Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Transportation Government Privacy

Emails, Text Messages Can Be Retrieved From Smartphones Synced to Vehicles (theintercept.com) 71

Slashdot reader ytene writes: As reported by The Intercept, U.S. Customs and Border Protection have just spent $456,063 for a package of technology specifically designed to access smartphone data via a motor vehicle. From the article:

"...part of the draw of vacuuming data out of cars is that so many drivers are oblivious to the fact that their cars are generating so much data in the first place, often including extremely sensitive information inadvertently synced from smartphones."

This data can include "Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been, when and where a vehicle's lights are turned on, and which doors are opened and closed at specific locations" as well as "gear shifts, odometer reads, ignition cycles, speed logs, and more. This car-based surveillance, in other words, goes many miles beyond the car itself."

Perhaps the most remarkable claim, however, was, "We had a Ford Explorer we pulled the system out, and we recovered 70 phones that had been connected to it. All of their call logs, their contacts and their SMS."

Mohammad Tajsar, an attorney with the American Civil Liberties Union (ACLU), is quoted as saying, "Whenever we have surveillance technology that's deeply invasive, we are disturbed," he said. "When it's in the hands of an agency that's consistently refused any kind of attempt at basic accountability, reform, or oversight, then it's Defcon 1."

This discussion has been archived. No new comments can be posted.

Emails, Text Messages Can Be Retrieved From Smartphones Synced to Vehicles

Comments Filter:
  • No kidding (Score:4, Insightful)

    by Agent Fletcher ( 624427 ) on Saturday May 08, 2021 @05:39PM (#61363728)
    Most phones even warn of this before syncing.
    • Re:No kidding (Score:5, Insightful)

      by tomhath ( 637240 ) on Saturday May 08, 2021 @05:49PM (#61363752)

      I doubt most people understand what it means to sync with the car.

      Get in a rental vehicle, the first thing it asks is to connect. Want to use your phone's gps or play some music? Sure...connect. There's no warning that your personal data will be scraped and saved when you disconnect and return the car.

      • Re:No kidding (Score:4, Insightful)

        by Ostracus ( 1354233 ) on Saturday May 08, 2021 @06:00PM (#61363786) Journal

        This data can include "Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been, when and where a vehicle's lights are turned on, and which doors are opened and closed at specific locations" as well as "gear shifts, odometer reads, ignition cycles, speed logs, and more. This car-based surveillance, in other words, goes many miles beyond the car itself."

        Here's the thing though. If this was a regular computer there would be CVE out the wazoo, if they transmitted that much data with the outside world. Cell phone by design it's assumed you want to share everything.

      • by kenh ( 9056 )

        Why would a car collect half the information they cite? Why would it collect pictures, for example?

        • Insurance lawyers, for one, want all the black box data that the car has collected after an accident etc. Usually the cops and the judge get the info too. Here in NY that are punishing txting while driving just as hard as felony DUI, if not harder. It's a great way to lose your license. The info has been available for years regarding collecting the data.

        • by tlhIngan ( 30335 )

          Why would a car collect half the information they cite? Why would it collect pictures, for example?

          Contacts are shared with the infotainment system so you can either voice control or have your addressbook controllable via the steerwing wheel controls.

          If you want to make a phone call, you either have to interact with the phone (illegal in a number of places) or use the infotainment system. You could try to dial by voice recognition (leading to hilarious results if it picks the wrong contact), but it's easier

          • by I75BJC ( 4590021 )
            I just say, "Hey Siri, how to I get to [place-I-need-to-go-to]
            Or, "Hey Siri, phone [person-I want-to-phone]
            Where's the problem?

            The same thing happens with computers and no one bitches like is going on here.
            Oh well, That's /.
          • Not quite, Apple CarPlay does work like that, Android Auto often requires an extra app either on the phone or on the car, as most Android phones are woefully underpowered to do 5 things at once, Google decided it is best if part of the processing happens on the car.

            For example on at least one model Honda, you have to load an app onto your car-Android to get full functionality from Android Auto and yes, the car will connect to WiFi and have some functionality with your Google profile without the phone presen

      • by PPH ( 736903 )

        I doubt most people understand what it means to sync with the car.

