[emidln]

My 2025 Mazda Miata has a CAN connected Telematics Control Unit that sends a bunch of data to Mazda on ignition off. Among this data is acceleration and velocity data along with coordinates sampled for where you were. It is also used as a gateway for the Mazda app to start your car, query your vehicle's tire pressure, etc. It is claimed that you can opt out of this by calling Mazda and being persistent.

The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board and a can transceiver to enable writing a two way filter capable of blocking the traffic that didn't raise any DTCs (that I observed) and could be turned on/off by the user. I preferred this approach to complete disconnection of the module (which is noticeable via errors at the diagnostic port) or trying to faraday cage or disable the antennae on the TCU so it can't remotely send/receive. I can also turn off my module or completely remove it before I sell it.

I fear the next version of Miata will be an encrypted CAN like most other cars have moved to and even with my expertise I won't be able to access the latest safety features from new cars without surrendering what little privacy I've been able to claw back.

[wormslayer666]

I opted to try the "beg the manufacturer to turn off the panopticon" approach[1]. The first time I got 2 hours of elevator music before hanging up, the second I went through 3 levels of customer support before they claimed it was done (3 days later). Might have to steal your approach to verify that though...

[1] https://www.mazdausa.com/site/privacy-connectedservices

[nja]

Have you posted any writeups or other information about how you built this? I'm eyeing a Mazda as a next car (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon), and telemetry seems like one of the few downsides to an otherwise good carmaker. Would be very interested to learn more!

[tavavex]

> (I've never owned a car newer than a 2014, and outside of that one, any newer than 2006, but family safety needs may lead to getting a newer car soon)

I don't know much about automotive safety, but has much actually changed since 2014 in terms of safety standards? I had thought that by the 2010s, basically everyone big had already figured out how to build a relatively safe car from a structural standpoint. Or are you only talking about electronic assistive features, like proximity sensors or lane assist?

[M95D]

> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board

And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)

[emidln]

I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.

[andrei_says_]

As anonymous as there are Miatas in your neighborhood parking in your driveway.

[mindslight]

It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.

I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.

(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))

[emidln]

If you can be prosecuted for guessing urls you can be prosecuted for sending garbage data in a way you know will be uploaded to a remote system.

[rockskon]

The DoJ lost the case they went after for someone guessing URLs.

[monerozcash]

They lost it because they charged in the wrong jurisdiction.

Also come on, you can't reasonable describe that case as being about "guessing urls". It's the associated chat logs that really make the case.

[red-iron-pine]

link me

[vkou]

You think criminalizing guessing URLs is unreasonable.

What about guessing passwords? Should someone be prosecuted for just trying to bruteforce them until one works?

[estimator7292]

Guessing passwords is an attempt to access privileged information you have no right to access, and could not otherwise access without bypassing security measures.

Guessing a URL is an attempt to access (potentially) privileged information which was not secured or authenticated to begin with.

A password is a lock you have to break. An unlisted URL is a sticky note that says "private" on the front of a 40" screen. It's literally impossible for that information to stay private. Someone will see it eventually.

[BobbyTables2]

Guessing URLs is equivalent to ordering an item not on the menu in a restaurant. The request may or may not be granted.

[wakawaka28]

Passwords are different from URLs because URLs are basically public, whereas passwords aren't supposed to be. Furthermore, this is not 1995. Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary. The physical analogy would be, walking through an unlocked and unmarked door that faces the street in a busy city, versus picking a lock on that door and then walking through it.

[nkrisc]

How do I know which URLs of a website are legal to visit and which are illegal?

[Dylan16807]

It depends on stuff.

Sometimes a URL can have a password in it.

But when it's just a sequential-ish ID number, you have to accept that people will change the ID number. If you want security, do something else. No prosecuting.

[irilesscent]

I think criminalising both is unreasonable, what you do with the URL you accessed or the password you guessed however is different.

[mindslight]

As a strictly logical assertion, I do not agree. Guessing URLs is crafting new types of interactions with a server. The built in surveillance uploader is still only accessing the server in the way it has already been explicitly authorized. Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.

As a pragmatic matter, I do completely understand where you're coming from (my second paragraph). In a sense, if one can get to the point of being convicted they have been kind of fortunate - it means they didn't kill themselves under the crushing pressure of a team of federal persecutors whose day job is making your life miserable.

[monerozcash]

>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

If your goal is to deliberately "poison" their data as suggested before, it's kind of obvious that you are knowingly causing the transmission of information in an effort to intentionally cause damage to a protected computer without authorization to cause such damage.

>Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.

This has very little to do with the TOS though, unless the TOS specifically states that you are in fact allowed to deliberately damage their systems.

And no, causing damage to a computer does not refer to hackers turning computers into bombs. But rather specifically situations like this.

[cameldrv]

It might be interesting for an enterprising lawyer to try to flip this around. Suppose you send a letter to your car manufacturer saying that, as the owner of the car, you are prohibiting them from accessing the location of the car or performing unauthorized software updates and that any attempt to circumvent this will result in criminal prosecution for unauthorized access to your computer.

