Hacker News new | ask | show | jobs
by sfaxon 1011 days ago
I own a VW ID.4. For reasons I wanted to reverse engineer some of the API. After authenticating to the account tied to my car, the landing page (https://www.vw.com/en/owners.html) makes calls to a lot of analytics trackers. I'll just list what pi-hole defaults block:

analytics.tiktok.com

sp.analytics.yahoo.com

googletagmanger.com

universal.iperceptions.com

cdn4.userzoom.com

snap.licdn.com

secure-ds.serving-sys.com

bat.bing.com

ct.pinterest.com

adherent.com

And a few others. I would guess the phone app (which has access to the car location) has a similar list of trackers. I hope to get some time to MITM the app to be able to know for sure.
1 comments
creeble 1011 days ago
Just to be clear, these are trackers from the web page, not trackers called by your car, correct?

I'm never surprised by the web trackers (which my ad blocker generally filters too), but 3rd-party trackers called from devices/vehicles seems more insidious.

Although the car / IoT companies can just as easily outsource the data once they have it anyway.

link
Nextgrid 1011 days ago
They however still have access to the JS context and thus the authenticated session when you are on the website. They can most likely exfiltrate all the data visible on the page and maybe even the auth token for further server-side misuse after you've closed the page.
link
sfaxon 1011 days ago
Yes, this is from the web page. Where I can manage my vehicle (see VIN, etc) and has my home address, dealer information, etc.

I would be interested to hear of a way to intercept internet traffic between the vehicle and the internet.

link
waterheater 1011 days ago
If you're being extra paranoid, you'd need to spoof a cell tower. Spoofing a Wifi AP and monitoring traffic with Wireshark gets you network traffic, but you can't know if the vehicle sends certain information exclusively over the cell network, short of on-vehicle firmware and software analysis. Also, if you wanted to go with the Wifi approach, you need to force Wifi connectivity, which would probably mean going outside of cell tower coverage or unplugging the vehicle's cellular antenna, both of which may affect what the car transmits.
link
hedora 1011 days ago
Our GMC's telemetry showed up on the "list of crap you can delete" in my unused facebook account.
link