        I'll bet Mary Jo Kopechne knows.

      • There is a warning every time I have tried. It asks to connect, then your phone asks if you want to share messages and contacts, to which I answer no. And of course I delete the phone from the car before returning it, just in case anyway.

        • by tomhath ( 637240 )
          Yes, you understand (or are more paranoid) about what the word "share" means. Most people don't think it means "upload personal data to car and let car save it offline when you disconnect"; people should think that, but they don't.
      • by I75BJC ( 4590021 )
        I receive a Warning Message every time I connect with an automobile's system.
        Even when I connect to my spouse's car.
        The message Always asks if I want to Sync the Contacts, etc.

        Why do you say that there is "no warning"?
        I have always received a Warning.
        • Asking you if you want to allow the vehicle to access your contacts, etc. is not a warning in any meaningful sense of the word. Only someone with prior knowledge of what that could imply would consider it a warning.

          It's similar to asking you if you want to go downstairs, but not telling you that the stairs are actually a ramp covered in ice.

          It's a slippery slope.

    • by Kisai ( 213879 )

      This is true, but I need to make a point here:

      - Bluetooth audio (eg your phone is used as a headset) does not sync text messages or contacts, it just acts as a headset.
      - Bluetooth sync of contacts can be blocked in iphones.

      That just leaves text messages, which again, requires that you have the phone operating as the "handsfree mode" , eg "carkit" mode such as CarPlay.

      Because (particularly in the case of Ford SYNC) it downloads the contacts and text messages if you permit it to, but because a car may be used

  • by klipclop ( 6724090 ) on Saturday May 08, 2021 @05:41PM (#61363730)
    I was just considering buying an EV, and was wondering if I can know what telemetry the car is generating, what I have access to (and deactivate) and what the car is sending back to the manufacturer without my written consent. (I'm sure they sneak in consent when you sign a purchase document). I personally run lineageos with microg on my phone, and I think I'd gravitate towards a EV where I control my data too. (I wont hold my breath though)
    • by kenh ( 9056 ) on Saturday May 08, 2021 @06:06PM (#61363794) Homepage Journal

      The issue isn't the car, it's the phone you use in the car and the data it uploads into the car.

      I charge my phone with a cigarette lighter charger cord, mainly because my car wants to play the first song in my phone (which happens to be the only song in my phone), a Stephen Colbert song - "Hey, It's another Christmas Song" (or something like that).

      Seriously, why sync your phone with a rental car - your phone GPS works just fine on the built-in screen, your phone has a speaker phone, a voice assistant, etc. - I guess wanting to stream music/podcasts over the car stereo is a reason, but there are other ways to accomplish that without sync'ing the phone, aren't there, like bluetooth?

      • by Mononymous ( 6156676 ) on Saturday May 08, 2021 @06:18PM (#61363812)

        This all happens via bluetooth.

        I've usually driven very old cars, but I recently replaced my 1994 Dodge Dakota with a few-years-old Toyota. It has all kinds of whizbangs that are new to me.
        When you pair a phone with it by bluetooth, there are 2 separate connection options. You can connect just the audio, or you can connect the phone. That latter option lets you receive calls and texts on the car display and so forth; it seems that's the setting that slurps up all this data.

      • Because voice dialing doesn't work if you don't sync contacts

        • by I75BJC ( 4590021 )
          "Hey Siri..." works great for me without uploading my contacts.
          Don't Android phones have an "assistant"?
          • Yes, but the mic in the CAR can't do it.
            The mic on the phone isn't as "careful" for the necessary speech recogniton in an automotive environment

      • by I75BJC ( 4590021 )
        Because you are hearing impaired?
        And the automobile's sound is louder and better sounding than a cell phone can produce while driving?
        Lots of reasons.
      • Making it a surveillance tool with or without your phone connected.

  • by fustakrakich ( 1673220 ) on Saturday May 08, 2021 @05:42PM (#61363732) Journal

    We have to throw away our cars after using them once?

