* Automotive head units are just embedded computers. Most run Linux, QNX, or Windows CE, with some proprietary UI system on top.
* These machines usually store data in an onboard database in flash (sometimes just SQLite).
* Sometimes, phone data is captured using standard Bluetooth mechanisms (Message Access Protocol MAP and Phone Book Access Protocol PBAP) which require authorization on the phone side. Some vendors implement an additional "are you sure you want to share your information" check on the head unit side, and others don't.
* This data is cached on the head unit so that finding a contact to call or reading a text message doesn't require 10 minutes' worth of Bluetooth nonsense.
* Some vendors inadequately purge this cached data when a Bluetooth pairing is removed from the head unit.
* Berla sell data extraction exploits to law enforcement, just like other forensics vendors do for mobile phones. Sometimes this can extract latent data and sometimes active data.
My advice:
* Never authorize a head unit to download your contacts or SMS.
* If you use a rental car, Factory Reset the head unit when you leave.
That's decent protection for most people. I didn't find any evidence pointing to a central server upload, a conspiracy to build an LE database, etc. It's just typical crappy hardware manufacturer-made software leaving data around that shouldn't be left around, creating an opening for forensic vendor exploits to slurp the data.
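The inadequate-purge point in the comment above, as an added example that is not part of the original comment or any vendor's code: assuming a head unit caches synced contacts in one shared SQLite table (the table, column names and contact values are hypothetical and constructed), a plain `DELETE` on unpairing leaves the removed rows' bytes in the database file, while `secure_delete` plus `VACUUM` removes them.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for a synced phone-book entry.
MARKER = "CONSTRUCTED-CONTACT"


def unpair_and_inspect(purge):
    """Remove pairing 1 from a hypothetical contact cache, then return
    (rows_still_queryable, marker_bytes_still_in_file).

    purge="delete-only": plain DELETE with secure_delete off (weak purge).
    purge="scrub": secure_delete on, DELETE, then VACUUM (hardened purge).
    """
    if purge not in ("delete-only", "scrub"):
        raise ValueError(purge)
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # Set explicitly: some SQLite builds ship with secure_delete enabled.
        mode = "ON" if purge == "scrub" else "OFF"
        con.execute("PRAGMA secure_delete = " + mode).fetchall()
        con.execute(
            "CREATE TABLE contacts (pairing_id INTEGER, name TEXT, number TEXT)")
        rows = []
        for i in range(500):  # two paired phones interleaved in one table
            rows.append((1, f"{MARKER}-{i}", "555-0100"))
            rows.append((2, f"OTHER-PAIRING-ENTRY-{i}", "555-0199"))
        with con:  # commits on exit
            con.executemany("INSERT INTO contacts VALUES (?, ?, ?)", rows)
        with con:
            con.execute("DELETE FROM contacts WHERE pairing_id = 1")
        if purge == "scrub":
            con.execute("VACUUM")  # rebuild the file from live rows only
        remaining = con.execute(
            "SELECT COUNT(*) FROM contacts WHERE pairing_id = 1").fetchall()[0][0]
        con.close()
        # Read the raw file, as an offline copy of the flash would expose it.
        with open(path, "rb") as f:
            residue = MARKER.encode() in f.read()
        return remaining, residue
    finally:
        os.remove(path)
```

Both modes report zero rows to a query; only the raw file differs. This covers the SQLite file alone, not copies the flash controller may keep beneath the filesystem.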
This is such an early 2000s idea. I'd much rather my car act as a dumb display that shows a copy of my phone screen than an intelligent agent that tries to replicate functionality already extant in my phone.
I was told that the infotainment systems were where a large chunk of their profit came from and differentiating their experience was important to the car company.
Of course, they wanted to use decade-old CPUs and touchscreens to save money, so the experience was horrible. I left shortly after CarPlay was announced and our response was "That will never catch on."
All we need is a place in the dashboard to mount our phones. Phones already have big-ass touchscreens and anything else we want... except of course now the audio outputs have been removed.
We should simply have a well in the dashboard with replaceable inserts that snap in to accommodate different-sized phone models, which would connect to the audio system and power. But no... we still have phones bouncing around in the cabin or attached to hokey third-party claws, and janky-ass Bluetooth which (how many years in now?) can't handle simple music playback reliably.
Every car in my household has an auxiliary input for audio and no support for audio over Bluetooth. One is a 2013 Mini, so it's not as if they're ancient.
And that's just fine. And if it MUST be overcomplicated, then yes... AirPlay seems to be the way.
If I rent a car, I won't pair my phone at all, even going so far as to use a car charger instead of the provided USB ports.
i didn't even like having my phone data sunk to my own personal car. it just made no logical sense on why that would be useful, so being me, i just assumed it was for nefarious purposes. people no longer get the benefit of the doubt of being lazy/incompetent. i immediately jump to the situation essentially being an attack vector.
Driving in the country was fine with just audio navigation, but I had to connect my phone to get the display once I was driving in a big city. "Take the freeway exit" "Use the right lane" "Use the left lane" was coming too quick if I relied only on the audio.
Stallman was right, about nearly everything concerning power, companies and governments using it, and the role the citizen is viewed to have in such a limited capitalist view.
Without government mandates to open the source of every chip and firmware, none of the modern hardware we use is trustable.
* There's an obvious, legitimate want for the vehicle's head unit to ingest this data, in order to display a UI (or provide a voice UI) which allows the user to call a contact by name or read a recently received text message. Is this a poor implementation concept which has mostly been supplanted by better implementations (Android Auto / CarPlay)? Sure, absolutely, but it's not something that was added for the express purpose of "stealing" information. It's a long-standing set of features which use obvious, standardized Bluetooth technologies to fill an obvious, straightforward user need. Nothing weird there.
* There's no sign whatsoever that there was any collusion with law enforcement in the construction of these systems. They're just badly implemented, vulnerable software which is exploited by a forensics vendor (just like literally every other piece of hardware and software under the sun).
I, for one, simply wouldn't believe any such claim. Too much deception has already happened for there to be any trust left.
By extension, that means it is 100% legal for anyone, including any branch of any government to get a copy of your call and text history.
Always has been
> Here's the fix that 95%+ of the users impacted will never use
Hopefully you only had HN users in mind while writing your comment, otherwise you've intentionally downplayed one of dozens of security & privacy risks "our moms" are dealing with daily.
That is ridiculously onerous! Just because geeks can share arcane knowledge about how to be safe does not mean that this isn't horribly anti-consumer.
So it's effectively legal to sell backdoored hardware and software to spy on people. I wonder what would happen if I sold backdoored phones to Volkswagen employees, execs, and their children. To judges and politicians and lawyers. A-OK until there was "actual injury", and even then, it is only the injury that would be wrong?
It says “a plaintiff must allege an injury to ‘his or her business, his or her person, or his or her reputation,’” with “a bare violation” of the privacy law being “insufficient to satisfy the statutory injury requirement.”
It is particular to Washington state, not all Americans. And it may not apply to a prosecutor versus private plaintiff.
[1] https://www.documentcloud.org/documents/24133084-22-35448
Had the whole state pay for a stadium and a tunnel, in Seattle. So, pointless use of taxes and other wastes of my contributions.
Sadly, not an actually progressive place aside from Mutual Combat laws.
WA has a referendum system, though, so if people in WA care about this, you can get something on a ballot and vote it into law.
Hah! No, they argue that the injury is right.
For example: https://www.cbc.ca/news/politics/sikh-nijjar-india-canada-tr...
After the diplomat assassination kerfuffle, it appears that Canada invoked a communications backdoor for national security purposes. It's hard to feel bad for the dimwitted killers who plotted the entire thing on a smartphone, but it's also a statement about how widespread and de-facto surveillance is today. Even when backdoors surface, we shrug them off.
So... yeah. Until there is actual injury, and the injury isn't someone who people don't like and also don't care about. Then it will be a problem, and God help us all then.
e.g. the fact that there's a local call/message log on the car, and the car also has a mechanism for transmitting some data, does not mean that there's a privacy violation given that the car does not transmit the call/message log. That's the only reason this lawsuit got thrown out. It would be like saying "my phone receives messages, and stores those, and could transmit them to apple/google, therefore I should be able to sue them for the privacy violation they could do".
As far as I can tell, the car itself doesn't have a mechanism for transmitting data. It just stores the data.
Transmitting only happens if/when someone gets some Berla "vehicle forensics" hardware and physically connects it to the car. The Berla equipment would do the transmitting.
From the complaint linked to by The Register[1]:
> 26. Third party Berla Corporation (“Berla”), based in Annapolis, Maryland, manufactures equipment (hardware and software) capable of extracting stored text messages from infotainment systems in Honda vehicles.
> 27. Berla also manufactures equipment capable of extracting stored call logs from infotainment systems in Honda vehicles.
> 28. Honda infotainment systems thereby transmit stored text messages and call logs to Berla.
And from Berla's web site[2]:
> An acquisition may require systems to be removed from a vehicle and disassembled or be performed in place in a vehicle. In either case, acquisition hardware must be attached to the vehicle or system to acquire data.
---
[1] https://regmedia.co.uk/2023/11/09/honda-infotainment-class-a...
This is frankly a shortcoming of trying to use civil law for something like this. As far as I'm aware, this is nearly always the case that you have no grounds to sue unless you've suffered quantifiable monetary damage from someone's actions. If we just want this kind of thing to be generally illegal, then it needs to be made illegal according to criminal law or it needs to violate some law overseen by a government regulatory body with the power to levy its own fines.
I am extremely skeptical of this, no matter what this judge says. This seems to be a clear case of illegal wiretapping [1]. Having an illegal act perpetrated upon one, whether it is wiretapping or assault, seems a very clear "injury". It is baffling that there would have to be some kind of financial price attached to be recognized as harm by a court. A disgusting reduction of justice to mere finance, something I would expect from the cartoonishly greedy Ferengi of Star Trek rather than a real court.
Where is this being done without authorization?
I think the title is misleading. Unless I'm missing something, it sounds like the decision wasn't that it's legal to harvest text and call logs, it was that these cases did not demonstrate an injury was caused as a result of doing so. Presumably if the plaintiffs proved some injury other than not wanting it to happen, things could have been different.
It would be nice if some regulator would mandate an "easy-off" function for vehicle telematics - some kind of simple procedure which would remove a telematics module from the installation list and allow the module to be unplugged without triggering fault detection. This is possible on some cars using dealership tools to re-train (sometimes called "code") the configuration blobs in each control module to omit telematics, but it's not standardized and usually too difficult for a consumer to manage.
Also, how hard was it to find the section for removing the module, and how hard was removing the module in your case?
I have a Subaru, but still curious about yours.
I'm not going to go as far as to say it can't be exploited, but that is a significantly smaller risk surface.
I have not used Android Auto, but if it does auto pair Bluetooth, that would be a shame. I thought the whole point was that the car just provides a screen your phone can extend a display to, and no data ever leaves.
It’s especially frustrating with rental cars. But I don’t even trust my own personal car!
Check out GrapheneOS if you have yet to!
So... It's okay if I record private conversations from high-ranking state officials as long as I don't harm their reputation with it?
It's okay if I stole state intelligence as long as I don't harm my country with it?
This was a civil case. Civil cases tend to have more concrete harm requirements.
The claimed invasion of privacy is that a person with the diagnostic tools and physical access to your car can extract those logs.
Presenting this as "car manufacturers can steal your text and call logs" is disingenuous.
Don't get me wrong, it's clearly not a great thing for the car to be doing (especially in the context of rental cars for instance) but it isn't the catastrophe people are claiming.
The title and the conclusion are biased and of poor quality. It should be "car manufacturers didn't get fined for the way their old head units worked".
You might think, why care if it's your own car? But if you rent cars this can become an issue where, if poorly implemented, the next driver could access the information.
It is such an easy feature to implement and suppliers in Europe already do this due to GDPR. I remember working for an automotive supplier where we implemented this feature. The whole phonebook was actually downloaded onto the unit in an encrypted Database. The system would decrypt it on the fly as needed. When GDPR came around we had to implement a wipe feature that would allow the user to delete their profile which included that database.
I feel like GDPR for all its flaws had a positive impact in that it forced the supplier to actually care about this use case.
And especially not if you're forced to agree to use a specific feature.
But nobody really knows if car vendors really follow the laws. Facebook/Instagram seem to collect a lot of data anyways, and probably will just pay a huge fine in many years, when they get sentenced for it.
From what I understand the data the car acquires is not being sent anywhere. It just gets uploaded to the car and is used to speed up operations that would be slow if the car had to talk to the phone over Bluetooth when it needed the data.
The car vendor is not processing your data. They are selling you a device that processes your data. I'd have guessed then that you are the controller for this data processing and so you are the one responsible for GDPR compliance.
In the case of a rental car, I'd have guessed that the rental company is the controller, and their GDPR obligation would be to tell you that the car caches data if you pair your phone with it and for them to erase that data when you return the car.