Description:
Your car is spying on you—and not just in the ways you’d expect. From contact info and driving behavior to biometric data and facial recognition, modern vehicles are collecting more data than ever. In this episode, we dive into how automakers and even governments are using this data, including a lawsuit against GM for allegedly selling driver data to insurance companies. Plus, we explore security vulnerabilities in key fobs, EV chargers, and even Tesla’s software, where hackers have demonstrated alarming access to vehicle functions. Stay tuned to learn how to protect yourself from privacy risks and potential cyber threats in your own car.
Sources:
- AP - In China, your car could be talking to the government
- Quartz - A Chinese official explained how the country’s electric-car surveillance works
- Car Scoops - More Venues Across China are Banning Tesla EVs over Security Concerns
- Wired - How Your New Car Tracks You
- VPR - VehiclePrivacyReport
- Texas lawsuit - State of Texas v. GM
- CBS News - GM is selling driver data to insurers w/o consumers’ knowledge.
- Reuters - Tesla workers shared sensitive images recorded by customer cars
- UNR - Can EVs be hacked
- Dark Reading - Tesla Gear Gets Hacked Multiple Times in Pwn2Own Contest
[00:00:20] Hello everyone and welcome to Kilowatt, a podcast about electric vehicles, renewable energy, autonomous driving, and much, much more. My name is Bodie and I am your host. And on the next three episodes, I have something special for you. So I sat down with Tom Merritt of the Daily Tech News Show and we talked about Chinese EVs. And basically Tom wanted to talk about affordable Chinese EVs. And as far as I'm concerned, that's a pretty broad topic.
[00:00:49] And we had about five to seven minutes to cover this very broad topic. So I wrote a bunch of notes up because I didn't know exactly what Tom was going to want to talk about. Obviously, it was a lot. And we had our conversation and at the very end, I said, hey, listen, I have a bunch more notes. Are you interested in looking at the notes? And he said, sure.
[00:01:11] So I sent Tom the notes and he went through what he thought would be interesting, which was cybersecurity or potential privacy risks, EV technology and innovation, and why BYD or specifically Chinese EVs are so cheap. Like why don't they cost more?
[00:01:31] So that is what we're going to cover over the next three episodes. And we're going to start with the potential privacy security risks. And actually, to be honest, this is more about all EVs or any connected car and less about the Chinese market. Although we will talk a little bit about that. So I found a Wired article from 2023 entitled How Your New Car Tracks You.
[00:01:58] And Wired took 10 of the most popular cars in the US and ran their VIN number through Vehicle Privacy Report. And I'll put a link to that in the show notes. The website address is VehiclePrivacyReport.com. And what it does is it'll show you what identification these manufacturers are collecting on you.
[00:02:19] So just to give you an example, I put the VIN number of my Tesla into Vehicle Privacy Report and I get a little dashboard that comes up and it says Tesla data practices. And then the first one that comes up is identifiers and it says, yes. Well, what does that mean?
[00:02:37] It says that the manufacturer discloses that it collects identifiers. So right there, we know that Tesla is going to collect my name, my address, my region, my email, phone number, blah, blah, blah, credit card information. The next one that comes after that is biometric. And for that, it says silent. So they didn't find any quotes by the manufacturer in public documents that says that they collect any biometric information. So that's great.
[00:03:05] So if you're interested in what kind of data your car is collecting on you, this is a good place to go. It's VehiclePrivacyReport.com. And since Wired used them, I trust Wired. I didn't do any research into VehiclePrivacyReport.com. But since Wired trusts them, I trusted them. Maybe that's a mistake. But yeah. Anyway, here are some of the other ways that Wired says that they collect you with your contact information.
[00:03:30] We already went through that. Your radio presets and listening preferences, your driving behavior. Did you wear your seatbelt, trip logs, precise location, biometric data, like I said, which is in most cases like face recognition. Again, if you're curious about what your car is reporting back to the automakers, you can go to this site and check it out.
