VW breach exposes location of 800k electric vehicles (opens in new tab)

In Spain they soon will require V16 [0] too. Originally it was just a flashing light but then it was improved to use mobile networks to send an emergency call to authorities. And proving, that technically, it is possible to have something like ECall without deep integration into the car.

No need of having always on connection to the network, enable on emergencies only. Thus no remote hacking of SIM/base band possible at random times, or broadcasting presence until used. Mechanic or user can check battery periodically, replace if low, just like refilling wiper fluid. Car could even cut all other electric systems after deploying the integrated autonomous V16-like system.

Car manufacturers deciding to make their ECall implementations complex and privacy invading was their choice.

[0] https://en.wikipedia.org/wiki/V16_warning_beacon_lights

Yes and no. Ecall is but telemetry is not. And ecall only makes a call in case of a crash.

Just enable it by default and put a warning in big red letters that disabling the cellular modem will also disable the ECall system, which may mean you might not get the emergency assistance you need and therefore die.

AFAIK ECall uses a voice call with data encoded on the audio channel. This is not what telemetry does, it should be doable to leave the voice channel and disable any data connections. (But it's probably very hard to check for someone who has no background in emebedded systems). Plus, in theory an emergency call can be done without even using a SIM card, right (if network allows)?

What do Chinese vehicles have to do with this, or the ability of US Senators to "provide" alternatives? Sorry wasn't aware that the Ford family has someone in the US Senate.

Expand this to any product. I should be able to use ANY product fully, without maintaining some kind of communication channel to and/or from the product's manufacturer. When I buy a hammer from Home Depot, I take it home and hammer with it. The manufacturer doesn't know I have it, doesn't know how many nails per month I hammer with it, how many swings it takes on average for me to drive in a nail, how often I use the claw side. They don't know if I use it for other purposes besides hammering nails. They don't know if I lend it to my neighbor. I can sell it to someone else without the manufacturer's permission.

Somehow hammer manufacturers can live with this. Why can't automakers, tech device manufacturers, and software developers live with this?

Default Opted Out

Opt In should NOT be required to enable features.

Features should not be rented, and should be delivered as purchased with the car. Shipped but disabled features that take up additional vehicle weight (relative to lacking the feature) should not be allowed. (This phrasing is precise, to allow for silicon and software enhancements which are not a material change to vehicle manufacturing / design.)

Setup processes should always empower the user. If there are multiple choices or paths a default may be indicated, but alternatives MUST NOT be in other locations, and MUST be displayed with equal prominence in a logically adjacent section of the dialog.

Example from a website: 'Paperless' should not be force enabled by default; the ability to have paper or paperless billing should be radio boxes next to each other. Additional benefits (E.G. higher account interest rates) should not be tied to either selection.

I do this all the time. Don't even have a fob to begin with but it's very convenient when you're in a shopping mall and are going to make your way back to the car, for example.

Also handy to find your car if you manage forget where you parked for some reason. Or to set a destination for GPS navigation.

Schedule heating etc through their app

I like the 'call emergency services on airbag deployment' too, on the fence about removing it, I guess if I had an apple watch that could do the same thing but then I'm just moving the surveillance from one ecosystem to another

>If you’re out of key fob range do you really need to pre-heat the car?

Yeah, that can save 15 minutes of scraping the windows for snow and ice in the morning and afternoon.

I've read disabled cellular modem on toyota prius also disables the microphone for bluetooth phone calls / handsfree commands. funny that.

Both of those features were available on cars before cellular connectivity.

You can't see the tire pressure on the dash?

> I'd rather focus on standardizing a transparent and privacy safe way to gather these metrics. Consumers would know what metrics are collected and there would be guarantees that privacy is kept.

I'd rather see laws to have it disabled by default. People who don't mind can then opt-in again.

Defending this because "it's industry standard" is no better than justifying any wrong practice because "it's always been done this way".

> Honestly there are many good reasons to do so and it does result in finding real problems and solving them.

Honest question, what is a good reason to do this?

My Logitech software sends telemetry to Logitech.

My VW apparantly sends my GPS coordinates.

How is this useful for improving their hardware?

> Honestly there are many good reasons to do so and it does result in finding real problems and solving them.

Tell that to Microsoft. Although their products have telemetry, they become shittier every day.

I would love a wiki of vehicles for simply 'how to rip out the SIM card'

I thought I saw instructions somewhere for my 2020 prius but can't find it now. a few reddit threads asking about it, I like the suggestion that even if its eSim or somehow embedded in the cellular modem, "Disconnect the antenna! / shunt the telecommunication modems antenna with a resistor shunt. It will trick the radio into thinking the antennas still connected but won't allow any data to be going out they just won't get signal"

https://www.reddit.com/r/Toyota/comments/1be9zuc/wheres_the_...

And in 10 years time what’s your solution?

modern cars are unfortunately much safer

I bought a used '14 Leaf in '16. It has been a great car with very little battery degradation. Sure, I'm not going to be taking it on any long trips, but for 90% of my driving it is great. I paid $11k for it. Best car purchase I've made in 30+ years of car ownership.

That's amazing considering 2023 was only last year.

I've owned two LEAFs. Fantastic vehicle. I only got rid of it when I realized all the cars around me were only getting bigger and heavier, and I felt I needed to get an SUV to defend myself against that.

you're taking to a bunch of old men shouting (literally) at clouds

The Polestar 2 is pretty good in this regard. All the most important things are on the steering wheel stalks, steering wheel buttons, and a few buttons for things like demist, play/pause and volume control on the centre console. There's still a lot on the touchscreen, including climate control, but it seems to hit a pretty good balance for me (and I'm not a fan on car touchscreens).

Safety agencies in Europe are already pushing to bring these back: https://arstechnica.com/cars/2024/03/carmakers-must-bring-ba...

