the car\u2019s main computer centrally receives all this information. In addition, all modern cars are equipped with GPS and cellular communication, Bluetooth, and Wi-Fi modules. The presence of cellular communications and GPS in many countries is dictated by the law (to automatically call for help in an accident), but manufacturers happily use this function for the convenience of both the driver \u2013 and themselves. You can plan routes on the car\u2019s screen, remotely diagnose malfunctions, start the car in advance\u2026 And of course, the \u201csensors and cameras \u2192 car computer \u2192 cellular network\u201d bridge creates a constant channel for information collection: where you\u2019re going, where and for how long you park, how sharply you turn the steering wheel and accelerate, whether you use seat belts, and so on.<\/p>\n

More information is collected from the driver\u2019s smartphone when it\u2019s connected to the car\u2019s onboard system to make calls, listen to music, navigate, and so on. And if the smartphone is equipped with a mobile app from the car manufacturer for controlling car functions, data can be collected even when the driver is not in the car.<\/p>\n

In turn, information about passengers can be collected through cameras, microphones, Wi-Fi hotspots, and Bluetooth functions. With these, it\u2019s easy to find out who regularly travels in the car with the driver, when and where they get in and out, what smartphone they use, and so on.<\/p>\n

Why do car manufacturers need this information?<\/h2>\n

To earn more money. Apart from analysis for \u201cimproving the quality of products and services\u201d, the data can be resold, and car features can be adapted for greater profit for the manufacturer.<\/p>\n

For example, insurance companies buy information about a particular driver\u2019s driving style to more accurately predict the likelihood of accidents and adjust insurance costs. As early as 2020, 62% of cars were equipped with this controversial function right at the factory<\/a>, and this figure is expected to rise to 91% by 2025.<\/p>\n

Marketing companies are also eager to use such data to target advertising based on the owner\u2019s income, marital status, and social status.<\/p>\n

But even without reselling personal data, there are many other unpleasant monetization scenarios, such as enabling or disabling additional car functions through subscriptions, as BMW tried unsuccessfully to do with heated seats<\/a>, or selling expensive cars on credit with forced vehicle lockdown in case of payment default<\/a>.<\/p>\n

What else is wrong with data collection and telematics?<\/h2>\n

Even if you think \u201cthere\u2019s nothing wrong with ads\u201d and \u201cthere\u2019s nothing interesting they could learn about me\u201d, consider the additional risks you and your car are exposed to due to the technologies described above.<\/p>\n

Data leaks.<\/strong> Manufacturers actively collect your information and store it permanently \u2014 without sufficient protection. Just recently, Toyota admitted to leaking 10 years of data<\/a> \u2014 all collected from millions of cloud-enabled vehicles. Audi had information on 3.3 million customers<\/a> leaked. Other car manufacturers have also been victims of data breaches and cyberattacks. If this much personal data falls into the hands of real criminals and fraudsters, not just marketers, it could spell disaster.<\/p>\n

Theft.<\/strong> Back in 2014, we explored the possibility of stealing a vehicle via cloud functions<\/a>. Since 2015, it has become clear that criminals remotely taking over a car is not some futuristic fantasy, but a harsh reality<\/a>. Car thefts in recent years often exploit the remote relaying of signals from a legitimate key fob, but last year\u2019s epidemic of KIA and Hyundai \u201cTikTok hijackings\u201d<\/a> was based on the car\u2019s smart functions and only required the thief to insert a USB drive.<\/p>\n

Surveillance of relatives.<\/strong> When the car does not belong to you, but to a relative or employer, the owner can track the car\u2019s location, set geographical limits for its use, set speed limits and permitted driving times, and even control the volume of the audio system! Many car brands, such as Volkswagen<\/a> and BMW<\/a>, offer such features. As we know from our stalkerware research<\/a> and the recent AirTag tracking<\/a> scandals, such capabilities are simply crying out to be abused.<\/p>\n

How to reduce risks?<\/h2>\n

Due to the scale of the problem, there are no simple solutions. Therefore, here are some mitigation options in descending order of radicality:<\/p>\n

    \n
  1. Walk or ride a bicycle.<\/li>\n
  2. Buy an old car model. Almost all cars manufactured before 2012 have very limited data collection and transmission capabilities.<\/li>\n
  3. Buy a car with a minimal set of \u201csmart\u201d sensors and\/or no communication module. Some manufacturers offer basic configurations with limited capabilities, but this requires carefully reading the user manual. The absence of a dedicated communication module (GSM\/3G\/4G) in the car is a reliable sign of its limited capabilities. Note that more and more cars come with smart features even in basic configurations<\/a>\u00a0(this path has already been paved by Smart TVs \u2014 they make money by collecting and selling data).<\/li>\n
  4. Don\u2019t install the car\u2019s mobile app on your phone. Of course, starting the car from your smartphone or warming it up before you get in is often convenient, but is it necessary to pay for these features with deeply personal information \u2014 in addition to the money you spend? Very debatable.<\/li>\n
  5. Don\u2019t activate Apple\u2019s CarPlay or Android Auto pairing functions. When these functions are activated, the smartphone OS manufacturer gets all kinds of information from the car, and the car, in turn, retrieves information from the phone.<\/li>\n
  6. Don\u2019t connect the car to your phone over Bluetooth or Wi-Fi. This way, again, you lose some functionality, but at least the car won\u2019t send information to the manufacturer through the phone, and nor will it download the phone\u2019s address book and other personal data. You can compromise by establishing a Bluetooth connection only for \u201cheadset\u201d and \u201cheadphones\u201d protocols: you\u2019ll be able to play music from your phone through the car speakers, but the transmission of other data types (such as the address book) won\u2019t be available.<\/li>\n
  7. A bonus tip, which doesn\u2019t exclude the previous ones: Mozilla suggests signing a collective petition to car manufacturers<\/a>, urging them to change their business model and stop making money by spying on customers. Power to the petitioning people!<\/li>\n<\/ol>\n\n","protected":false},"excerpt":{"rendered":"

    What personal information do modern cars collect about you, and how can you avoid surveillance or hacking of your vehicle?<\/p>\n","protected":false},"author":2722,"featured_media":26675,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2026],"tags":[629,3739,707,971,82,561,43,268],"class_list":{"0":"post-26674","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cars","9":"tag-cars-car-hacking","10":"tag-connected-cars","11":"tag-connected-devices","12":"tag-hacking","13":"tag-hacking-cars","14":"tag-privacy","15":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/26674\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/26393\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/21913\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/29089\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/26783\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/29270\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/28114\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/36413\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/49341\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/21117\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/21903\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/30619\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/34999\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/27074\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/32676\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/32418\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/cars\/","name":"Cars"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=26674"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26674\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/26675"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=26674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=26674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=26674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}