[00:03:51] But in August of 2024, Texas Attorney General Ken Paxton filed a lawsuit against GM for selling driver data to insurance companies without owners' consent. But the lawsuit alleges that GM was telling customers that the data that was being collected, excuse me, would be used to improve safety and functionality. And maybe that's partly true, too.
[00:04:17] But they also may have sold that information, and it sounds like they did, to insurance companies. And in turn, those insurance companies raised the rates of certain GM drivers that they thought were a little bit more risky, even though these drivers had not had an accident or a moving violation.
[00:04:35] And recently, GM agreed that they would collect data on their customers, but they would not be selling that data about their customers to third parties for a period of time. And I think this was part of the settlement or whatever ended up happening with that.
[00:04:52] But anyway, not great if you spent, you know, let's say, let's be generous, $35,000 on a vehicle, and that vehicle is spying on you and making your insurance rates go up. Even though you didn't do anything technically wrong, you just did something that the insurance companies feel is more risky. So, yeah, that's definitely a problem.
[00:05:18] And then this is another story that involves Tesla, and we actually talked about this when it happened, but it's worth mentioning again. According to nine former employees that Reuters spoke with, and these are Tesla employees, they were data labelers, to be more specific. But the data labelers were sharing videos and images from Tesla vehicles on the company's private messaging system.
[00:05:43] Now, this seems like it's fine, you know, if somebody is like, hey, I don't know how to quite label this, or what do I need to do in this situation? That's totally normal. But some of the content that was shared included pictures of a dog, of dogs, and they made those into memes, so that's fun. Employees could see into owners' garages or property, which is, you know, not wonderful. There were people doing their laundry.
[00:06:11] There was a naked man who was approaching the vehicle. And then there was even a video shared of a child riding a bike that was hit. One of the Tesla vehicles had hit the child. So this is obviously not going to pass the headline test. One former employee even mentioned that they could see where the recordings were taken, which is even creepier if you have some data labelers who are maybe not, I don't want to say this, maybe they're not good people.
[00:06:41] And they've decided that they've taken an interest in one particular person and they want to stalk them. That can be pretty creepy and in some cases dangerous. So, but to be fair, Reuters also said that they talked to some Tesla employees or former Tesla employees that said the only sharing of images and videos that they were aware of on the messaging system were for work purposes only.
[00:07:44] Okie doke. That wraps up our privacy portion of this episode. Let's go ahead and get to the security portion. Now, before we do this, I need to warn you. I am no Bart Busschots when it comes to security. I am just your average dummy when it comes to security. So, I am going to give you the basics of basic. And, yeah, we will start with that.
[00:08:13] So, when we are looking at our connected cars, we should not think of them as cars, but actual connected devices like our phones. Hacking cars, at least in recent history, is not all that new. There were a number of different key fob hacks where someone is able to actually get into your car. Car companies figured this out pretty quick.
[00:08:37] And now there's, you know, encryption and a rolling code system and, you know, an algorithm with like pseudo random code and a bunch of other stuff that goes along with that. So, I don't think unless you're, you know, specifically targeted, I don't think that's going to be anything that most of us need to worry about at this point.
[00:08:56] But it should go without saying that hacking a vehicle is a lot more high tech nowadays because all of this connected data and there's different ways to get into the car and there's different ways to access that data or possibly wreak havoc. So, Pwn2Own in Tokyo, there was a hacking group.
[00:09:16] They're called PHP Hooligans and they were able to exploit 24 zero-day vulnerabilities, not only in Tesla's wall connector, but other companies' wall chargers as well, like ChargePoint, Wolfbox, Autel, just to name a few. And basically, they were able to crash the charger. Now, is that a big deal? Probably not. But could that lead to other things? Probably. A lot of these wall chargers are actually connected devices.
[00:09:46] So, if you just leave the Wi-Fi open, you're leaving yourself up for, again, a targeted attack. It is possible, I guess, if you have it on your home network and your home network's secured, they could somehow hack into it. But, again, I think you'd have to be targeted or it would just have to be out there.