    • I think if you are a criminal, you'd be very smart to buy a dumb car that is 20 years old +
      • I think if you are a criminal, you'd be very smart to buy a dumb car that is 20 years old +

        Speaking of which...

        • by ebvwfbw ( 864834 )

          I think if you are a criminal, you'd be very smart to buy a dumb car that is 20 years old +

          Speaking of which...

          If you still have a 93 escort wagon - yea man! That's like the perfect criminal car. Thinking of a life of crime?
          Pull the car data. Can we prove he was near Bill Gates when the pie was thrown at him?

      • Yeah, if I'm a criminal, I'm going to buy a car.

    • So buy oneself a Ford Pinto. [tortmuseum.org] Problem solved.

  • U.S. CUSTOMS AND BORDER PROTECTION purchased technology that vacuums up reams of personal information stored inside cars, according to a federal contract reviewed by The Intercept, illustrating the serious risks in connecting your vehicle and your smartphone.

    Uhm, OK

    The ACLU’s Tajsar explained, “What they’re really saying is ‘We can exploit people because they’re dumb. We can leverage consumers’ lack of understanding in order to exploit them in ways that they might object to if it was done in the analog world.’”

    Yes, a large number of criminals are caught because they fail to appreciate they leave behind DNA, hair, etc., or that their cellphone reveals their location whenever it's turned on, that traffic cameras record cars passing under them, CCTV cameras record their activitesin public, etc.

    We catch many criminals because of their ignorance about the world around them.

    MSAB claims that this data can include “Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been.”

    I'm hard-pressed to believe that cars are downloading pictures, videos, social media feeds, and my contact lists - to what purpose?

    The easy

  • by kriston ( 7886 ) on Saturday May 08, 2021 @06:04PM (#61363790) Homepage Journal

    Seriously, who DIDN'T know this?!

    • by lazarus ( 2879 ) on Saturday May 08, 2021 @06:29PM (#61363824) Journal

      Almost everyone. A couple of years ago I was in a hotel and was taking a call in the complimentary "business lounge" on my cell. While chatting I booted up the PC that was in there and checked the browser history. First hit was a bank. Clicked on it and the browser auto-filled some person's username and password and I was looking at their accounts.

      I spent the next 20 minutes removing saved passwords and history from every browser on the machine and trying to turn off those options. People are dumb.

      • by Anonymous Coward

        Almost everyone. A couple of years ago I was in a hotel and was taking a call in the complimentary "business lounge" on my cell. While chatting I booted up the PC that was in there and checked the browser history. First hit was a bank. Clicked on it and the browser auto-filled some person's username and password and I was looking at their accounts.

        I spent the next 20 minutes removing saved passwords and history from every browser on the machine and trying to turn off those options. People are dumb.

        No, they are just uninformed about computers, much like you are uninformed about all manner of things those people might be experts at. The real dummy here is the badly educated IT person who left autofill activated on that PC and the miserable excuse for a manager who hired him so that he could underpay the guy in order to improve the corporate bottom line by a billionth of a percent.

        • No the real idiots are the people who just must check their bank account that regularly even on public computers. Why whats the big rush that cant wait until they get home ?
      • by I75BJC ( 4590021 )
        Yes, and that's why we all have jobs.
        Who wants to know enough to repair everything that they own or use?

        BTW, "Thank You!" for cleaning the history and changing the settings so that this information isn't retained!

        Wouldn't it be nice if all of us who are aware of browser settings took the time to change the settings to make browsing safer and more secure. Yes, I know it takes several minutes to do this but it helps the people who use the browsers after us.
      • Perhaps it is just that I've dealt with hotel management before (in a convention client context):

        I would have cleared the display, dragged the nearest hotel staff over to the computer, and shown them exactly why I was concerned. ... and then demonstrated how to clear and lock down each of the browsers on the system.

        The words "you have a potential lawsuit situation on your hands, let me show you how to prevent it" are magic. But "clearing all the computers yourself" is a "give a man a fish" solution. It al

  • Every one Iâ(TM)ve rented past few years needed to have a phone or threeâ(TM)s data scrubbed.