[monerozcash]

Prosecuting someone for deliberately injecting garbage data into another persons system hardly seems totalitarian.

> You own the device, so anything you do within that device is authorized

You're very clearly describing a situation where at least some of the things you're doing aren't happening on your own device.

>I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law

FWIW this is simply not true. The essence of the CFAA is "do not deliberately do anything bad to computers that belong to other people".

The supreme court even recently tightened the definition of "unauthorized access" to ensure that you can't play silly games with terms of service and the CFAA. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf

[elzbardico]

My device. I generate whatever the fuck the data I want. If you log it, kiss my ass.

[monerozcash]

Sure, I have the same attitude when it comes to the government telling me that I'm not allowed to use drugs. Doesn't mean I'm in the clear from a legal point of view.

However, it's worth clarifying that the important detail isn't generating the data, but sending it. Particularly the clearly stated malicious intent of "poisoning" their data.

This seems like exactly what the lawmakers writing CFAA sought to criminalize, and is frankly much better justified than perhaps the bulk of things they tend to come up with.

>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

Doesn't seem exactly unfair to me, even if facing federal charges over silly vandalism is perhaps a bit much. Of course, you'd realistically be facing a fine.

[ponector]

If you paid for a device it doesn't mean you have no rules set up on how you can operate it. I'm sure the is an EULA you agreed to.

As anecdote, while buying a new car I signed a statement that I'm not going to resell it to russia.

[JuniperMesos]

No it does in fact seem totalitarian. I support repealing the CFAA.

[monerozcash]

I would absolutely love to hear the arguments behind this.

[AngryData]

If you were to purposefully try to poison/damage their dataset and admitted as such you probably wouldn't win without spending an unreasonable amount of money on lawyer fees. Without admitting anything though and claiming ignorance it would probably be pretty easy to get dismissed, provided you are able to spend atleast some money on a lawyer.

[culi]

Then do the opposite. Poisoned data that can improve your insurance rates

[MisterTea]

if(velocity > 55) velocity = 55;

[micromacrofoot]

they use the data mostly to charge you more, you can't really get the price all that lower

I've had a clean driving record for 30 years and I'm still paying the junk rates most other people get

[tavavex]

So, it's like credit scores, basically? Advertise a happy, meritocratic future for consumers, where the "better"/more responsible ones will reap massive rewards at the expense of the "worse" consumers, and then keep adjusting the brackets until the system is only used punitively - you don't really get anything from a high score nowadays, your only goal is clearing a certain low bar to avoid negative consequences.

[micromacrofoot]

Yeah exactly... it's stick or no stick, the carrot is the razor thin margin only used to keep you away from the competitors.

At this point car insurance has gotten so bad that it's becoming normal that you can save hundreds of dollars by switching providers every 6 months. These companies are probably making millions on people who are just too exhausted to switch constantly.

[elzbardico]

Oh man. Logging insane average speeds and ludicrous acceleration during rush hour. Deliciously tempting idea.

[idiotsecant]

Draw the old twig and berries in gps coordinates in hundreds of random cities, with velocity between points carefully kept to regular traffic speeds every single day until they shut the modem off.

[tehjoker]

A data scientist will simply filter out impossible data when conducting an analysis

[elzbardico]

That’s why you make this as popular as possible

[tehjoker]

that only works if the values are plausible

[GuinansEyebrows]

you give a lot of credit to an industry poisoned by the profit motive

[tehjoker]

Just make sure you are criticizing the industry on things that are real. Accurate data collection (put not necessarily publication to a broad audience) is something industry does. Decision makers want to understand reality, they don't necessarily want you to though.

[drnick1]

I see absolutely no reason not to completely unplug the cellular modem. The only thing that would stop me is an annoying error message or warning light in the gauge cluster. My car does not display any of these, but unplugging the modem results in losing the right speaker and microphone, unless a bypass harness is used.

[vitaflo]

The modem is usually in the sharkfin with the XM radio chipset and GPS. If you can unplug it at the sharkfin that's usually the best course of action. Some cars may bark at you, but mine just says it can't detect GPS if I attempt to use it (which I never use anyway).

[MrDrMcCoy]

Wouldn't it be better to connect resistive pigtails to the antenna connectors on the board? A little more work to get to, but less risk to damaging paint and weather seals, and would do a better job preventing signal leakage. I'm no expert on such things, but will definitely be looking at something like that for the next car I buy.

[vitaflo]

Not sure what you mean, the antennas are on the sharkfin board and you get to it from under the headliner not from the top of the car. It's much easier just to disconnect the cable that goes to the sharkfin than actually removing the entire module in the sharkfin.

[MrDrMcCoy]

Ah, didn't know there was a board in there or that there was a way to get to it from the cabin.

[CamperBob2]

I fear the next version of Miata will be an encrypted CAN like most other cars have moved to

As I understand it, they're required to do that now if they want to sell in the EU. They emphatically do not want anyone tinkering with their cars.