[00:10:06] Like, somebody at these companies would have to do such a poor job of securing their device that it would just be easily accessible by anybody and they could just randomly crash it. I don't think that's what happened here. And then, one more story on hacking here. In 2022, security specialist David Colombo, who was actually, he was like 19 at the time, he was able to remotely hack 25 Teslas all over the world.
[00:10:35] He got the owner's permission to hack the car, which seems like, to me, he already hacked it if he was able to get the owner's permissions. But he did. He used a third-party open-source software called TeslaMate that does data logging. And through TeslaMate, David was able to view Tesla's source code and found that it gained access to actual vehicle data. And he was able to control some things.
[00:11:01] He found that the login credentials are exchanged for a token, and the token was unencrypted and stored in an unsecured database. Again, I'm a little bit over my skis here, so don't ask me any follow-up questions here. But he was able to use the TeslaMate software to access certain kinds of data. So, TeslaMate as a program is not nefarious. It's open-source.
[00:11:30] A lot of people use it. I don't. But TeslaMate was gathering, you know, easily accessible or publicly accessible data like charging statistics. David was able to use that same API to get access to Tesla's unsecured tokens and was able to see the vehicle location. He was able to turn off sentry mode. He was able to unlock doors.
[00:11:58] He could enable keyless driving, even if the PIN to Drive feature was turned on. So, yeah, it's kind of a big deal. Tesla and TeslaMate responded quickly when David notified them about the vulnerability, and they patched it, and that vulnerability no longer exists. But there's a lot out there.
[00:12:18] And then in terms of, and I guess this is more for privacy, but in terms of, you know, governmental spying, in 2018, the Associated Press reported that EVs in China were sharing near real-time information back to the Chinese government. And this has been happening since the Beijing Olympics in 2008.
[00:12:43] So this includes over 200 auto manufacturers. It's only EVs. The automakers don't have a choice. If they want to continue to operate in China, they absolutely have to share the data back to the Chinese government. And this isn't something that China is, like, denying. A Chinese official actually went on record to say that they're using this information for public safety,
[00:13:13] development of infrastructure and planning and preventing subsidy fraud and all this other stuff. Now, as you can imagine, there are people who are concerned about what the Chinese government is doing. They see this as, you know, surveillance, security, possibly undermining foreign car makers. I don't think that last part we've seen any evidence of.
[00:13:38] But, you know, we do know that China has this social currency system. There's cameras everywhere, as we were talking about on one of the previous episodes, where Tesla owners using FSD for the first time in China were getting hit with all these tickets and fines because of the way that the car was driving, even though there was no, you know, police presence around. These were all caught on the camera, on cameras.
[00:14:07] And, you know, nothing bad about Chinese automakers, but I would be concerned about a Chinese vehicle that sold outside of China. Is that data going back to the Chinese government? The answer is probably no, but that's something I would be concerned with for sure. I'd want to have an answer before, you know, if I was in charge of the world, I'd want to have an answer before I allowed that particular Chinese manufacturer operate
[00:14:36] in whatever country they wanted to operate. But that kind of goes the other way, too, which is in 2021, Tesla vehicles were restricted on Chinese military bases because they have cameras and they upload data to Tesla servers, which are, I imagine, all over the world. But one of those places is the United States, which, you know, we're frenemies with China at the moment.
[00:15:05] It sounds like those bans have expanded to include venues that are affiliated with the Chinese government. And if I was just going to use the U.S. for an example, you know, if we ever had a Chinese automaker come here, you know, aside from what Geely does with Volvo and Polestar. But if BYD came here, for instance, I would not be surprised if there was something that came down from the U.S. government
[00:15:35] that said, hey, these Chinese vehicles are not allowed on military bases. That makes total sense to me. All right. Now that I've poorly explained the security concerns, what are some things that you could do to protect yourself? Well, one is you should protect yourself against social engineering. All of these things that we're going to talk about are the same things that you should protect yourself with any electronic device. So if somebody calls and says, hi, my name is Joe. I'm with Tesla.