Many EVs have a sensible amount of buttons, and you generally don’t need the touchscreen for driving or much else for that matter.

I can even keep driving while the whole system is rebooting. Around here (where we have many immigrants and some odd practices) I’ve seen people with a towel hanging over their screen while driving, to protect it like a dust cover I guess.

The one thing you might argue I do need from my screen is the speed, which is very easy to see and usually not needed in the flow of traffic.

The outcry against screens is just misinformed imho. My car has plenty of mechanical buttons.

Both my Bolt(RIP) and my Ioniq 5 have mechanical buttons for the most common things(media controls/HVAC)

Kia/hyundai, best EVs imho

How is a complete rebuild of a car your go-to solution to an easily accessible cellular modem powered through the fuse box

me thinks anyone with a cell phone in this year of our Lord 2024 should not say they worry about privacy in any context. instead of converting old car to EV I’d start by converting a rotary phone to a portable one :)

only worth it if you really value the environment, your privacy, but not your life

The opt-out should be pulling the telematics fuse. Unless you can audit the source code, you can't, and shouldn't, trust the software.

Apple knows how to allow one to find one’s devices without Apple knowing where they are. It’s not that hard.

More like automated ticketing for speeding.

An onboard database and a GPS receiver?

Reminds me of cookie banners. Annoy you into submission

(I know the EU doesn't mandate annoying cookie banners but unintended consequences etc)

It already is and this will go to EU courts.

VW paid "$14.7 billion to settle civil charges in the United States" and was ordered "to pay a $2.8 billion criminal fine for 'rigging diesel-powered vehicles to cheat on government emissions tests'."

https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal

European companies get fined the same as any other companies.

Not surprisingly as the EU grew out of post war coal and steel association

Yep, and this will be the end of CARIAD. Volkswagen has already b decided to bleed them to death with the Rivien joint-venture. I guess they'll shut down the rest of the operation much, much faster now. This is the perfect reason for them to do so and what they have been waiting for.

That's not how the GDPR works. Cariad may be a subcontractor (data processor in GDPR speak) for VW, but the driver does not have a contract with Cariad -- their contract is with VW (the data controller in GDPR speak). The data controller is always jointly liable with the processor for 3rd-party data breaches.

CARIAD is a 100%-owned subsidiary of the Volkswagen group.

Too big to fail and too much of it is state owned, either directly, or through government-owned retirement funds.

The government will investigate itself and find no wrongdoings, let's go after the journalists who committed the ultimate crime: Embarassing Officials.

Repo isn't a customer's concern and is thus irrelevant. Incidentally I walked to the window and I can see where my truck is without my phone. Is there really no limit to the bullshit folks will allow themselves to be convinced to install on their phones?

Those are mostly things that require the car to know its location. They don't require that the car share the location with the car's maker except possibly sharing what region the car is in.

The region sharing might be needed to efficiently update things like the map and the speed limits.

None of that requires cellular connectivity. It can and was accomplished using only wifi sync at home. Live traffic information is (was?) broadcast on AM radio.

Niche feature that shouldn't affect any other part of the car's operation if it were turned off or nonfunctional due to modem hardware shutoff.

speed limits come from a database written alongside map data

All bullshit my car shouldn't do in the first place.

What I understand from the presentation

Many Volkswagen cars somehow report telemetry. Looks like there is data not only from the EVs based on the MEB plattform? But for a Name/email to be associated with the VIN of the car, the owner has to register and use the app (once). Many EV owners did, but fewer of the non EVs did.

> The fact that you have passed audits isn't a guarantee (or even an indication) that you don't have major security vulnerabilities.

Please explain that to my IT department.

There is no reason why this can't be E2E.

Eh, "consented to" is rather weak when you are forced to hit the "I agree" button to be able to drive the car you bought. That and forced arbitration need to die posthaste.

Most likely that's illegal in DE, FR and PL. See a related thread about trains at CCC.

Ugh, I would love to see more companies bankrupted. How much more dynamic the economy might be if all of Volkswagens assets were put up for bid at government auction.

Adbusters magazine (credited with spurring occupy wallstreet with a solid meme campaign) tried to get inertia going around revoking corporate charters, stop acting like we don't have power, corporations are borne into existence by acts of government, we are not powerless to punish them for crimes against humanity (to be dramatic about it, I don't know what language would be appropriate for collecting location information for a million individuals without disclosure), but didn't see much traction about it.

https://www.adbusters.org/full-articles/rise-of-the-corporat...

One way of looking at it is that the manufacturers are acting as a cartel to prevent anyone having access to privacy.

My theory is that most people think about data misuse, perhaps unconsciously, from the viewpoint of your average good person. E.g. "if I got a hold of a stranger's bank information, then I'd be tempted to steal from them."

Instead they should think from the perspective of an evil person. E.g. "how can I proactively use whatever data that I can get to hurt someone."

For example, at a previous job I went to my managers and pointed out that every developer working on our system had access to our user's names and their involvement with racial justice programs our client was running. By guessing someone's ethnicity from their name, a bad actor could target minorities involved in racial justice. The response I got was not to fix the security issue; instead it was horror that I would ever conceive of such a scheme.

That's just bad opsec. I would have thought rule number one of soliciting was to be cash only.

Ignoring of course that the amount of aggregated surveillance makes it impossible to escape monitoring. Credit cards, license plate scanners, phone GPS, airtags, doorbell cameras, "Eye in the Sky" spy planes, etc

> An average Joe like me shouldn't be able to

The average joe is merely a side effect of the government collecting all that data. The government is also why your car reports its location.

why not have whatever dies replaced? I will probably do that with my crappy small truck from 2006.

I doubt VW cares about real time locations of all their vehicles. Only government officials at the DMV care.