[bri3d]

They don’t want people modifying ADAS systems mostly, and the main requirement is SecOC, which is cryptographic authentication but the message is still plaintext. Basically they don’t want third party modifications able to randomly send the “steer left” message to the steering rack, for example.

[rconti]

The ADAS systems mandated in Europe are insanely intrusive. I had a few rental cars in Europe this summer and wanted to send them off a cliff. (and I'm not an auto tech luddite, I've had modern cars in the US with autopilot type systems, lane keep, blind spot warning, rear traffic assist radar, forward collision warning, etc. IMO rear traffic assist/FCW/AEB tend to work really well, autopilot pretty well, and lane keep and blind spot silly gimmicks at best).

Bring on the full self-driving cars, or let me drive my own car. This human-in-the-loop middle state is maddening. We're either supervising our "self-driving, but not really" cars, where the car does all of the work but we still have to be 100% aware and ready to "take over" the instant anything gets hard (which we know from studies is something humans are TERRIBLE at)... Or, we're actively _driving_ the car, but you're not really. The steering feel is going in and out as the car subtly corrects for you, so you can't trust your own human senses. Typically 40% brake pedal pressure gets you 40% brake pressure, unless you lift off the throttle and hop to the brakes quickly, in which case it decides when you apply 40% pedal pressure you actually want 80% brake pressure. Again, you can't trust your human senses. The same input gets different outputs depending on the foggy decisions of some computer. Add to that the beeping and ping-ponging and flashing lights in the cluster.

It's like clippy all over again. They've decided that, if one warning is good and helpful, constant alerts are MORE good and MORE helpful. Not a thought has been given to alert fatigue or the consequences of this mixed human-in-the-loop mode.

[mattclarkdotnet]

So much this. We had a rental BYD in Greece this summer, and while it was actually great car in general the mandated “assistance” was awful.

It constantly got the speed limits wrong, constantly tried to tug me out of the correct lane, and was generally awful. It could be disabled but was re-enabled on each restart of the ignition because it’s mandated by EU regulation.

I appreciate a Greek island perimeter road may be a worst case scenario, but it did the same with roadworks on the freeway and many other situations.

Actively dangerous in my experience…

[hdgvhicv]

“Lane keep” yanks the wheel dangerously because it incorrectly detects the lane, or because you don’t indicate to pass a pothole on an empty road (which itself would be confusing to other road users)

Forward collision warning has misfired on 2 occasions on me in the last 3 years

The main issue is that so many cars have broken “auto dipping” headlights which don’t dip, or matrix headlights which don’t pick out other cars.

This automation shit should stop, but it won’t.

parking beepers are reasonable, they simply come on occasionally and don’t actually interfere when they go wrong. The rest of it just makes things far worse at scale.

[emidln]

> Forward collision warning has misfired on 2 occasions on me in the last 3 years

My Lexus is afraid of a bush behind my garage in the alley. It's on a neighbors property and not really overgrown, but my car refuses to get within about 5 ft of it. Makes backing out a nightmare. I haven't figured out a way to disable it, and have considered just selling this 2025 NX.

[toast0]

> I haven't figured out a way to disable it, and have considered just selling this 2025 NX.

I found this for the TX, might work for the NX as well?

Try disabling Parking Support Brake under vehicle settings > drive assist.

[mistrial9]

parking beepers -- that do not go off immediately when you start a parked car

[CamperBob2]

Yes, and to do that, CAN must be encrypted. The idea isn't just to secure it from hackers. The idea is to secure it from owners.

[bri3d]

> SecOC, which is cryptographic authentication but the message is still plaintext

[CamperBob2]

Oh, OK, that's better. I can see what my car is doing, I just can't do anything about it.

[RealityVoid]

I integrated SecOC on some ECU's at work. I hate myself for it. I frigging hate what they're doing with this. I think it's going to make cars less repairable, less modifiable. It's a horrible horrible stupid initiative in the name of "cybersecurity".

[bri3d]

I understand notionally where they were going, but it all sort of went off the deep end somewhere along the line. A concern that someone buying some "mileage blocker" or whatever other shady device off of AliExpress might be vulnerable to the device steering their car into a wall is actually quite a valid one, but of course the solution is some overcomplicated AUTOSAR nightmare that doesn't solve for key provisioning in a way to make modules replaceable.

[RealityVoid]

I have less trust in their good intentions. I think OEM's want to lock down their platforms in order to squeeze extra revenue streams. And I tend to be quite charitable with my interpretations.

As an aside, I checked out your GitHub. Cool projects, the vag flashing tool looks super useful, might actually give it a spin in sive development projects.

[culi]

For anyone else confused, Diagnostic Trouble Codes (DTCs). Automotive context

[ranger_danger]

Can't you just turn off "Connected Services" in the menu?

I have been canceling that stupid warning message it presents when leaving it off, every day for several years now.