    • Last car we rented, when I synced my phone to stream over bluetooth the car's radio has like 200 (I think the maximum number) of phone book entries in it. Everyone else who rented it synced their contact list until the radio was full. I chose to sync nothing.
  • Not to have a "smart" phone. Granted, you could always not sync your phone to the car, but considering the people we're dealing with, that is clearly not an option.

    Flip phone for the win.

  • by JeffOwl ( 2858633 )
    If CBP is following the law, this isn't a problem on their end. (That is to say, if they use this with a warrant or in specific situations where they have enough cause that they do not need a warrant.) Blame the makers of cars and cell phones. For one... If I want to let the car access my IM's and call logs and such for convenience while driving (I don't, but if I did) there is no reason to have the car store a record of those.
  • by bill_mcgonigle ( 4333 ) * on Saturday May 08, 2021 @07:43PM (#61363968) Homepage Journal

    I never sync with a rental car and I'm always amazed to find all that info on the "radio". How they don't do a factory reset after a return is beyond me. Somebody's gonna sue them.

  • by redback ( 15527 )

    well duh!

  • Are there codes or dash switch combinations for every car that resets its memory back to factory default?

    All settings wiped: bluetooth, saved location data, engine performance, when it was used, how fast you were going, etc ... everything, as if it were new from factory.

    • Why do you need to connect your phone to a rental car ? Surely your life wont end if you dont connect, and even if you really need to make a call, use the phone.
      • by I75BJC ( 4590021 )
        Deaf and hearing impaired people find sync their phones with a significant better quality sound system a great benefit!

        Some people want to make calls legally -- in those places, like the state where I reside, that have outlawed "hands" calls.

        Some people like the convenience

        Why do you think that everyone has the exact same needs, desires, and wants as You?

        It's Really Not A ONE-SIZE-FITS-ALL World
        Or didn't you realize that fact?
        • > Deaf and hearing impaired people find sync their phones with a significant better quality sound system a great benefit!
          Yeh because one moment without a phone call is the end of the world.
          > Some people want to make calls legally -- in those places, like the state where I reside, that have outlawed "hands" calls.
          if they cant wait why are they wasting so much time driving ?
        • > Why do you think that everyone has the exact same needs, desires, and wants as You?
          Why do you think everyone is deaf or hearing impaired so they ALL need to sync with a car ?
  • So if someone makes this kind of device, does that mean there is a market for a data scrambler? For when you return your car to the rental agency, or want to tell the CBP to get stuffed when you cross the border, for example.
  • Why does a car need to suck half your phone including your email to function ? Surely the car software can be dumb and connect as needed so nothing is stored locally.
  • Maybe you don't like a particular person. Make sure you send lots of incriminating texts. Thus you can have fun. Better is that the comms stack - run a pen test against it, then edit texts and max car speed data. Misinformation is power.
  • by ytene ( 4376651 ) on Sunday May 09, 2021 @02:37AM (#61364716)
    One of the aspects of this that struck me was the potential for an organization like CBP to use, say a rental car to target a suspect.

    The recent slashdot story that covered the reverse engineering performed by Moxie Marlinspike’s of Whisper Systems against the Cellebrite code included mention of the fact that the Cellebrite application appeared to be making use of an iTunes library [hinting that it may have been illegal use of the library.

    That suggested to me that part of Cellebrite’s strategy was to trick the handset in to thinking that it was being connected to an iTunes instance that it could trust. Now, it doesn’t follow that an iPhone will automatically “trust” a vehicle to which it is connected, but suppose that vehicle originally had Apple CarPlay running in it, but CBP and/or their third party were able to maliciously hack the CarPlay?

    If they were able to do something similar to Cellebrite, maybe that would explain how so much and such varied data was being accessed by the vehicle?

    If so - and, again, this is all supposition, Apple need to further harden iOS and iPadOS such that before a connection is accepted, each end of the link need to be able to prove that it has not been tampered with, maybe by some form of mutual authentication test.
  • Look past what's being "revealed" in the OP and the linked article. It isn't the fact that cars are scraping all this data from the drivers' phones that should be worrisome.

    It's that the phones are not only capturing all this data, but are so easily scraped.

For God's sake, stop researching for a while and begin to think!

Working...