[00:16:05] And we see that your Model 3 is, you know, low on charge. Why don't you give us your login information? We can help you out with that. That's probably not Joe from Tesla, you know. So we want to be careful with who we give our information to, whether that's through an email, a phone call, even in real life. Social engineering doesn't just happen online. We want to use strong passwords.
[00:16:31] You know, I know that Allison Sheridan hits this a lot, but use a password manager. Apple has a password manager. I'm sure Android has a password manager. But 1Password, and there's some other companies out there, I use 1Password myself, that are really good. And they give you, they allow you to create complicated passwords and store them. And they make it easy for you to log into websites and stuff. So you want to use strong passwords.
[00:16:57] And then don't connect anything random or, I should say this, don't connect any random unknown devices to your car that you're not absolutely sure isn't somehow sending your data back. So that could be connecting it wirelessly to your car, USB, OBD-II port, which is the diagnostic port. You know, I talked to a company, the name is escaping me at the moment, at CES.
[00:17:25] And they had a device that you connected to your OBD-II port. And then it gives you like this dearth of data on your vehicle. And if you're a data nerd, that's really appealing. However, and I don't know if this, I'm sure this company is totally reputable. But if you did this with a company that wasn't reputable, where's that information going? How, you know, you got to be really careful with that.
[00:17:51] Same thing if you connect something via USB or wirelessly to your car. You just got to be really careful. And this next one I'm very guilty of. My car connects to my Wi-Fi when I'm at home, which is fine. When I leave, it's still searching for my home network. So my Wi-Fi is still on. So there is a potential that if I don't turn off this feature before I leave my house, that's a vector for me to get hacked.
[00:18:21] It just is. And I would imagine Bluetooth is the same way. And then, you know, keep your vehicle updated. And if you have one of those wall chargers that's connected to the Internet, make sure to keep that updated as well, because that's really important. And then this last one, I don't know how many people would even consider this, but don't jailbreak your car. Or it's probably not a good idea.
[00:18:50] If you don't know what jailbreaking is, is like if you back in the day when before Apple had apps, before they had an app store, I should say, people would jailbreak their phone and put a third party app store on their phones so that they could gain access to some really cool apps that people built. Unfortunately, there was probably some of those apps that weren't so safe.
[00:19:12] But I would imagine that people would do something similar, jailbreak their car to gain access to features that, let's say, Tesla was keeping locked behind a paywall like full self-driving or the ability to, you know, go from zero to 60 in an extra 0.3 seconds. So, yeah, those are just some things you could do to protect yourself. Obviously, I am not a security expert. I am not a privacy expert. So hopefully you found this interesting.
[00:19:43] My goal is for it to be interesting. I'm going to put links to all of the sources, to all the things that I talked about in the show notes. And if you have questions, please feel free to email me. It's Bodie, B-O-D-I-E at 918digital.com. And then you can also find me on Twitter at 918digital.
[00:20:05] And, yeah, if you want to support the show, if you liked what I've done in March where I've taken the month off, although I'm still recording. It's March 5th. I'm recording this episode. And I'm probably going to be recording all the way to March 6th. If you liked what I've done for March and you are not a patron, go to patreon.com forward slash kilowatt or support kilowatt.com and sign up and support the show.
[00:20:34] For as little as a dollar, all of the ads go away. And that might be something that some of you are interested in. And just a tip. If you become a free member, every now and again, I release one of these episodes for everybody. So you at least get an occasional episode where it's ad free if you go to patreon.com. For ACAST, that's a harder thing to do.
[00:21:04] So you can't sign up for a free membership at ACAST. But if you go to patreon.com forward slash kilowatt, you could definitely do that. All right, everybody. That is it for me this week. On our next episode, we are going to talk about EV technology and innovation. And really as it relates to batteries. So I'm looking forward to sharing that with you. Thanks, everybody. Have a great day.