I found the vehicleprivacyreport.com site awfully misleading. The "Vehicle Privacy Label" only lists what the manufacturer's current policies are, not what applies to my vehicle. It makes it seem like Toyota is somehow remotely collecting and sharing tons of information about my...2007 Prius. But this car came out in 2006, well before people assumed easy internet connectivity everywhere. Shy of having physical access to my vehicle, they can't read anything, but it's not easy to find that explanation on the site.
I think it's wild that people spend their own money to surveil themselves every second they're near their car. Maybe I've seen too much lawyering on TV and in movies, but if I'm in a collision with you, I'm definitely asking the cops to pull the SD card from your dashcam.
Whenever I point out I think this self-surveillance is crazy, the response ends up sounding something like "oh, no big, if I think I did something wrong I'll just hide the evidence and lie to the police and say it doesn't work", which sure doesn't sit right with me.
My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.
The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap ARM Linux board and a CAN transceiver to enable writing a two-way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.
I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.
Remove the antennas. Do not give in to the mirage of convenience.
Use a stand alone generic GPS. Vehicle GPS devices are anti privacy for so many reasons.
Listen to stored music from an SD card if terrestrial radio (NO SATELLITE). Did you know almost ALL late model cars can play a <128gb FAT32 USB drive with non-VBR mp3s? 64gb filled with 168kb mp3 audio would take roughly 3 years at 4 hours a day to listen to.
TURN YOUR PHONE OFF. Your phone does more than track you - the Bluetooth and wifi beacon scanners are always running. When you come across another person, most phones track the intersection of your beacon with theirs making a new data point that compromises both individuals' privacy. Now consider sitting at a stoplight; you and the 10 phones around you have now correlated the time and position you were sitting there. The person jogging by with no phone (but a set of Bluetooth headphones) is also tracked by their Bluetooth signature. Terrifying.
Disable autonomous driving hardware by unplugging the cables from the interior cameras. If your car needs to see and feel you in order to do its job, it's co-dependent; break up with it.
Ignore your car's complaints and error messages. Did you know Orange dash error lights are non critical?
as a professional diesel mechanic for a small chain of midwest shops, this "telematics" feature is on long-haul trucks as well as tractors (John Deere is notorious for using it to send mail marketing about services.)
generally it's not hard to disable.
- identify the telematics module in your car
- pull the fuse (not always an option, sometimes this disables bluetooth)
- alternatively: identify the 1-2 SMC connectors on the telematics device. this is the LTE and low/alt channel for the cellular communications. disconnect these 1-2 connectors and connect the ports instead to a 50 ohm terminator. the vehicle will simply continue to collect data but never be able to send it anywhere. the system will assume it just can't find a tower.
I thought about getting a traditional navigator to avoid even relying on phone navigation.
Well, of course all the Garmins and Tomtoms available now have "built-in wifi for updates" and often BT for phone notifications too. Sure, I could just not configure either but what if I want a navigator _without any radios_ and with controlled updates via SD card.
Maybe a dedicated Android phone in the car with offline OpenStreetMaps installed and airplane mode on is more realistic. Or some old 2nd hand navi that's still updateable.
Amazingly but perhaps not surprisingly, cars in the EU do similar amounts of spying on you, but the EU is silent. Car manufacturers pretty much run the EU.
Disabling the hardware can be really hard, my 2025 Toyota Sienna is always connected. You can't just pull a fuse or rip out an antenna, I have to take the entire dashboard apart to reach the Data Communication Module (DCM) module. If anyone's curious what that looks like, it's a little bit easier on the Toyota Tacoma, here are some pictures of the process: https://www.tacoma4g.com/forum/threads/disabling-dcm-telemat...
It's complex enough that I haven't done it yet in my Sienna, but I plan to!
I have an electric car and if I want to remotely turn on charging, it won’t allow me unless the full data sharing option is enabled. Full data as in your driving data like a black box logger. I then have to go in the car, enable it, then I can remotely turn on charging. I have to remember to opt-out again later. Ironic I know because I can turn on charging from within the cabin without having to enable any of the data collection. What an inconvenient experience.
I wonder what the extremely rich do to get a car that isn’t a security risk? I’ve heard you can throw money at high end car dealerships to disable spying, but I wonder what the internal process is.
