Posted by arkadiyt 18 hours ago

Removing the modem and GPS from my 2024 RAV4 hybrid(arkadiyt.com)
903 points | 467 comments
bitparadox 34 minutes ago|
I have a few year old Volkswagen. I'm security conscious and made sure to disable all the data collection I could find in the companion app, turn off remote access services, dig through the infotainment to turn off what I could, etc.

Last year I requested a Carfax on it, and one of the fields in the request was current mileage. I entered an estimate like 75000 miles. On form submission, that field failed validation with the red subtext along the lines of 'this is less than the last reported mileage of 75345, reported <5 or so days prior>'. Checking my odometer and looking at my past few days' trips, that was indeed accurate.

The car hadn't been to a shop or out of my possession in weeks, so I can only assume the telemetry was still dialing home and selling to third parties despite my best efforts to disable it.

Anecdotal and not unexpected in the grand scheme, but it still surprised me.

nurple 18 hours ago||
> Even after the modem is removed, if you connect your phone to the car via Bluetooth then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota. However, if you use a wired USB connection then it does not do that (see the discussion here and elsewhere), so I exclusively use CarPlay via USB.

The problem with this is that both carplay and android auto capture their own vehicle telemetry. So even though the car is not able to use your phone as a general data pipe, Google and Apple still get access to this data when you're connected.

They are both very cagey with how they talk about this (or don't).

embedding-shape 17 hours ago||
And once you've gotten rid of Google and Apple, your telecom company tracks you, your CC payments help track you and even cameras in public do.

It's hard to not want to throw your hands in the air screaming "whatever" when almost everything you use in public is somehow used to track you either as you move around, or in the future.

dualvariable 16 hours ago|||
This is one of those things that can't ever be solved with individual solutions but needs to be solved through legislation and standards, and ideally a fundamental right to privacy (and a fundamental redefinition of what privacy means when it comes to corporate surveillance of individuals).
GJim 3 hours ago|||
Needless to say, cars in the UK/EU have no such privacy invading features without an explicit opt-in thanks to sensible data protection legislation; including the GDPR.

The FUD spouted on here by the scummy adtech industry about legislation to protect YOUR privacy is mind boggling. These are the people doing the digital equivalent of sniffing your underwear to work out what you had for breakfast.

(And before somebody shouts FUD about the UK/EU vehicle eCall 112 system, that certainly doesn't track you or seek to invade your privacy on any level!)

monegator 2 hours ago|||
> cars in the UK/EU have no such privacy invading features

If you say so.

Maybe if you buy the car with cash, but if you finance it you are leasing from a company that has definitely accepted all the terms and conditions to capture and sell all the telemetry to various parties

>without an explicit opt-in

check out a modern Volvo/Audi/whatever, they are making it so difficult to say no every single time the screen is powered on

GJim 2 hours ago||
> if you finance it you are leasing from a company that has definitely accepted all the terms and conditions to capture and sell all the telemetry to various parties

No it isn't. Stop spreading FUD.

It is illegal in the UK/EU to make provision of a service dependent on allowing your personal data to be sold to third parties. This is BASIC data protection law here. You should be embarrassed for not understanding this.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

> modern Volvo/Audi/whatever, they are making it so difficult to say no every single time the screen is powered on

More FUD.

The nagware is for "safety" features such as lane assist which must turn on every time by default (yes, this is a PITA). This has nothing whatsoever to do with data privacy requests.

sailfast 8 minutes ago|||
Sure, and Volkswagen’s diesel cars are totally clean and pass emissions tests as written.

Your trust in the law (EU law! Haha) to do the enforcing itself is nice, but history and lived experience tell me that these laws are going to be skirted if there’s money in it.

monegator 46 minutes ago||||
I'm in Europe and I work with cars, pal.

Nagware is absolutely not for safety features. Deny the terms and conditions and every time you start the car you have at least three screens you have to scroll and click buttons. It is a very recent feature, have seen it on models from January onwards.

BTW: You also want to deny that because if you agree you also agree to update the system at their will (many cases in the press of them fucking it up, bricking cars requiring ECU replacement. A couple of manufacturers I won't mention fucked that up as badly as using two different ECU makes for the same car model, and sending the wrong binary and the bootloader happily accepting it. All without the user approving the update beforehand. All happening in the background. Car stops at the sign, ECU reboots and dies.)

You also have constant nagware when you disable the tracking features in software.

GJim 28 minutes ago|||
A class action lawsuit in the making! Pal.
jona-f 57 minutes ago|||
> It is illegal in the UK/EU to make provision of a service dependent on allowing your personal data to be sold to third parties.

Nobody seems to care and this isn't enforced at all.

It is very hard to live in Germany without having a Google account. Many services are only offered via a phone app that is only available through the Play Store. I'd have to use APKs from questionable, untrusted third-party websites.

Good luck finding an employer that doesn't require you to have a Microsoft account.

The EU is not the privacy paradise some make it seem to be. It's a corrupt, bureaucratic, exploitive nightmare with some splashes of democracy here and there.

Von der Leyen is the perfectly ridiculous representative, she left nothing but corruption, collusion and incompetence in her wake.

GJim 23 minutes ago||
> It is very hard to live in Germany without having a google account

Which in the EU/UK, is subject to data protection law; including compulsory opt-in for sharing personal data!

Granted, the scummy adtech industry push the law to the limit ("legitimate use"), meaning we need better regulation, not less.

> The EU is not the privacy paradise some make it seem to be

Nobody said anything about paradise, though considering the unrestrained nature of adtech in the USA, I certainly know under which laws I'd rather my (and others) personal data is kept.

tpm 1 hour ago||||
In addition to the eCall system, note there is also the mandatory OBFCM (On-board Fuel and/or Energy Consumption Monitoring Device), that data is then downloaded from the vehicles using OBD during checks.

The data is anonymized and you can opt out, but many people probably don't know it's collected in the first place.

M95D 3 hours ago||||
> (And before somebody shouts FUD about the UK/EU vehicle eCall 112 system, that certainly doesn't track you or seek to invade your privacy on any level!)

How do you know?

BTW, checking all the opt-ins is usually the first thing the sales person does when selling a new car.

GJim 2 hours ago||
> How do you know?

And the FUD has started. Maybe try reading the law?

https://europa.eu/youreurope/citizens/travel/security-and-em...

DaSHacka 2 hours ago||
Because no company has ever broken the law before
GJim 2 hours ago||
What a ridiculous argument!

So what is the point in having laws then?

No doubt you believe any adtech request for personal data should be met by the subject promptly bending over and grabbing their ankles with both hands?

abc123abc123 1 hour ago||
Laws exist to keep the common man in check, and to punish government organizations and corporations _if_ they get caught. The original purpose is to keep voters meek and to stop them from overthrowing the politicians. Laws have very little to do with scaring corporations and nations.
golem14 3 hours ago|||
I'm tempted to say "oh you sweet summer child", because it seems just unbelievable that the statement is true (in the sense that the small print in rental cars and sales contracts doesn't allow it, or it's done by law enforcement agencies surreptitiously).

But maybe it IS true. I know it's legally mandated.

GJim 2 hours ago||
> it seems just unbelievable that the statement is true

So do you think UK/EU vehicle manufacturers are deliberately in mass breach of data privacy law... fully knowing the cost of a consumer backlash, fines and vehicle recall costs to fix any law breach?

Really?

It's genuinely amazing how many Americans on here (a tech news site!) are unaware of data privacy law and expectations outside their homeland.

sailfast 11 minutes ago|||
Yes.

Or, more succinctly - they are likely following the law but have figured out a way to avoid it as written using consumer opt-in and dark patterns.

You call it FUD, but this is hacker news and with overwhelming incentives it is not unreasonable to ask for verification that data isn’t being exfiltrated.

golem14 1 hour ago||||
I really do think there is a good chance that say MI5 or the BND or the DGSE flagrantly ignore the law to catch non-national evildoers, just as much as in the US. The temptation to do this 'in the name of security' is very high.

Of course, I can't or won't prove it.

And yes, I am _intimately_ familiar with the GDPR and other laws and regulations. The US also had (has) wiretapping laws that would have prevented snooping on Americans.

I'm not claiming the EU is no better than the US, it clearly has better intentions. But fundamentally, I think the EU will end up in the same place as the US sooner or later, simply because the same forces are at play: desire for security >> desire for privacy for most people if the rubber hits the road.

Here's some fun read for those who seek more info:

https://www.politico.eu/article/germany-privacy-watchdog-sid...

https://www.bnd.bund.de/EN/Service/PrivacyPolicy/privacypoli...

https://www.lexxion.eu/?newsletters_method=newsletter&id=477

jaapz 1 hour ago|||
> So do you think UK/EU vehicle manufacturers are deliberately in mass breach of data privacy law... fully knowing the cost of a consumer backlash, fines and vehicle recall costs to fix any law breach?

They were also in mass breach of vehicle emission laws. The fact that there was some backlash (although people didn't really stop buying VAG cars), people got prosecuted, the company got fined, didn't really change their decisions while they were pumping out fraudulent cars.

Yes, we should have privacy laws like this in the EU, this is a good thing! But thinking that, when these laws are in place, all companies magically will follow them is naive. To them it's still a cost/benefit analysis, and history has shown short term benefit trumps many other things for these companies.

vladms 1 hour ago|||
> To them it's still a cost/benefit analysis, and history has shown short term benefit trumps many other things for these companies.

Doesn't that depend on the company though? Not all companies are focused in the same amount on short vs long term benefits.

There are costs of not following the regulation (example, did not check in detail: https://www.enforcementtracker.com/) and I do not hear (media, social network, etc.) anybody complaining about fines so I think it will just continue and hopefully will change their opinion at some point.

GJim 1 hour ago|||
ONE company did it (not a mass of them), resulting in massive fines and prosecutions; they certainly aren't going to do it again!

I'd also suggest the backlash from breaches in data privacy would be much larger than from fiddling emissions tests (as evil as the latter was, it actually saved many customers money on a (more polluting) car with higher performance).

lucianbr 35 minutes ago||
https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal#O...

> After news broke out of Volkswagen cheating on diesel emissions, multiple other vehicle manufacturers got caught falsifying emissions data, as well as exceeding legal emission limits. This uncovered a greater industry-wide issue that goes far beyond only Volkswagen Group.

whamlastxmas 15 hours ago|||
[flagged]
throwway120385 13 hours ago|||
I guess we'll just sit on our hands and do nothing, then.
foresto 14 hours ago|||
> Government leaders will never give up their pipeline of knowing everything about everyone.

Then let us hire different leaders into government. Public servants, not overlords.

HenryBemis 14 hours ago|||
If you have noticed, every independent candidate almost never gets elected. Vast majority of those who say they will "change the country to the better" either never get elected or are ousted early on. And those who stay change their tune.

I fear that only blackmail-able people with the potential to win elections, get the support, so that they are beholden to someone who ultimately gives them the job (e.g. funding their campaign) and has to return the favor x10 when elected, so promises go out the window and new reality sets in.

mothballed 14 hours ago|||
Someone tried to create an entirely new country with minimal governance by dumping sand on a submerged reef until it became an island[]. Even then it was quickly co-opted by the nearing statist powers (Tonga) with the blessing of western powers.

So it's not just that the primary process will crush anyone who will seriously roll back government powers. They won't even let anyone peacefully create an entirely new fucking island to try and get away from the tyrants and do it while leaving everyone else alone and not messing with the powers that be.

[] https://en.wikipedia.org/wiki/Republic_of_Minerva

anonymars 13 hours ago||
Isn't that the libertarian paradox in a nutshell, the entire reason why "government" exists? Because in reality, the alternative is "might makes right" and a larger, stronger group will band together and steamroll the smaller and uncoordinated individuals?
mothballed 13 hours ago||
Government is might makes right, just with a nice name slapped on it. Minerva was minarchist, not anarchist, but for whatever reason they chose not to defend their country by force. Somaliland and the remains of Rojava come to mind as present-day ~minarchist governments that defended their territory by force and ~succeeded. The point being is these kind of changes won't be allowed by election or peacefully. The primaries stop the election process and the militaries stop the peaceful separation process.

America did have a period of relatively small government intervention at the beginning, but that took a war with Britain. It also had some periods of it during the pre-founding (some of 1600s Pennsylvania and Rhode Island while Britain was occupied elsewhere). Pennsylvania (before it was a state) in particular was basically straight up anarchist for I want to say, about 20 years.

margalabargala 8 hours ago|||
> but for whatever reason they chose not to defend their country by force

When forced off the reef, the founders went back to places like Australia, Manhattan, and London with considerable wealth. Pretty easy to see why that was preferable to possibly dying by firing on the armed forces of another country.

Somaliland and Rojava don't have that option.

PaulDavisThe1st 10 hours ago|||
> relatively small government intervention at the beginning,

Yes, the women, slaves, non-land-owners and native Americans all loved that phase! It was paradise on earth and the embodiment of the eternal liberty to which all (*) humans are entitled.

(*) your experience may vary, depending on your membership of various demographics. Some restrictions apply. Please see package for details.

mothballed 9 hours ago||
Thank god you mentioned that. You foiled my diabolical plan of introducing slavery as utopia, as clearly imposing slavery is a way to shrink government intervention. No mention of early USA is complete without damning any experiences drawn on it because muh racism/sexism. Nevermind that whittling down to even that point took a war with Britain, which was relatively more free than before when yet still slavery and Indian slaughter was still happening.
PaulDavisThe1st 8 hours ago||
Thank god you responded. You have effectively disarmed my diabolical plan of refuting the idea that early American history was some sort of libertarian paradise, by pointing out that I have used the old canard of slavery as if it, by itself, could invalidate the many good things that came from the early, limited form of government.

I have no option other than to lay down my intellectual tools before you and declare you the winner of this battle of the ages. I am humbled by my idiocy in even bringing up the fundamental economic engine of the early American republic, as if it actually mattered at all in the face of the noble, if perhaps a little selfish, goals of those proud young Americans.

mothballed 8 hours ago||
I would say relatively true of the southern colonies. New England, slavery import was banned rapidly, slavery itself banned fairly early (some states almost immediately) and it was arguably never a load bearing pillar. Virginia in particular and the southern colonies only avoided starvation by stumbling on tobacco.

I'd also note slavery was also influenced by how land distribution happened in the colonial era. Lands dispersed under more feudal models lent themselves more to slavery and indentured servitude. Lands that for various reasons that were rapidly sold were more likely to end in the hands of small holders without slaves or fewer slaves.

wahnfrieden 6 hours ago||
I've read Graeber/Wengrow. Any new recommendations?
wahnfrieden 6 hours ago|||
Hierarchical power conflicts with servitude
simplyluke 13 hours ago||||
> your CC payments help track

Not only that. Them and the point-of-sale vendors (aptly shortened PoS), sell that data. They tend to attempt to do this anonymized. How successful they are in anonymizing that is very much so up for debate.

The websites (and even their retail locations) you buy from send your purchase data to meta and other advertisers directly via APIs so they can better track their marketing conversion rates. You can browse their APIs [1][2] to see what kind of data they like to get, but it tends to be every piece of identification they have on you. Rewards programs make this a much richer data set. You don't need to be a user of Google/Meta for them to build a marketing profile based on this. Google links your physical conversion from ads based on your maps data. Facebook does the same if you give them your location data. Many retailers attempt to use the bluetooth/wifi signals from your phone to track the same data even if you pay in cash [3].

There's no legal framework preventing this outside of the EU and California.

1: https://developers.facebook.com/documentation/ads-commerce/c...

2: https://developers.google.com/google-ads/api/docs/conversion...

3: https://www.nytimes.com/interactive/2019/06/14/opinion/bluet...

lesuorac 10 hours ago|||
> They tend to attempt to do this anonymized. How successful they are in anonymizing that is very much so up for debate.

Yeah I think the big thing to push or talk about is that there is no such thing as "anonymized".

There's only such a thing as "can only be identified as X many people". Like for a given dataset you can make any data point correlated to 1 of say 50 people. If somebody is anonymizing data and they don't provide a k-anonymity [1] you should just assume it's 1:1 and effectively not anonymized.

[1]: https://en.wikipedia.org/wiki/K-anonymity
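The "1 of k people" measure above can be computed directly. The following is an added example, not code from the thread or from any data broker: it takes a constructed, fictional purchase feed with direct identifiers already stripped, computes its k-anonymity over the quasi-identifier columns (ZIP, age, gender), lists the records that remain uniquely re-identifiable, and then applies a simple generalization (truncated ZIP, age buckets, suppressed gender) and refuses to release the result unless it actually reaches the required k. Column names, record values and the `anonymize` helper are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records (fictional, not real people): the kind of
# quasi-identifiers a "de-identified" purchase feed might still carry.
RECORDS = [
    {"zip": "94110", "age": 34, "gender": "F", "purchase": "stroller"},
    {"zip": "94110", "age": 36, "gender": "F", "purchase": "coffee"},
    {"zip": "94112", "age": 52, "gender": "M", "purchase": "tires"},
    {"zip": "94112", "age": 58, "gender": "M", "purchase": "motor oil"},
    {"zip": "94117", "age": 29, "gender": "M", "purchase": "guitar"},
    {"zip": "94118", "age": 24, "gender": "F", "purchase": "textbooks"},
]

# Columns that are not direct identifiers but, combined, can single someone out.
QUASI_IDS = ("zip", "age", "gender")


def equivalence_classes(records, quasi_ids):
    """Group records by their quasi-identifier tuple."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def k_anonymity(records, quasi_ids):
    """k = size of the smallest equivalence class. Every record is then
    indistinguishable from at least k-1 others on the quasi-identifiers;
    k == 1 means at least one person is uniquely re-identifiable."""
    return min(len(c) for c in equivalence_classes(records, quasi_ids).values())


def singletons(records, quasi_ids):
    """Records that are alone in their class, i.e. re-identifiable outright."""
    return [c[0] for c in equivalence_classes(records, quasi_ids).values() if len(c) == 1]


def reidentification_probability(records, quasi_ids, known):
    """Chance that an observer who knows one person's quasi-identifiers picks
    the right record: 1/|class|, or 0.0 if nothing matches."""
    key = tuple(known[q] for q in quasi_ids)
    n = len(equivalence_classes(records, quasi_ids).get(key, []))
    return 1.0 / n if n else 0.0


def generalize(record, zip_digits=3, age_bucket=10):
    """Coarsen quasi-identifiers: truncate ZIP, bucket age, suppress gender.
    The purchase (the sensitive attribute) is kept as-is."""
    lo = (record["age"] // age_bucket) * age_bucket
    return {
        "zip": record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits),
        "age": f"{lo}-{lo + age_bucket - 1}",
        "gender": "*",
        "purchase": record["purchase"],
    }


def anonymize(records, k_required):
    """Generalize, then verify the result really meets k; raise rather than
    ship a dataset that is 'anonymized' in name only (hypothetical helper)."""
    out = [generalize(r) for r in records]
    k = k_anonymity(out, QUASI_IDS)
    if k < k_required:
        raise ValueError(f"only {k}-anonymous, needed {k_required}")
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDS))            # 1
    print("re-identifiable records:", len(singletons(RECORDS, QUASI_IDS)))  # 6
    safe = anonymize(RECORDS, k_required=2)
    print("generalized k =", k_anonymity(safe, QUASI_IDS))        # 2
```

On the raw feed every record is a singleton, so "anonymized" means nothing: anyone who knows a person's ZIP, age and gender picks their row with probability 1. After generalization each row hides among two, which is the figure a data recipient should be told. The check in `anonymize` is the part that matters operationally: a release pipeline should fail closed when the generalization does not reach the promised k, and a higher k normally costs more generalization (try `anonymize(RECORDS, 3)` on this sample and it raises).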

bamnet 9 hours ago||
K-Anonymity isn't the only technique. Differential Privacy is arguably more robust.
orthecreedence 6 hours ago||||
> They tend to attempt to do this anonymized. How successful they are in anonymizing that is very much so up for debate.

    let anon_id = md5(SSN);
like_any_other 9 hours ago|||
In the good old days, if you were found to be informing on your neighbors to hostile powers, you were liable to find yourself in a mass grave when the political winds shifted, or even sooner.

But now it's so convenient and discreet and common, we think nothing of it. Plus, Google and Apple and Facebook and their partners and everyone they sell data to are our friends, not enemies :)

abc123abc123 1 hour ago||||
True, but we must not let the perfect be the enemy of the good. I don't own a smartphone, so neither Google nor Apple track anything about me that way. I leave my dumbphone at home when I'm out and about, so it basically works like a traditional landline phone, again, no data there (except for phone calls and text messages of course).

My car is old, so no gps/trackers there, but this is troubling of course. I think that if/when I buy a new one, it has to be either some vintage car, or I have to find a workshop who can rip out all the tracking.

CC payments can be mitigated by paying cash, when available. But yes, CC and bank are a concern and so is CCTV.

brikym 10 hours ago||||
A friend used to work in ad tech years ago. The telecoms sell real time location data to digital billboard companies which are targeted at whoever is nearby. It's basically minority report. I can definitely imagine they're now using visual processing and face recognition on the billboards.
everdrive 15 hours ago||||
Nonetheless I'll still try to maintain what privacy I can.
B1FF_PSUVM 10 hours ago||
You do you, John C. Calhoun of Minerva Road, Springfield, CO.

An agent will be shortly with you to assist in that endeavor.

kQq9oHeAz6wLLS 9 hours ago||
> An agent will be shortly with you to assist in that endeavor.

In some parts of the world that's a death sentence for the target. In other parts, it's one for the agent.

B1FF_PSUVM 8 hours ago||
Oh, please. We're not cavemen here. A little coaching on internet best practices, a dash of psychological assistance, perhaps a girl scout cookie or two ...
drnick1 14 hours ago||||
> And once you've gotten rid of Google and Apple, your telecom company tracks you, your CC payments help track you and even cameras in public do.

Maybe, but what happens without the mod described is that Google and Apple track you in addition to the telecom company. That, of course, assumes that you carry a cell phone tied to your identity. Some people refuse to carry cell phones altogether because of the privacy implications, or use them mostly in airplane mode with an anonymous SIM for backup.

port11 4 hours ago||||
It’s still worth minimising how many companies get your data, and minimising the data itself. I’m not sure what data Apple and Google get specifically out of their car thingies, but it’s very easy to avoid using their car thingie.
jazzyjackson 7 hours ago||||
I use a googleless flip phone and just don't do anything important on it, and leave it behind often. We didn't always carry tracking devices with us, you can choose not to.

You can also buy an older car that doesn't come with a SIM card installed.

abc123abc123 1 hour ago||
This is the way! But note that telcos are working hard to ban dumbphones from their networks. There is a clear push to force people to dump dumbphones and accept the digital surveillance device.

Should that happen, I will move to a VoIP provider. Not perfect, but better than a smartphone.

asdff 12 hours ago||||
At least you can shut your cellphone off and pay in cash.
asdefghyk 12 hours ago||||
RE .... company tracks you ..... [ somewhat off topic ]

Did you know ... in many countries government tracks car number plates and the data is stored for many years.

zekyl314 16 hours ago||||
Exactly, and more and more places are removing cash as a payment option :(
razakel 15 hours ago||
Cash handling isn't free, and for smaller businesses might actually end up being more expensive than accepting electronic payments.
bigfishrunning 15 hours ago|||
If your margins are so razor thin that the cost of handling cash is significant, you need to raise your prices. Cash is legal tender -- not accepting it for in-person transactions is really shitty (maybe shouldn't be allowed?)
9x39 13 hours ago|||
> you need to raise your prices.

And if the competitor doesn't? Ouch.

I think there should be a "digital equivalency act" or something to hamper full digital capture, but my feelings aside, there's a few powers that dislike cash:

Free people like cash, but businesses with low-skill/low-trust workers dislike cash because despite the CC fees, there is less theft, less overhead with cash reconciliation, cameras to watch cash with, less safes to manage, less cash pickup services.

The IRS hates it because there is a cash industry (as there should be, imo, but I'm injecting too much opinion already) that doesn't report earnings. I personally know barbers, housecleaners, handymen that admit to reporting no or few earnings, and synthesize a living off cash and benefits. If you stop paying taxes, this actually works pretty well compared to a low-end tax-paying job. My housecleaner takes overseas vacations (like, thrifty ones in hostels) 2-3 times a year this way.

Banks (arguably the IRS again, deputizing them with KYC) squint at you when you deposit or withdraw significant cash - ask any weed industry participants. Untrackable currency is a natural catch-all for people they don't want to bank with, so it's just friction and headache naturally.

leothecool 15 hours ago||||
You can't even get coins counted for free at retail banks anymore. Cash handling is too expensive even for the place that ostensibly provides cash handling services to the general public.
speed_spread 14 hours ago||
Just make all your prices round up to the nearest dollar bill after tax. Eliminate coins at the source.
razakel 14 hours ago||||
"Legal tender" only means it must be accepted to settle a debt.
rdiddly 14 hours ago||
Walking out of the store with groceries generates a debt, no?
phainopepla2 13 hours ago|||
I believe that's more likely to generate a criminal charge
rdiddly 8 hours ago|||
You're being more literal than I was. My point was that "a debt" is a broader concept than the GP comment acknowledges. A debt is incurred any time you propose or agree to buy something. And legal tender is the way you settle it.
dotancohen 13 hours ago|||
Then how about paying after ordering and eating a meal?
pixl97 12 hours ago||
Depends.

If there was a posted notice that no cash is accepted it's unlikely you'll get a criminal charge, but you can get civilly sued. Most places will just accept the cash then put up a picture saying "If this asshole shows up again, trespass him"

davchana 7 hours ago|||
No, eating food & then paying is a debt. After the services have been rendered. If seller can pull back the items, never provided the service, no debt.
fragmede 15 hours ago||||
You can't go into a store with a gun and demand the cash out of the register if there is no cash.
skrtskrt 13 hours ago|||
The actual cost is shrinkage from general human accounting mistakes and all the extra time it takes to manage.

I worked at the gym in college and we sold like one item a day and it was still a whole bunch of work and pain to keep up on the cash counts correct.

I definitely believe that all businesses should take cash as much as is reasonable, but logistically it is understandable why some choose not to

bigfishrunning 14 hours ago|||
You shouldn't do that anyway; also, you can't skim a credit card I'm not using/carrying. There are crime arguments on both sides.
whamlastxmas 15 hours ago|||
It's not about "just raise prices", it's about some industries (e.g. upstart restaurants) that already have massive failure rates and have hyper competition. Even airlines don't make money on flights, and instead only on selling credit cards or other perks.

If your operating costs are some percentage higher for accepting cash versus the coffee shop across the street that doesn't, you're more likely to fail.

bigfishrunning 15 hours ago|||
If everyone has to accept cash, then everyone has the same costs and the point is moot. At any rate, courts are required to accept legal tender, and I think that requirement ought to extend to businesses as well.
angoragoats 13 hours ago||
> At any rate, courts are required to accept legal tender

Assuming you’re talking about the US here: there is no such requirement, at least not at the federal level. Individual states may have their own laws, but see for example this notice [0] from a Texas federal court that they will no longer accept cash as of May 21, 2021.

[0] https://www.txnb.uscourts.gov/news/notice-court-will-no-long...

underlipton 15 hours ago|||
The real problem for those businesses is way upstream of payment processing costs, namely in the cost of business loans, the general poverty of the American consumer, and (for brick-and-mortars) zoning. The latter is a matter of getting municipalities to relax restrictions put in place mid-century literally to support segregation, and the former two are a matter of forcing the wealthy to eat the costs of their poor decisions from the last few decades, rather than continuing to allow them to socialize related losses through avenues like scandalously low labor pay vis a vis productivity and various investment/asset market scams (which, through housing and passive retirement investment, they've roped in Boomers and older Gen-Xers).

If you wish to make an apple pie shop from scratch, you must first invent an economy that isn't hamstrung by legacy obligations from ventures that people who are long-dead somehow were allowed to finance with your paycheck. (Somewhere, a middle-aged nepo-baby is clutching her pearls at the thought, and I just think we should cherish, rather than shy from, the opportunity to throw her and her siblings under the bus.)

Dylan16807 10 hours ago|||
Handling cash isn't free, but $0.30 + 3% or whatever is also a significant distance from free.
kyleblarson 8 hours ago||||
1987 4runner, no phone, use cash.
King-Aaron 7 hours ago||
I have heard whispers at times that people who operate 'off grid' like this end up being viewed heavily as persons of interest.

Anecdotally via friends in law enforcement.

Henchman21 10 hours ago||||
Perhaps it's time to give up some convenience for old ways, eh?
nullsanity 9 hours ago|||
[dead]
rkagerer 15 hours ago|||
Is there any information about precisely what vehicle telemetry they capture and retain?

I know the laws are far from perfect, but isn't there some legislation compelling them to disclose what they collect?

What specifically would be the most relevant law/regulation? (If it varies by geography, pick any major market, eg. California, that is big enough to impact their engineering design and the content of published material). You mentioned they're cagey, and my aim is to examine if there's a gap between what they're supposed to disclose and what they do, which could be rectified by litigation. Eg. If they just say "vehicle telemetry" that doesn't tell you much, and I'd happily contribute to an EFF effort to get them to elaborate.

Alternatively someone who works close to this code could provide some examples of what a "typical" smartphone OS platform collects these days.

pbhjpbhj 13 hours ago|||
GDPR should work to get a copy of the data, also it would only be allowed to be collected with explicit permission -- I'm assuming that data about your car is PII about you.
KennyBlanken 13 hours ago|||
Generally speaking the author seems to wave a bunch of conspiracies around without the evidence to support it, or frankly, much technical knowledge.

The author seems unaware that in iOS you can uncheck nearly every single location usage the OS and Apple Apps themselves collect.

On iOS not only can you shut off things like traffic reporting while using Maps and cellular/WiFi/Bluetooth data collection... unlike Google, Apple will let you use those services without requiring you contribute to them.

mmooss 12 hours ago||
> the author seems to wave a bunch of conspiracies around without the evidence to support it

The author provides links at the top to credible reporting on relatively well-known privacy concerns.

happyopossum 9 hours ago|||
> They are both very cagey with how they talk about this (or don't).

No, not really - at least not apple. They are very clear on what CarPlay’s privacy stance is, and they’ve got privacy white papers on pretty much everything:

Eg. https://www.apple.com/privacy/docs/Location_Services_White_P...

Again, at least on the apple front this comes off as a ton of “stated without evidence”

like_any_other 9 hours ago||
What does a user see when enabling CarPlay on their iPhone, and not browsing apple.com for random .pdfs?
drnick1 17 hours ago|||
You need GrapheneOS to sever the link to Google. You can also deny specific apps and services Internet access.
MSFT_Edging 15 hours ago|||
Is android auto still available with Graphene? AA is genuinely one of the few life-changing features introduced in the last decade that I'd prefer not to go without.
throw_a_grenade 13 minutes ago|||
Mostly works, some stuff doesn't. The worst thing that doesn't work is alternative maps (e.g. OsmAnd).
subscribed 15 hours ago|||
Yep and works flawlessly via USB for me. That was a deal breaker for me for the longest time too.

Allowing it to connect over Bluetooth requires granting AA plenty of additional permissions which I didn't want to do (but hey, on GOS at least you can muzzle that thing).

wing-_-nuts 13 hours ago|||
I like the idea of graphene, but I worry my banking / brokerage apps wouldn't work anymore and that'd be a deal breaker
drnick1 13 hours ago||
The Graphene community maintains a list of compatible banking apps.

Another possibility is to keep an old/cheap, stock Android phone at home with WiFi only for apps like this.

monkpit 7 hours ago||
Doesn’t that defeat the point of using an app at all? Use a computer at that point.
Angostura 16 hours ago|||
Standard Carplay is essentially an additional screen for your phone - your existing privacy settings carry across. What's your concern?
vk6flab 16 hours ago||
Unfortunately that's not quite true, since the "app screen" on the media display during Android Auto use has an additional "Toyota" icon that AFAIK isn't coming from my phone.

What's more concerning is that it's entirely unclear exactly what information is shared over the Android Auto link, in my case, over Bluetooth.

tadfisher 15 hours ago|||
There's a protobuf-based API for two-way communication between the Android Auto app and the head unit [0]. It depends on what the head unit supports, but this includes data such as GPS location, steering wheel button activation, accelerometer data, parking brake activation, gear selection, touch screen input, dimmer switch position, odometer, and much more.

A lot of this has obvious use within the AA interface; for example, the parking brake position is used to prevent scrolling too far through lists, and the car's GPS is usually much more accurate than the phone's and better on the phone battery.

0: https://github.com/f1xpl/aasdk/tree/development/aasdk_proto (pretty old reverse-engineering effort)

hamburglar 15 hours ago||
One of the things I notice CarPlay has access to is the fan speed. In one of my vehicles, when I say “hey siri” it turns the HVAC fan down so it can hear me better. I’ve always wondered if the interface is the phone telling the car “hey make things quieter” or if it’s explicitly turning the fan down. It’s also interesting that this only happens in one of my cars. I assume it’s because the other car is a higher end vehicle and has a quieter fan.
dmitrygr 15 hours ago||
In GM cars (as observed in my last few), the logic is in the head unit: "mic on -> hvac lower", while "hotword detect" uses a different "mic on" method that does not

EDIT, previously "does not" above said "doe snot", which explains the reply below

addaon 14 hours ago||
I'm sure it's not great, but deer mucus is a bit of an extreme description.
tadfisher 14 hours ago|||
I appreciate this comment, FWIW.
dmitrygr 13 hours ago|||
I never learned to properly touch type, I have my own method, somehow, which uses two fingers of the left hand and three of the right. Spacebar being pressed too soon or too late is, sadly, common :(
Dylan16807 10 hours ago||
Proper touch typing doesn't fix that issue.
adestefan 15 hours ago|||
That icon is a "close Carplay/Auto" button. My Subaru has a Subaru button; my wife's Mazda has a Mazda button.
gruez 16 hours ago|||
>if you connect your phone to the car via Bluetooth then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota

Source? Can bluetooth devices do that without the user's knowledge?

MRPockets 16 hours ago||
I assume that the original article statement is referring to connecting to CarPlay/Android Auto wirelessly, not simply connecting via Bluetooth for a speaker-type setup. But I do not know that this is the case. Certainly, I would assume all privacy bets are off if you connect CarPlay/Android Auto in any manner.
jklinger410 16 hours ago|||
> then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota

How?

colordrops 16 hours ago||
They are probably confusing google auto with bluetooth.
brg1007 15 hours ago||
On Android there is an option called "Bluetooth tethering - Share phone's internet connection via Bluetooth". If it is On and you are connected to the car's bluetooth it will have internet access via your phone.
kccqzy 11 hours ago|||
That's Bluetooth PAN. I would be very surprised that a car will implement this profile.
nullify88 3 hours ago||
I have a 2025 Renault 4 etech and I frequently enable bluetooth tethering so I can access Spotify, HBO etc via the in car entertainment system (it runs a flavour of Android called OpenR Link), not via android auto. Though I frequently need to enable the bluetooth tethering setting on the phone before the profile can be activated via the car's paired devices menu (where you can select other profiles such as Audio, calling, etc)

While the car has a sim card already, I can't use it for general purpose apps without a subscription. Only updates, remote control and I suppose telemetry.

I usually opt for choosing a bluetooth tether instead of wifi since I already establish a connection for calls, or music / audio books.

It isn't hard to imagine Android being able to transmit vehicle telemetry via the same means.

jklinger410 15 hours ago|||
I'm suspicious that the car's system can do this. I don't think we should be assuming your car can tether internet through bluetooth until we see someone snoop Toyota-bound traffic being routed through their phone.
Projectiboga 11 hours ago|||
A 12v bluetooth to FM transmitter can at least give you tunes and a speaker phone feature.
arkadiyt 17 hours ago|||
In a perfect world they wouldn't collect it either, but I'd rather Apple have it than the car manufacturer (or rather, only Apple vs both Apple and the car manufacturer)
zackify 17 hours ago|||
I use android auto through grapheneos thankfully! this is crazy!
b00ty4breakfast 17 hours ago|||
this sounds like donning a TNT vest to defuse a bomb
andrepd 17 hours ago|||
Can you clarify? Does it feed it bullshit data? Because android auto expects car telemetry data which it streams to Google's servers. Which is a big no-no for me for obvious reasons.
piaste 17 hours ago||
It doesn't stop Android Auto from doing whatever with the car data, but it's sandboxed to have no more default privileges than a regular app, so it can be denied access to your phone's data by default (apps, contacts, etc.). Wireless AA will only work if you grant it extra privileges; wired AA does not need them.

You can also "firewall" AA via something like TrackerControl; this would let you block connections to eg. Google Analytics servers without denying network access altogether (which would likely cause AA to stop working). I've only used AA with short-term rentals so I didn't spend too much time exploring these options.

downloadram 1 hour ago|||
tracker control will be itself blocked by android auto, with a stonewall error DISABLE VPN TO USE ANDROID AUTO

not sure if this was caused by an OS update or an AA update because I'm certain it used to work fine

(not graphene, but friends otherwise stock samsung android)

andrepd 16 hours ago|||
Fair enough. Streaming my location and an OBD dump to Google whenever I'm driving is a non-starter for me, so I'll stick with the aux cord!
everdrive 17 hours ago|||
What about if it's just paired as an audio device rather than through an app?
embedding-shape 17 hours ago||
Don't get CarPlay/Android Auto that way though, so no navigation/maps for example.
everdrive 16 hours ago|||
Sure -- I'm not asking a general question, but thinking about my wife's phone, which is paired as an audio device. It sounds like we're probably in good shape.
Jblx2 15 hours ago|||
Are there any cars that support CarPlay/Android Auto that don't have built-in navigation/maps?
embedding-shape 15 hours ago|||
AFAIK, every single one of those "built-in navigation/maps" either requires that the car itself is internet connected (with its own modem), or that you every year get a SD card with map updates to stick into the car.

I guess it's fine in an emergency, but I wouldn't want to use it day-by-day, the live traffic/road closure information in my case ends up saving us tons of time over the year.

Jblx2 12 hours ago||
It is also OK if you only use GPS 3 times per year.
grokx 15 hours ago||||
Mine is from 2013. There are no longer map updates for the built in nav system.

So I bought an Android auto / Car play module that integrates with the car touch screen. Now I have up to date maps and navigation forever. :)

bigfishrunning 15 hours ago||||
My 2019 Subaru legacy supports auto and does not have built in navigation. The aftermarket dashboard display in my 2011 Ford ranger also supports android auto but has no built in GPS.
hoistbypetard 15 hours ago||||
Mine (a US 2017 subaru impreza) supports both and doesn't have built-in navigation/maps.
vel0city 15 hours ago|||
Yes. I can't remember which cars (some base-model Hyundais I think) but I know I've rented a few that did have Android Auto but did not have any navigation included.
internet2000 14 hours ago|||
I trust Apple more than I trust Toyota.
sneak 14 hours ago||
You shouldn’t. Apple preserves backdoors in iCloud encryption to enable warrantless government surveillance. They have no other option.
willis936 13 hours ago||
It's weird to hang up on this specific item because they do actually offer an E2EE icloud option. Lose your key: lose your data.

https://support.apple.com/en-us/108756

sneak 12 hours ago||
Nobody has it on, and unless BOTH sides are using it, your iMessage conversations are all readable by Apple, because they are backed up twice - one for each end.

This option is also disabled in the UK - an intentionally preserved backdoor for government access.

https://support.apple.com/en-gb/122234

willis936 9 hours ago||
Okay fine but I use it and so does everyone in my immediate family and we're not in the UK. So... you're wrong.
phony-account 14 hours ago|||
> The problem with this is that both carplay and android auto capture their own vehicle telemetry. So even though the car is not able to use your phone as a general data pipe, Google and Apple still get access to this data when you're connected.

Do you have evidence or a citation for this? Or is it just the sort of statement that’s made in the pretty certain expectation of upvotes on HN?

platevoltage 9 hours ago||
I would have liked to have seen this citation too instead of seeing you get downvoted.
dyauspitr 10 hours ago|||
Yeah, but at least for now they don’t have the power to remotely disable my car or jack up my insurance prices and I trust Apple 1000% more than any of the other random car companies do not sell my data.
nullc 15 hours ago|||
> then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota [...] so I exclusively use CarPlay via USB.

I would be concerned about a passenger connecting their phone to it while I was driving.

In other cars I've been successful picking up the relevant modules for peanuts from surplus/scrap then just desoldering the RF-active components (like bt radios, etc) and swapping them in. YMMV but if it doesn't work you're just out the cost of a junk part.

Even if some radio feature is benign its existence means that it's hard to be confident that there isn't some other telemetry feature you missed. With no connectivity at all you don't need to worry that you missed something because you can monitor the car with a spectrum analyzer and observe it's never transmitting.

Unfortunately in some newer cars you can't swap any modules without a dealer tool to pair the module to the car, presumably in a bid to prevent third parties from fixing the car (presumably preventing people from lobotomizing their surveillance isn't on their radar yet).

downrightmike 17 hours ago||
They are cagey because they get nearly $100k upfront with crazy interest rates, and then they make a ton of money through their spyware.
pfortuny 17 hours ago||
Honest question: what do you mean?
downrightmike 17 hours ago||
You pay inflated prices for the car and then they still steal and sell your data. This isn't hard to understand, same thing smart TV mfg do.
Jblx2 16 hours ago|||
$100k is in Canadian dollars? I just added almost every accessory/package and option to the 2026 GR Sport Plug-in Hybrid RAV4, and it came out to $55,821. If there were options that were nearly identical, I only added the most expensive one. So I only added one hammock ($340) and one of the Pelican Dayventure Backpack Cooler ($301). This includes the dog first-aid kit, and the human first-aid kit. Maybe all the options will come through this link:

https://www.toyota.com/configurator/build/step/summary/year/...

...maybe there is a lot of dealer markup in your area?

epicide 17 hours ago|||
I think you mean "subsidized" instead of "inflated".
Rooster61 17 hours ago|||
No, they meant inflated. Cars are quite expensive right now, and dealers are notorious for raking in cash through financing. If they were subsidized, prices would be lower to increase user base, as in the aforementioned dynamic present in the current smart TV market.

I think the initial point was that car manufacturers/dealers are double dipping through initial cost/interest AND data harvesting.

alext5 17 hours ago|||
Both a high end TV or a car are expensive items where the manufacturer shouldn’t be making additional income on your personal data.

A free 55 inch TV supported by ads would be subsidized. A big ticket item price likely does not change even if it intrudes on your privacy and the manufacturer makes additional income on your data. In that sense it’s not subsidized it’s just greedy business practices.

funimpoded 14 hours ago||
I haven't had any insight into the industry lately, but did work for a company in that space several years ago.

Most (all?) ordinary TVs, plus things like Roku streaming devices, are sold essentially at-cost. The profit comes from ads and information-brokering stuff. This makes it basically impossible to break into the market without doing the same thing.

alext5 11 hours ago||
What you describe is a business decision.

Different products exist at different price points to cater to different customers.

If you want to sell a subsidized product with the implication that there will be ads, that’s one business strategy, but to say that it’s not viable to have a higher end product that will not sell the user data because it’s not commercially viable is something I’ll have to disagree with.

Computer monitors with no smart features wouldn’t be viable if that was the case.

funimpoded 11 hours ago||
It’s a business decision, but one of the options won’t move enough units to keep Wal-Mart and Target and Costco and Best Buy using shelf space for your product, and the other might.
codezero 9 hours ago||
Does anyone have any details on this claim?

  Important: Even after the modem is removed, if you connect your phone to the car via Bluetooth then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota. However, if you use a wired USB connection then it does not do that (see the discussion here and elsewhere), so I exclusively use CarPlay via USB. I wish I had a way to completely disable the car’s Bluetooth functionality, but it’s deeply integrated into the head unit.
How can data via Bluetooth be routed to an active internet connection? I assume this would only work if you have the manufacturer's car application installed on your phone.

Following the thread linked to, the only thing I can find is very unsubstantiated; https://www.rav4world.com/threads/2019-rav4-dcm-deactivate-p... :

  One caveat, if you use bluetooth to connect your phone to the car DCM will use your phone to connect to the mother ship and presumably send your data. I only use my iPhone cable to connect to the car which does not have this effect.
This sounds like pure speculation, and I would love to hear if there is any information that can substantiate what they are claiming.
phire 7 hours ago||
Yeah, I'm a little suspicious about that claim.

Bluetooth tethering is a thing, actually predates wifi tethering. Though it's not enabled unless you enable Personal Hotspot in your phone settings (and Android requires it to be enabled separately).

CarPlay complicates things, as it only uses bluetooth to pair, then it switches to using a wifi network (as bluetooth doesn't have anywhere near enough bandwidth). Maybe Apple automatically shares internet over that carplay connection?

I have no doubt that the car will use the internet connection if one is exposed, I just doubt it will be exposed automatically.

ruszki 3 hours ago|||
My iPhone automatically shares the internet without enabling hotspot with my Toyota via Bluetooth. It happens automatically. I just start the car, and it happens. And CarPlay is not involved, since there is no such thing in my car.
trinsic2 6 hours ago|||
One thing I notice is that it doesn't appear to upload contacts from your phone in usb mode. I haven't confirmed this.
yonatan8070 6 hours ago||
Bluetooth tethering is a thing, and I believe is enabled by default on Android, maybe it's using that?

For me on Android 16, the setting is in Network & internet > Hotspot & tethering > Bluetooth tethering
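
The question raised in both tethering subthreads (whether a car head unit can take part in Bluetooth PAN at all, and so accept a phone's Bluetooth tethering) can be answered from a Linux box paired with the car. This added example, not code from any commenter, parses the output of BlueZ's `bluetoothctl info <MAC>` for the Bluetooth SIG PAN service UUIDs (PANU 0x1115, NAP 0x1116, GN 0x1117); the device listings and the MAC addresses in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from any commenter in the thread): decide whether a paired
# Bluetooth device, such as a car head unit, advertises a PAN (Personal Area
# Networking) profile, which is what Bluetooth tethering is built on.
# Input is the text printed by BlueZ's `bluetoothctl info <MAC>` on Linux,
# which lists one "UUID: <name> (<uuid>)" line per service the device offers.

# pan_roles: read `bluetoothctl info` output on stdin and print each PAN role
# the device advertises (PANU, NAP or GN), one per line. Prints nothing when no
# PAN service UUID is listed. The UUIDs are the Bluetooth SIG-assigned ones.
pan_roles() {
    # keep the "(xxxxxxxx-....)" part of each UUID line, then the first 8 hex
    # digits, which hold the zero-padded 16-bit service id
    grep 'UUID:' |
    grep -o '([0-9a-fA-F-]*)' |
    tr -d '()' | cut -c1-8 |
    tr '[:upper:]' '[:lower:]' |
    while read -r sid; do
        case "$sid" in
            00001115) echo PANU ;;   # PAN User: connects to someone else's NAP
            00001116) echo NAP ;;    # Network Access Point: shares its own uplink
            00001117) echo GN ;;     # Group ad-hoc Network
        esac
    done
}

# advertises_pan: exit 0 if the device listing on stdin has any PAN role, else 1.
advertises_pan() {
    [ -n "$(pan_roles)" ]
}

# check_device NAME TEXT: one-line human-readable verdict for a device listing.
check_device() {
    name=$1
    roles=$(printf '%s\n' "$2" | pan_roles | paste -sd ' ' -)
    if [ -n "$roles" ]; then
        printf '%s: advertises Bluetooth PAN (%s), so it can take part in Bluetooth tethering\n' "$name" "$roles"
    else
        printf '%s: no PAN profile, so it cannot route traffic through a phone over Bluetooth\n' "$name"
    fi
}

# Constructed sample listing: a head unit offering hands-free, A2DP sink and PANU.
# A real listing comes from: bluetoothctl info AA:BB:CC:DD:EE:FF (placeholder MAC)
SAMPLE_HEAD_UNIT='Device AA:BB:CC:DD:EE:FF (public)
    Name: CAR MULTIMEDIA
    Paired: yes
    Connected: yes
    UUID: Serial Port               (00001101-0000-1000-8000-00805f9b34fb)
    UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
    UUID: Handsfree                 (0000111e-0000-1000-8000-00805f9b34fb)
    UUID: PANU                      (00001115-0000-1000-8000-00805f9b34fb)'

# Constructed sample listing: an audio-only speaker with no network profile.
SAMPLE_SPEAKER='Device 11:22:33:44:55:66 (public)
    Name: BT SPEAKER
    UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
    UUID: A/V Remote Control        (0000110e-0000-1000-8000-00805f9b34fb)'

check_device "head unit" "$SAMPLE_HEAD_UNIT"
check_device "speaker"   "$SAMPLE_SPEAKER"
```

A device that lists no PAN UUID cannot use a phone's Bluetooth tethering, whatever the phone-side setting; a PANU entry means the head unit is able to, so the phone-side toggle is the only thing standing in the way.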

lucisferre 15 hours ago||
I have the same car and want to do this, but not for the reasons the author noted but because the GPS unit in the car is broken when paired with Carplay and has the wrong compass heading causing navigation to be completely useless.

I have reported this to Toyota multiple times with videos detailing the problem and they have denied the problem and ultimately when faced with the evidence simply refused to fix it.

I've been a big fan of Toyota's Production System and their management culture, but this experience has really diminished the brand for me. I realize these problems exist with all cars today. The pattern seems to be to foist low-quality hardware and software on their customers and take no responsibility for the results. Software bugs aren't what they consider a "typical car problem" so they simply don't fix them.

maxwells-daemon 15 hours ago||
I have exactly the same problem in my (latest-model) Honda Civic / Android Auto! I thought I was going crazy, I'm glad to hear someone else has the same problem.

The only fix I've found is to disconnect the phone and use its map standalone, just sending audio over Bluetooth. Maybe it's possible to get Android Auto or Carplay to reject GPS data from the car? I don't know...

kioleanu 2 hours ago||
I had the same problem with my Skoda, but it was fixed under warranty, albeit it took 7 months for them to do it, although they've acknowledged it from day one.

I use Apple CarPlay and one thing that consistently worked was starting the navigation on the phone before it connected to the car.

Otherwise, the fix is relatively simple and cheap: the ECU has to be replaced, it doesn't cost too much, but it's pretty labour intensive.

KennyBlanken 14 hours ago|||
Stop "reporting this to them multiple times" and sue them.

This is exactly why the civil legal system exists.

I promise you a consumer rights attorney will be interested in going after Toyota if you have clear evidence of it.

Or you could take it to an independent mechanic. It's likely just a bad connection to the "sharkfin".

> I realize these problems exist with all cars today.

Nah. It really doesn't, not to the same degree. Consumer Reports has demonstrated this handily for many, many years.

bdamm 15 hours ago|||
Some brands take software very seriously. This isn't an "entire industry" problem.

My experience is pretty small; I've owned the same Tesla Model 3 LR for the last 6.5 years, and the software has been pretty much solid the entire time. There was briefly a problem with echoes when I called land lines using the bluetooth and my iPhone, but that problem eventually went away - not clear if it was because the iPhone changed, the software was updated, or perhaps the particular landline I was calling got an upgraded CO, but for a car that's a pretty good track record. There were some sensor glitches but they got fixed.

I've test driven other cars. Lucid Air - tons of weird glitches. Rivian - almost as good as the Tesla, but laggy UI on a brand new car. My Tesla is almost seven years old and still smooth as the day it was new! How do they do it?

Compass heading specifically does seem to be unusually challenging. Does anyone else recall the bizarre "Google Maps on iPhone is 90 deg off" problem? Totally strange.

mft_ 2 hours ago|||
I had an M3LR during 2021/22 as a company car and during that time they “refreshed” the UI completely which made it objectively worse as a means of interacting with your car (i.e. more taps/levels/menus to get the same simple things done).

Aside from that, it was always pretty solid and IMO better than the typical legacy manufacturer offering.

cheema33 15 hours ago||||
As a fellow Tesla Model 3 LR owner, I can confirm that this has been my experience as well. I bought mine in 2008. So nearly 8 years old and still going strong.
natch 8 hours ago||
You mean in 2018 maybe?
selcuka 5 hours ago||
The year is correct. They omitted to mention that it was a Tesla DeLorean.
NewsaHackO 15 hours ago||||
Yeah, this is similar to what I hear about Tesla's everywhere. While some members of the company leadership can be polarizing, the product itself seems very solid. Have been saving up for my first "good" car since starting my end-career job, really want to get a Tesla, but wish there was a hybrid option due to charger anxiety. Otherwise, would get one already.
dreamcompiler 8 hours ago|||
> charger anxiety

I've done many USA cross-country trips in a Tesla. Chargers are a non-issue if you stick to interstate highways. I often don't, which means I have to do some advance planning. I find that fun. Others might not.

But if I were in the market for an EV today I wouldn't buy a Tesla. It's a great car but until the Musk family is no longer part of the company I won't buy another one or recommend them to others.

UltraSane 14 hours ago|||
"some members of the company leadership can be polarizing" What a cowardly way to say "make multiple nazi salutes"
KennyBlanken 13 hours ago||
and has repeatedly made racist statements

and amplified racially bigoted conspiracy theories

and likes eugenics

and runs companies which have set a record for the highest number of complaints about racial discrimination and bigotry in its workplaces

and bought an entire social media platform solely so he and people with his ideologies could spew bigotry without having their accounts deleted

and, uh, came from a very wealthy white family that lived in one of the most racially oppressive countries on the planet during his youth

UltraSane 10 hours ago||
and seems intent on recreating apartheid in the US.
drnick1 14 hours ago||||
> Some brands take software very seriously. This isn't an "entire industry" problem.

This does not change the fact that Tesla is shamelessly spying on you. In fact, Tesla takes the software so seriously that it can probably fully remotely control your car. This is not something that I would want, and, if I were to be gifted a Tesla, the first thing that I would do is unplug the cellular modem. If the car becomes unusable because of this, I would get rid of it.

KennyBlanken 13 hours ago||
All you need to do is convince your Tesla that it's in a constant state of having just crashed, and then poof, nobody will ever see your data!
Brian_K_White 15 hours ago||||
Tesla takes software very seriously, but for their goals not yours.
bdamm 10 hours ago||
This is just fearmongering trope. You can imagine whatever you like, but there's no evidence that they're anything other than a car and technology company that wants to sell lots of its product.
p_j_w 8 hours ago||
Their employees were caught viewing and sharing nude photos of their customers on slack.
KennyBlanken 13 hours ago|||
> Some brands take software very seriously.

> Tesla

It's really hard to take this claim seriously about a car company that programs its self-driving system to disengage if it detects what it thinks is a likely crash, so said company can then tell investigators, regulators, juries, and the public that "the car wasn't in self-driving mode when it crashed." "I'm not touching her, Mom. THE STICK is touching her!"

...and touts itself as having the most advanced driver assistance and self-driving capabilities, yet has the highest crash rate of any brand? Beating out Mustang and Impreza WRX STi owners is truly an accomplishment, though.

...and (still?) hasn't fixed its issues with "phantom braking" that have caused multi-car pileups

...and has self-driving software documented as being so bad it will randomly swerve at cyclists, steer at light poles while turning, and swerve at crowds of pedestrians on a street corner waiting for the light? Which after years of refinement drives about as well as a highly distracted teenager who just got their learner's permit?

Yeah, taking software "very seriously."

bdamm 10 hours ago||
We were talking about the fundamental experience of driving the car. If you want to pick at the features that the Toyota can't have, then sure, but you might as well complain about it not being able to fly.

My personal experience of the FSD function is that it works as it's supposed to; it handles the mundane tasks of driving while I look around, and it's easy for me to interject when I feel I need to, which is almost never. That's what I wanted and that's what they delivered. It was not so good earlier, yes including phantom braking, but it's very good now.

babypuncher 14 hours ago|||
I don't know about internet, but it actually works the other way for GPS; Carplay/Android Auto relay the car's GPS data to your phone, because that is usually more accurate and it means your phone doesn't have to burn battery constantly polling its own GPS.
giancarlostoro 14 hours ago||
> I have reported this to Toyota multiple times with videos detailing the problem and they have denied the problem and ultimately when faced with the evidence simply refused to fix it.

I don't work for Toyota, but I do wonder, who exactly within Toyota have you contacted? Maybe you're reaching people who have no idea how to reach out to a real engineer within Toyota?

bdamm 10 hours ago||
Resolving basic usability issues shouldn't require infiltrating the company.
everdrive 17 hours ago||
The 2024 Ford Maverick has a single fuse for the telematics unit that you can remove without throwing a code or an error. No idea if this remained true after the 2025-2026 refresh, but worth knowing.

https://www.mavericktruckclub.com/forum/threads/telematics-f...

xattt 17 hours ago||
Kias have a “Massachusetts mode” flag hidden behind a service menu (that needs a dealer code) that disables telematics at the owner’s request. However, the service menu pin also has timeout protection that will inject a waiting period between retries so there is no guessing.

I don’t think there’s convincing my dealer to get into the service menu and disabling it.

I would presume that other manufacturers might have this as well.

copper-float 2 hours ago|||
I was able to enter dealer mode on my 2023 Kia using this tutorial. https://youtu.be/Q2AEhGYnOaA

It let me disable telematics, and Kia support confirmed that my car was flagged as a "Massachusetts variant" even though it wasn't purchased in MA.

ok_dad 16 hours ago||||
Give one of the mechanics $500 and I bet they’ll accidentally drop the password on the floor of the car as they get out after moving it inside to change the oil.
s3p 16 hours ago|||
Or someone get access to 5.5 cyber or mythos and brute force their way in
cucumber3732842 13 hours ago|||
I bet if you can speak to the mechanic without the service advisor supervising the interaction $100 would do it.
ok_dad 12 hours ago||
Yea but it’s worth at least $500 to me so I’d give the guy more, personally. $100 is a nice dinner out, $500 might help pay a bill.
bell-cot 15 hours ago||||
> I don't think there's convincing my dealer...

How far do you live from Massachusetts, and how do you feel about driving vacations?

formerly_proven 12 hours ago||||
> I would presume that other manufacturers might have this as well.

On newer vdubs there’s both a “location services” and an “offline mode” toggle in the infotainment, though this only turns the infotainment SIM off. Obviously this also disables remotely controlling the car using the app.

And the secondary eCall SIM cannot be disabled - not without triggering a fault code and a tell-tale. Since eCall is considered a safety-critical system it has self-monitoring and must work for the vehicle to pass inspection. It even has its own separate power supply. This is true for any vehicle (type) newer than ~2018 in the EU. This probably makes tracking the rough location of any eCall-equipped vehicle quite easy, if you have signaling-level access to the cell network – exactly like in all those SS7 exploits.

edit: turns out they thought about that and eCall modules aren’t supposed to constantly stay connected to a cellular network (dormant mode). Instead they only log onto the cellular network when needed. Difficult to verify as a consumer though.

nullc 15 hours ago||||
> Kias have a “Massachusetts mode” flag hidden behind a service menu (that needs a dealer code) that disables telematics at the owner’s request.

I would be very concerned that the flag just continues to submit your data but with a "telematics disabled" bit set on it. This is absolutely how location privacy is implemented in some devices. Moreover, even if it is effective it could be remotely reset including accidentally as part of an update.

Better than not setting it, I suppose! :)

giancarlostoro 14 hours ago|||
I'm more afraid of the likelihood of someone smashing the window on a modern Kia thinking they can start it up with an iPhone lightning cable (just look up "Kia Boys" if you're confused by any of this) and drive off with it, when in fact, they cannot anymore. Unfortunately, until people stop breaking into Kias I'll avoid the brand in perpetuity.
xattt 10 hours ago|||
Nah, not an issue in Canada since immobilizers are mandatory.
giancarlostoro 9 hours ago||
Not an issue with modern Kias in the US since they come with them, but previous models did not, so guess what, people will break into it regardless. Criminals will break the window, try, and then leave your car damaged.
kotaKat 1 hour ago||||
OK, except the kids these days have the cheap Autel immo/key programmers and the Autel universal keys. They're just cracking into cars, plugging in the Autel, and running the all-keys-lost procedure on quite a few makes and models and just driving away.

You can get an Autel KM100 for under ~$400 from China. Worked great to program in a couple spare keys for my car and less than what the dealer was gonna charge...

https://www.10tv.com/article/news/local/teens-indicted-colum...

drnick1 17 hours ago||
Older Toyotas also had a DCM fuse, and this was the easiest way to get rid of telemetry. I am not sure if partially disassembling the dash and physically removing the DCM is now necessary.
arkadiyt 17 hours ago||
There's still a fuse for the DCM even in this car but:

- It has an internal battery and will keep running for quite a while after pulling the fuse. This is a safety feature in case you get in a crash that disconnects the 12V battery

- It will break your in-car microphone as discussed. Repairing that requires opening up the dash

- That won't do anything for disconnecting the GPS antenna

brewdad 15 hours ago||
GPS is receive only. If you've disabled the ability to send telemetry, there should be no reason to be concerned about the GPS antenna.
fc417fc802 15 hours ago|||
If it keeps collecting telemetry it could upload it later if it ever gets the chance. Better it isn't collected in the first place.
drnick1 14 hours ago|||
Good point, but in practice I think the only way onboard data could be exfiltrated is by a dealer while the car is being serviced. If you DIY or hire an independent mechanic, this seems unlikely.
throwway120385 13 hours ago||
Or by the FBI, NSA, CIA, DHS, or some other interested entity.
willis936 13 hours ago|||
If a TLA is interested in you then you don't need to worry about a data log in your car.
Arch-TK 11 hours ago||
I find comfort in thinking that, if a TLA is interested in me, they have to work a little bit harder.
willis936 9 hours ago||
They don't. They have all internet traffic dragnetted and satellite imaging and radar far beyond what is publicly disclosed. They don't need to check in with some low res crap that insurance companies use to nickel and dime you. If you're trying to escape surveillance and control from TLAs then you better start your moon base plans soon.
mothballed 11 hours ago|||
The kind of organized crime that those people should be focused on are also resistant to this kind of tracking. The cartels and gangs just use burner cars that they dump, possibly with the keys and title still in it. Good luck doing much with the log but you've got the log and even the entire car to try and gather all the evidence you want. This tracking is mainly for hemming up small fry and productive citizens.
willis936 13 hours ago|||
That also means it isn't passed to your phone via android auto / carplay. Phone GPS is much worse than car GPS for road navigation. It's basically unusable.
Arch-TK 11 hours ago||
I've successfully used it in my 2006 Ford Fiesta for about 10 years now...

The reliability is way better than GitHub's uptime.

Better even than my car's uptime.

You must work in telco.

99.9999% or it's unusable :P

willis936 9 hours ago||
My SO immediately sniffed out when the GPS antenna was unplugged from a car with carplay. Unacceptably low spouse approval factor.
kotaKat 1 hour ago||||
My Ford ~(2018 era SYNC system) has GPS and Bluetooth but no cellular modem.

It still technically is used for telemetry... but only when you get into a wreck. It'll ping the onboard GPS at that time for coordinates, then place a voice call over your paired cellphone to 911 with TTS coordinates and information about the wreck.

"Attention. A side crash with rollover has occurred in a Ford vehicle. Multiple impacts detected. The maximum speed change was 38 miles per hour. Airbags deployed. Detected ONE seatbelt fastened. Press 1 at any time for location information, or press 0 at any time to speak with vehicle occupants."

arkadiyt 15 hours ago|||
This is addressed in the blog :)
ezfe 17 hours ago||
Just a note about Toyota specifically - There are many blog posts and articles out there alleging that Toyota shares your data with insurance companies.

As I own two Toyotas I have read through these carefully, and consistently the theme is that the owner was opted into this program without knowing it (likely by the sales person clicking through setup steps to enable every feature). If you are not opted in, I have seen no evidence they share driving data.

When I set up my Toyotas, the app clearly walks through the programs they have and you must click either "yes/opt in" or "no/opt out" for each program. It is not opted in by default.

dylan604 15 hours ago||
I've bought multiple Toyotas from the same dealer, and each time the sales person has been overly aggressive about setting up the app and connecting to the car. The first time I let them do it to a point as I had not seen what it did, but had to prevent them from syncing contacts. After that, I had to be very stern about not needing help to set up an app I was never going to use. I don't know if they are used to neophytes being unable to handle this and think they are doing a service or if it's a push to get people to connect/sync as much as possible.
giancarlostoro 14 hours ago|||
> I don't know if they are used to neophytes being unable to handle this and think they are doing a service or if it's a push to get people to connect/sync as much as possible.

Likely doing it to remove any frustrations from the brand new buyer being unable to figure out how to set it all up. The last thing you need is someone changing their mind about the car they just bought, because well if setting up the app is a PITA, what else is terrible about the car?

dylan604 13 hours ago||
The main problem I had with it is the fact it requires an app in the first place. Once they have an app on your phone, they have access to so much data. The app by nature of the functions it performs will need GPS, Bluetooth, and Contacts at a minimum. Once they have that access, there's nothing stopping them from using it for whatever they want. That's just absolutely not something I'm willing to give a car app. Do we really think their map/routing app will be better than something else I could use instead? I don't even like using map apps because of their power to snoop and report.
ezfe 13 hours ago||
There's no app requirement to use the car, only the app features.
dylan604 11 hours ago|||
wow, did you read too much into that one my friend. of course it's not needed for using the car. it's needed to use the in dash mapping feature.
ezfe 10 hours ago||
Okay so I read your comment to say you didn’t want their mapping service so assumed it was more broad. My bad.

That being said, on re-reading the Toyota app does not require location/Bluetooth/Contacts to set up.

jabroni_salad 15 hours ago||||
according to some guys on r/askcarsales the manufacturers have required KPIs for onboarding app users so they just have to do it.
addaon 14 hours ago|||
I assume any dealer who's comfortable signing a contract (terms of service) on your behalf is comfortable with you signing a contract on their behalf. Time to write yourself a new car.
danbrooks 13 hours ago|||
This aligns with my understanding.

Before 2018-2019, the opt-in process for data sharing was hidden on a website somewhere. Around that time, the form became part of the vehicle purchasing process.

ndesaulniers 14 hours ago||
There was a recent class action suit against GM for this.
Barbing 17 hours ago||
> Unfortunately I think it’s only a matter of time before the modem and GPS become more deeply integrated into the car (making this blog post infeasible), or cars have more drastic failure modes when the modem/GPS is removed, or anti-right-to-repair laws get passed to further clamp down on this behavior.

Guaranteed

hughw 11 hours ago|
It's for the safety of the children.
eigencoder 15 hours ago||
> Important: Even after the modem is removed, if you connect your phone to the car via Bluetooth then the car will use your phone as an internet connection and send all the same telemetry data back to Toyota.

How is this the case? I thought bluetooth was just sharing my phone's audio. Why would it allow requests over the internet? Surely there's a way to tell the phone not to give its internet connection to any connected bluetooth device?

stuckindoors 15 hours ago||
When reading the article I think he appears to be talking about CarPlay/Android Auto connections, not audio-only connections. I think Bluetooth in AA and CarPlay is used to configure a local network between the phone and the car to transmit the images to the car's screen. I would assume that that data capability can also be used for the car to communicate with the Internet.
ezfe 14 hours ago|||
It does produce a local Wi-Fi network but there's no evidence that it supports internet communication. That would be considered a hotspot, which not all carriers even support.
zakisaad 13 hours ago|||
I've never understood how this can be limited in practice: surely as far as the carrier is concerned, all traffic from the mobile device is the same (unless there are identifiers on the traffic coming from hotspotted devices via the mobile device). Here in Australia we've never had any form of hotspot detection/segmentation - if you have a data plan, all data features work (across all carriers). I do recall lots of online chatter from the US though, especially years back when mobile data was more of a precious resource.
ezfe 13 hours ago|||
Your phone voluntarily tags the hotspot data with specific TTL values which carriers use to segment the data. Not all carriers work the same though.
singron 11 hours ago|||
Specifically it decrements the TTL of routed packets, so hotspot traffic will tend to have a TTL of 63 instead of 64. You could theoretically disable this at the risk of creating infinite routing loops, although android probably makes it inaccessible if the kernel has a setting for it at all, so you might have to rewrite packets in user space.
josh3736 2 hours ago||
It has been a long time since I've done this, but:

If your Android is rooted, it's pretty easy to get tethering working. There are Magisk modules that can fix the TTL problem and/or disable the hidden carrier-installed software that Android will ask for permission before enabling tethering.

rkagerer 11 hours ago||||
Different applications on a single device can't apply different TTLs? I thought TTL was a pretty basic knob exposed to applications. e.g. A sensor that transmits fresh data every 20 seconds doesn't need stale packets bouncing around clogging up the pipes, while a file transfer over an intermittently delayed link might benefit from a higher TTL.
eptcyka 11 hours ago||||
Voluntarily tags specific TTL values much like your home router does. Some providers assign a different IP to hotspot users.
taneq 11 hours ago||||
> voluntarily tags

Aah, you mean ‘snitches’. :P

jamiek88 11 hours ago|||
Super easy to spoof too.
drtz 13 hours ago||||
> surely as far as the carrier is concerned, all traffic from the mobile device is the same

Going on a bit of a tangent, but deep packet inspection can identify packets routed using NAT, so if the phone is operating as a typical hotspot it would be identifiable by your carrier. Carriers in the USA used to block / denylist / charge extra for tethering using this exact approach.

HDBaseT 13 hours ago||
Deep Packet Inspection presumably requires a certificate to be installed on my device to allow my connection to be MiTM'd.
codebje 12 hours ago|||
DPI can refer to inspecting beyond just the headers, but since it's more of a marketing term than a technical one, you could also say you're "deeply inspecting" the IP headers of a packet and no-one would show up to arrest you for bad terminology.

Anyway, one way to detect NAT is to observe different TTLs originating from one device. Is that deep inspection? Probably depends on who you ask. The fact that you have to track information across multiple packets counts for something, though.

Off the top of my head I wouldn't really expect there to be much value in a MITM inspection of the contents of HTTP traffic for the purposes of NAT detection. You could probably come up with some scenarios in which it might be possible, but I'd contend those scenarios aren't very practical. Easier to compare TTLs between packets, say, or track connections to known OS "phone home" destinations. While these just use information from the IP layer, they're stateful observations requiring comparisons across multiple packets, and that might count for something.

One way to detect a shitty carrier service, though, is that they're inspecting your traffic for "good" or "bad" uses of their service, because that is a good indicator that they're not just a carrier. I call it Dickish Practices Identification, or DPI.

akerl_ 12 hours ago||||
DPI is distinct from TLS MITM (though many enterprise devices offer both).

The delineation here is between "shallow" packet inspection (which basically nobody refers to because it's just a normal part of networking), where network devices look at just the bits of the packets they need to route / NAT / etc them appropriately.

DPI can tell a ton of things without needing to MITM encrypted layer 7 traffic.

A boring example is that you can tell TLS from OpenSSH traffic just by seeing the initial handshake. sslh ( https://github.com/yrutschle/sslh ) takes advantage of this on the server side to let you run both on the same port.

A less boring example is identifying OpenVPN, Wireguard, etc traffic regardless of what port they're run on, to enable blocking VPN traffic on a network.

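The kind of port-independent protocol identification akerl_ describes, as an added example (not sslh's code and not from the thread): a classifier over the first bytes a client sends. The signatures it uses are the SSH identification string ("SSH-", RFC 4253), the TLS record header (content type 0x16, version major 0x03) followed by a ClientHello handshake type, an HTTP method token, and the WireGuard handshake initiation (message type 1, three reserved zero bytes, fixed 148-byte length). The sample payloads and the backend-port mapping are constructed for the demo and are assumptions of the example, not anything sslh or a carrier actually ships.

```python
"""Demultiplex a flow by its opening bytes, sslh-style, without TLS MITM.

Added example for the thread; not sslh's implementation. All sample
payloads below are constructed. The backend port table is hypothetical.
"""

# ASCII method tokens that open an HTTP/1.x request line.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

# Hypothetical routing table: where a demultiplexer would forward each protocol.
BACKEND_PORTS = {"ssh": 22, "tls-clienthello": 443, "http": 80}


def classify_first_bytes(data, udp=False):
    """Return a protocol label for the first bytes of a flow, or 'unknown'.

    TCP flows are tested for SSH, TLS ClientHello and HTTP; UDP flows only
    for the WireGuard handshake initiation (its data packets, type 4, are
    variable-length and are not fingerprinted here).
    """
    if udp:
        # WireGuard handshake initiation: type 1, reserved zeros, 148 bytes.
        if len(data) == 148 and data[:4] == b"\x01\x00\x00\x00":
            return "wireguard-initiation"
        return "unknown"

    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 22 (handshake), version 0x03 0x00..0x04,
    # 2-byte record length, then handshake type 1 = ClientHello.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls-clienthello"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def demux_target(data):
    """Backend port a demultiplexer would hand this TCP flow to, or None."""
    return BACKEND_PORTS.get(classify_first_bytes(data))


# Constructed sample payloads (not captured traffic).
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.6\r\n"
# TLS 1.2 record header, length 5, then a ClientHello handshake header.
SAMPLE_TLS = b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x03"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# WireGuard initiation: type 1 + reserved zeros, padded to 148 bytes.
SAMPLE_WG = b"\x01\x00\x00\x00" + bytes(144)
SAMPLE_NOISE = b"\x00\x01\x02\x03hello"

if __name__ == "__main__":
    for name, payload, udp in [("ssh", SAMPLE_SSH, False),
                               ("tls", SAMPLE_TLS, False),
                               ("http", SAMPLE_HTTP, False),
                               ("wg", SAMPLE_WG, True),
                               ("noise", SAMPLE_NOISE, False)]:
        print(name, "->", classify_first_bytes(payload, udp=udp),
              "backend:", demux_target(payload) if not udp else "n/a")
```

Nothing here looks inside the encrypted payload; every decision is made on plaintext framing that the protocols themselves put on the wire, which is why a network can block or route these protocols on any port without holding a certificate for the client.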
ninjaoxygen 12 hours ago|||
At one point it was definitely not so deep... carriers were literally looking at the IP TTL and seeing whether it was a recognised value from the phone or a few hops less than one of the common defaults, in which case it was considered tethering traffic.

You could spoof it by finding out your mobile's TTL, overriding the TTL in the connecting device to be one higher than the mobile.

HnUser12 12 hours ago||||
I recently switched to a carrier (Fido/Rogers in Canada). My plan limits hotspot by disabling the hotspot settings on ios. However, I was able to enable it again by changing the access point name.
Centigonal 11 hours ago||||
On android, there is an OS-level feature that checks the cell tower to verify if you're allowed to create a hotspot. It runs whenever you try to enable the hotspot feature. On rooted systems, you can disable this check. There are also apps that let you run a hotspot without using the OS feature, bypassing the check.
taneq 11 hours ago|||
I believe there’s some stuff like that for commercial things. One project I worked on used an ‘IoT portal’ for cloud based telemetry (at the customer’s request) and we had to get a special SIM card for it (although I don’t know if this is still needed.)
rconti 14 hours ago||||
Plus it seems unlikely that the telematics module is even really related to the display screen stuff, let alone being configured to use alternate network connections to transmit data.
dotancohen 13 hours ago|||
How does the carrier know that the traffic is being proxied for another device, and not e.g. requested from the phone's web browser or another app?

Does the phone add a proxy header? Can it be configured to not add the header?

svens_ 13 hours ago|||
There might be multiple methods and heuristics, but one way that I have encountered was based on packet TTL.

Android and Linux use 64 by default - the block could be circumvented by setting the laptop to use 65 TTL.

ywain 13 hours ago|||
Mostly by looking at packets' TTL. It gets decreased by 1 by the hotspot's NAT so if the value is something like 63 or 127 (instead of 64 or 128 which are the defaults for most platforms) then it's almost certain the packet originated from a device behind the phone and not from the phone itself.
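The TTL heuristic that ezfe, singron, codebje, ninjaoxygen, svens_ and ywain describe above, as an added example (not from the thread or from any carrier): packets forwarded by a phone acting as a hotspot have their IP TTL decremented once, so a tethered Linux/Android/macOS/iOS device shows up as 63 and a tethered Windows box as 127 instead of the 64/128 defaults; seeing several distinct TTLs from one subscriber IP is the stateful NAT indicator codebje mentions; raising the tethered device's TTL by one defeats the check. The packet records and field layout are constructed for the demo.

```python
"""Heuristic tethering / NAT detection from IP TTL values.

Added example, not any carrier's code. Models the check described in the
thread: the carrier sees each packet one hop after the phone transmits it,
so a packet the phone originated shows an OS default TTL, while a packet
the phone forwarded shows one less. Sample records are constructed.
"""
from collections import defaultdict

# Initial TTLs commonly set by operating systems on outbound packets.
DEFAULT_TTLS = (64, 128, 255)

# (subscriber IP, TTL as observed at the carrier edge). Constructed data.
SAMPLE_PACKETS = [
    ("10.0.0.5", 64),   # the phone itself (Android/iOS default 64)
    ("10.0.0.5", 64),
    ("10.0.0.5", 63),   # laptop behind the phone: one extra hop
    ("10.0.0.5", 127),  # Windows box behind the phone
    ("10.0.0.7", 64),   # another subscriber, no tethering
    ("10.0.0.7", 64),
    ("10.0.0.9", 64),   # tethered device that set TTL 65, so it arrives as 64
]


def infer_hops(ttl):
    """Return (assumed initial TTL, hops since origin) for an observed TTL.

    Uses the smallest OS default that is >= ttl; the difference is the number
    of routers crossed. Ambiguous for unusual initial TTLs, which is exactly
    why the spoof in spoof_ttl() works.
    """
    for initial in DEFAULT_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"impossible TTL {ttl}")


def looks_tethered(ttl):
    """True if the packet crossed at least one hop before the carrier saw it,
    meaning something sat behind the phone."""
    _, hops = infer_hops(ttl)
    return hops >= 1


def classify_subscribers(packets):
    """Per subscriber IP: whether any packet looks tethered, and whether a NAT
    is suspected (more than one distinct TTL from the same IP)."""
    seen = defaultdict(set)
    for ip, ttl in packets:
        seen[ip].add(ttl)
    return {
        ip: {
            "ttls": ttls,
            "tethered": any(looks_tethered(t) for t in ttls),
            "nat_suspected": len(ttls) > 1,
        }
        for ip, ttls in seen.items()
    }


def spoof_ttl(phone_default, hops_to_phone=1):
    """TTL a tethered device should set so its packets leave the phone with
    the phone's own default and pass the check (the counter-measure several
    commenters describe)."""
    return phone_default + hops_to_phone


if __name__ == "__main__":
    for ip, info in classify_subscribers(SAMPLE_PACKETS).items():
        print(ip, sorted(info["ttls"]),
              "tethered" if info["tethered"] else "clean",
              "| NAT suspected" if info["nat_suspected"] else "")
    print("set a tethered Linux laptop's TTL to", spoof_ttl(64))
```

The last sample subscriber illustrates the limit of the check: once the tethered device sets its TTL one higher than the phone's default, its packets are indistinguishable from the phone's at the IP layer, which is why carriers layer other signals (known OS update endpoints, hotspot entitlement checks) on top.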
happyPersonR 14 hours ago|||
Does anyone have a flow log or pcap or something from the phone showing this tho?
pelotron 14 hours ago|||
I think there are details being left out. But several people in the comments indicate that there is a Toyota app that provides various features. I bet the app implements some proprietary bluetooth service that the head unit connects to and feeds information through. Or maybe they give the head unit a straight pipe to the internet via that service.
ezfe 14 hours ago||
That very much could be the case, in which case deleting the (now useless, because your car is not connected) app would resolve that - no bluetooth restriction needed.
masfuerte 12 hours ago|||
There is a bluetooth protocol for cars to piggyback on your phone's internet connection. There was an article about it here a couple of years ago but I've forgotten the name of the protocol, and trying to search for it turns up a lot of irrelevance.

The fix for this is a phone that doesn't implement that protocol, i.e. not Android or iOS.

IncandescentGas 14 hours ago|||
Is this specific to carplay, or can other bluetooth devices also silently and nefariously hijack your cellular data connection?
jrmg 14 hours ago||
Neither CarPlay nor regular Bluetooth connections allow this. It’s not a thing.

(There is the ability to set up a Bluetooth hotspot on a phone and allow Internet sharing over Bluetooth, but that’s a different thing entirely and you have to explicitly set it up and use it. It’s also slow compared to a modern WiFi hotspot).

j45 14 hours ago||
The bluetooth protocol includes the ability to network, and share connections like a mobile/personal hotspot.

Older versions of bluetooth may have other networking capabilities.

PinguTS 1 hour ago||
Be careful messing with your (modern) car like this. It may work at first glance. At some point in the future you may not be able to unlock your car.

As mentioned in the article as part of the introduction, there were problems with those cars regarding security. Especially with the Rav4 where a colleague, Ken Tindell, showed a very serious flaw: https://kentindell.github.io/2023/04/03/can-injection/

Because of this OEMs build in more and more security, like SecOC with Autosar and other similar things. More and more of those security features depend on certificates in the devices that have an expiration time. Those certificates need to be rotated regularly. If the rotation does not happen, because of missing communication with the mothership, then the security will fail, which finally will lock you out of your car.

That will be true for all the coming luxury car models.

IIRC, Tesla has had something like this for years in their cars. They can be offline for a certain period of time. But when this runs out, you will be out of luck.

bobmcnamara 56 minutes ago||
It's a Toyota - you already can't unlock it in heavy rain.
benob 1 hour ago||
Does changing the date fix it?
s3p 15 hours ago|
I would like everyone to know that if you have a brand new Kia, the process is even easier. I spent $20 on the Kia service manual access (didn't even know that was a thing until I read OP's post) and finally figured it out.

Modern Kias with the CCNC cockpit have a data connectivity unit that exclusively handles cellular. If you can get this unit unplugged, which only requires two Phillips head screws to remove, you're set. It took me nearly 2 years to figure this out. Thanks OP

hedora 7 hours ago||
If you are considering purchasing a Kia, insist on getting a loaner or a 24 hour test drive.

The active driver assistance features are criminally dangerous.

Sadly, the current administration is more interested in illegally locking Kia’s engineers in cages than actually enforcing consumer protection or safety regulations.

Anyway, avoid them and Hyundai. If you don't believe me, drive in rush hour for 30 minutes and frequently change lanes. Be sure to be on the road at dusk and dawn to get the full experience, where glare confuses the onboard cameras, so regen braking flaps on and off, and it repeatedly overrides steering and sets off spurious cabin alarms.

I’d suggest parking a few times at a costco during peak hours, but I don’t want to get anyone killed.

4rt 3 hours ago||
I hired a peugeot something (MPV) to drive in the french alps and it was insanely dangerous.

Driving mountainous switchbacks with very tight corners it was so strict about not wanting to cross the central line that it frequently tried to dump me into either the mountain or over the cliff.

Similarly on straight 2 lane roads where only really the centre was clear of snow and ice it was adamant that I should be driving with 2 wheels in deep snow instead of daring to drive in the middle.

HDBaseT 11 hours ago||
Any clues on how to disable any telemetry on a Kia Stinger?
s3p 3 hours ago||
Yes!! I still have access to all their service manuals for the next 48 hours.

What's your year model and engine? I'll look it up.
