Malware In Cars

Malware means software designed to function in ways that mistreat or harm the user. (This does not include accidental errors.)

Malware and nonfree software are two different issues. The difference between free software and nonfree software is in whether the users have control of the program or vice versa. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.

Some examples of malware in cars are listed below.

If you know of an example that ought to be in this page but isn't here, please write to <webmasters@gnu.org> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.

Volkswagen programmed its car engine computers to detect the Environmental Protection Agency's emission tests, and run dirty the rest of the time. In real driving, the cars exceeded emissions standards by a factor of up to 35.

Using free software would not have stopped Volkswagen from programming it this way, but would have made it harder to conceal, and given the users the possibility of correcting the deception.

Former executives of Volkswagen are being sued over this fraud.
Tesla cars collect lots of personal data, and when they go to a junkyard the driver's personal data goes with them.
The FordPass Connect feature of some Ford vehicles has near-complete access to the internal car network. It is constantly connected to the cellular phone network and sends Ford a lot of data, including car location. This feature operates even when the ignition key is removed, and users report that they can't disable it.

If you own one of these cars, have you succeeded in breaking the connectivity by disconnecting the cellular modem, or wrapping the antenna in aluminum foil?
New GM cars offer the feature of a universal back door.

Every nonfree program offers the user zero security against its developer. With this malfeature, GM has explicitly made things even worse.
In China, it is mandatory for electric cars to be equipped with a terminal that transfers technical data, including car location, to a government-run platform. In practice, manufacturers collect this data as part of their own spying, then forward it to the government-run platform.
GM tracked the choices of radio programs in its “connected” cars, minute by minute.

GM did not get users' consent, but it could have got that easily by sneaking it into the contract that users sign for some digital service or other. A requirement for consent is effectively no protection.

The cars can also collect lots of other data: listening to you, watching you, following your movements, tracking passengers' cell phones. All such data collection should be forbidden.

But if you really want to be safe, we must make sure the car's hardware cannot collect any of that data, or that the software is free so we know it won't collect any of that data.
AI-powered driving apps can track your every move.
Bad security in some cars makes it possible to remotely activate the airbags.
Tesla used software to limit the part of the battery that was available to customers in some cars, and a universal back door in the software to temporarily increase this limit.

While remotely allowing car “owners” to use the whole battery capacity did not do them any harm, the same back door would permit Tesla (perhaps under the command of some government) to remotely order the car to use none of its battery. Or perhaps to drive its passenger to a torture prison.
The mobile apps for communicating with a smart but foolish car have very bad security.

This is in addition to the fact that the car contains a cellular modem that tells big brother all the time where it is. If you own such a car, it would be wise to disconnect the modem so as to turn off the tracking.
Audi's proprietary software used a simple method to cheat on emissions tests: to activate a special low-emission gearshifting mode until the first time the car made a turn.
Due to weak security, it is easy to open the doors of 100 million cars built by Volkswagen.
Computerized cars with nonfree software are snooping devices.
The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to access its computers remotely and make changes in various settings.

That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, which means it demands blind faith from its users.

Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem, though.
Caterpillar vehicles come with a back door to shutoff the engine remotely.
Security researchers discovered a vulnerability in diagnostic dongles used for vehicle tracking and insurance that let them take remote control of a car or lorry using an SMS.
Crackers were able to take remote control of the Jeep “connected car”. They could track the car, start or stop the engine, and activate or deactivate the brakes, and more.

I expect that Chrysler and the NSA can do this too.

If I ever own a car, and it contains a portable phone, I will deactivate that.
DRM in cars will drive consumers crazy.
Tesla cars allow the company to extract data remotely and determine the car's location at any time. (See Section 2, paragraphs b and c of the privacy statement.) The company says it doesn't store this information, but if the state orders it to get the data and hand it over, the state can store it.
Proprietary software in cars records information about drivers' movements, which is made available to car manufacturers, insurance companies, and others.

The case of toll-collection systems, mentioned in this article, is not really a matter of proprietary surveillance. These systems are an intolerable invasion of privacy, and should be replaced with anonymous payment systems, but the invasion isn't done by malware. The other cases mentioned are done by proprietary malware in the car.
It is possible to take control of some car computers through malware in music files. Also by radio. More information in Automotive Security And Privacy Center.