I won't mince words. This is criminal and should be dealt with that way. It is obvious I don't want my information collected and sold. I make it clear every reasonable chance I get. This goes beyond abuse of my privacy, this is digital assault and the company officers that allowed these 'features' should be thrown in jail for it.
I'd like to see a website that ranks vehicles by make and model. That would influence shopping behaviors, and consumers would influence manufacturer behaviors.
The Chevrolet Express dash hasn’t changed since 1995. You decide if you want windows, 12, 15 or no seats. Also the perfect car for TOR users.
Not driving seems to have worked pretty well thus far.
The problem is that with Flock, you’re basically being tracked incessantly anyways, so who cares if the automaker also does it?
Here is something else you can do about it. Buy an older low mileage car. If we all did that the manufacturers would change tack soon enough.
Is all of this data collection from the driving aids actually us doing R&D for their autonomous car projects?
IIRC, Massachusetts passed a right-to-repair law a few years ago. Based upon the text of the law, all new cars purchased there have the spying disabled because they did not want to give up their proprietary info.
There have been a lot of court cases about that law by the manufacturers, so I do not know the status at this point.
So I wonder if that is still the case. If it is and an out of state person buys new there, will that "spying" remain disabled when they bring the car home?
I went to Carvana to get some idea on what my car might be worth. I gave them the license plate, and it gave me a questionnaire about specific trim and options along with asking about the current mileage. I couldn't remember the exact figure so I guessed rounded to the thousand. The app complained and wouldn't take it as they knew the mileage which was some 150ish miles more. Apparently my car had reported the mileage the last time I drove it, which had been about an hour before.
Carvana knew exactly how many miles I had driven within an hour of me driving my car.
Is there anything we can do about it short of avoiding new cars? Our legislators have proven unwilling to pass real privacy laws.
How do you write an article about this and not mention the GDPR or EU privacy laws?
>"It’s hard to figure out exactly how much data a modern car is collecting on you"
You are a globally operating news agency. You can absolutely get some GDPR requests in and look at it. What kind of reporting is this? "We don't know, but we also have not tried the one way which forces companies to answer this question".
BMW is a German company, just ask them for the information they have on you and they are forced to give it to you.
No doubt about this one. But, how much are the ubiquitous ride-for-hire e-scooters spying on you, and everyone else on the street?
There is spying and there is spying
Back in August IDF banned Chinese cars from entering bases
https://www.jns.org/report-idf-bans-chinese-cars-from-bases-...
And now banned them from being used by officers
https://securityboulevard.com/2025/11/why-israel-just-banned...
I wonder what IDF knows
The problem is a lot of the features of these cars require you to opt into giving your privacy away. And when you’re shopping it’s not clear where that line is.
A 2013 Chevy Volt has a camera on the dashboard pointed at the driver. The entertainment dashboard has a dozen communication options, including those for safety? Zealots and the unhinged will quickly comment no doubt, but for the rational citizens I ask, when was this normalized? Was it automakers emboldened by the acceptance of cell phone central record keeping?
nothing. And banning ALPR won't fix anything either. All cars have 4 unique serial numbers broadcast via radio at all times via the TPMS system. you don't even need a camera, just a radio receiver.
so ya!
My house is fairly close (125') to a rural "highway", and only internet here is mobile data that my phone shares with other devices and mornings (anytime) my older desktop with 2.5 GHz wifi gets bumped off with the passing of every car that has glaring super white headlights, but not the ones running yellow incandescents. Whatever RF signal is coming off these things must be barely, or completely, illegal, and could obviously be tracked in any number of ways, so not so much being spied on, as just flat out transmitting everything you do in ridiculously fine grained detail.
The car data collection story is concerning, but it's part of a broader pattern: credentials and personal data are scattered across dozens of services we interact with daily.
The automotive example shows how even "non-tech" products now collect and transmit data. Each service creates another attack surface, another set of credentials to manage, another potential breach vector.
What's frustrating is that breach response still falls on individuals. When one of these services gets compromised, it's users who have to scramble to change passwords across potentially hundreds of connected accounts. The "change your password" advice is good but wildly impractical at scale.
I worked on the data platform at a smaller car co, and there were tight controls around getting access to precise geo data, and there were strong privacy advocates at higher levels. Wasn’t a perfect system, but “spying” would be far from what I saw