<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.92 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Malware In Cars
- GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
 <!--#include virtual="/proprietary/po/malware-cars.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
 <img id="side-menu-icon" height="32"
      src="/graphics/icons/side-menu.png"
      title="Section contents"
      alt=" [Section contents] " />
</a>

<p class="breadcrumb">
 <a href="/"><img src="/graphics/icons/home.png" height="24"
    alt="GNU Home" title="GNU Home" /></a> /
 <a href="/proprietary/proprietary.html">Malware</a> /
 By product /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#if expr="$OUTDATED_SINCE" --><!--#else -->
<!--#if expr="$LANGUAGE_SUFFIX" -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="no" -->
<!--#include virtual="/server/top-addendum.html" -->
<!--#endif -->
<!--#endif -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Malware In Cars</h2>

<p><a href="/proprietary/proprietary.html">Other examples of proprietary malware</a></p>

<p>Here are examples of malware in cars.</p>

<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>

<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>

<div class="article">
<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>

<div class="column-limit" id="malware-cars"></div>

<ul class="blurbs">
  <li id="M202008181">
    <p>New Toyotas will <a
    href="https://www.theregister.com/2020/08/18/aws_toyota_alliance/">
    upload data to AWS to help create custom insurance premiums</a>
    based on driver behaviour.</p>

    <p>Before you buy a “connected” car, make sure you can
    disconnect its cellular antenna and its GPS antenna.  If you want
    GPS navigation, get a separate navigator which runs free software
    and works with Open Street Map.</p>
  </li>
  
  <li id="M202007010">
    <p>BMW will remotely <a
    href="https://www.cnet.com/roadshow/news/bmw-vehicle-as-a-platform/">
    enable and disable functionality in cars</a> through a universal
    back door.</p>
  </li>

  <li id="M201912171">
    <p>Most modern cars now <a
    href="https://boingboing.net/2019/12/17/cars-now-run-on-the-new-oil.html">
    record and send various kinds of data to the manufacturer</a>. For
    the user, access to the data is nearly impossible, as it involves
    cracking the car's computer, which is always hidden and running with
    proprietary software.</p>
  </li>

  <li id="M201909160">
    <p>Tesla users claim Tesla <a
    href="https://www.reuters.com/article/us-tesla-battery/tesla-owner-lawsuit-claims-software-update-fraudulently-cut-battery-capacity-idUSKCN1UY2TW">force-installed
    software to cut down on battery range</a>, rather than replace the
    defective batteries. Tesla did this to avoid having to run their
    warranty.</p>

    <p>This means that proprietary software can potentially be a way to
    commit perjury with impunity.</p>
  </li>
  
  <li id="M201904150">
    <p id="M201509210">Volkswagen programmed its car engine computers to <a
    href="https://www.petri.com/volkswagen-used-software-to-cheat-on-emissions">
    detect the Environmental Protection Agency's emission tests</a>, and
    run dirty the rest of the time. In real driving, the cars exceeded
    emissions standards by a factor of up to 35.</p>

    <p>Using free software would not have stopped Volkswagen from
    programming it this way, but would have made it harder to conceal,
    and given the users the possibility of correcting the deception.</p>

    <p>Former executives of Volkswagen are being <a
    href="https://www.theguardian.com/business/2019/apr/15/former-head-of-volkswagen-could-face-10-years-in-prison">
    sued over this fraud</a>.</p>
  </li>

  <li id="M201903290">
    <p>Tesla cars collect lots of personal data, and <a
    href="https://www.cnbc.com/2019/03/29/tesla-model-3-keeps-data-like-crash-videos-location-phone-contacts.html">
    when they go to a junkyard the driver's personal data goes with
    them</a>.</p>
  </li>

  <li id="M201902011">
    <p>The FordPass Connect feature of some Ford vehicles has <a
    href="https://www.myfordpass.com/content/ford_com/fp_app/en_us/termsprivacy.html">
    near-complete access to the internal car network</a>. It is constantly
    connected to the cellular phone network and sends Ford a lot of data,
    including car location. This feature operates even when the ignition
    key is removed, and users report that they can't disable it.</p>

    <p>If you own one of these cars, have you succeeded in breaking the
    connectivity by disconnecting the cellular modem, or wrapping the
    antenna in aluminum foil?</p>
  </li>

  <li id="M201812300">
    <p>New GM cars <a
    href="https://media.gm.com/media/us/en/gmc/vehicles/canyon/2019.html">
    offer the feature of a universal back door</a>.</p>

    <p>Every nonfree program offers the user zero security against its
    developer. With this malfeature, GM has explicitly made things even
    worse.</p>
  </li>

  <li id="M201811300">
    <p>In China, it is mandatory for electric
    cars to be equipped with a terminal that <a
    href="https://www.apnews.com/4a749a4211904784826b45e812cff4ca">
    transfers technical data, including car location,
    to a government-run platform</a>. In practice, <a
    href="/proprietary/proprietary-surveillance.html#car-spying">
    manufacturers collect this data</a> as part of their own spying, then
    forward it to the government-run platform.</p>
  </li>

  <li id="M201810230">
    <p>GM <a
    href="https://boingboing.net/2018/10/23/dont-touch-that-dial.html">
    tracked the choices of radio programs</a> in its
    “connected” cars, minute by minute.</p>

    <p>GM did not get users' consent, but it could have got that easily by
    sneaking it into the contract that users sign for some digital service
    or other. A requirement for consent is effectively no protection.</p>

    <p>The cars can also collect lots of other data: listening to you,
    watching you, following your movements, tracking passengers' cell
    phones. <em>All</em> such data collection should be forbidden.</p>

    <p>But if you really want to be safe, we must make sure the car's
    hardware cannot collect any of that data, or that the software
    is free so we know it won't collect any of that data.</p>
  </li>

  <li id="M201711230">
    <p>AI-powered driving apps can <a
    href="https://www.vice.com/en/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move">
    track your every move</a>.</p>
  </li>

  <li id="M201709290">
    <p>Bad security in some cars makes it possible to <a
    href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14937">
    remotely activate the airbags</a>.</p>
  </li>

  <li id="M201709090.1">
    <p>Tesla used software to limit the part of the battery
    that was available to customers in some cars, and <a
    href="https://techcrunch.com/2017/09/09/tesla-flips-a-switch-to-increase-the-range-of-some-cars-in-florida-to-help-people-evacuate/">
    a universal back door in the software</a> to temporarily increase
    this limit.</p>

    <p>While remotely allowing car “owners” to use the
    whole battery capacity did not do them any harm, the same back
    door would permit Tesla (perhaps under the command of some
    government) to remotely order the car to use none of its battery. Or
    perhaps to drive its passenger to a torture prison.</p>
  </li>

  <li id="M201702170">
    <p>The mobile apps for communicating <a
    href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with
    a smart but foolish car have very bad security</a>.</p>

    <p>This is in addition to the fact that the car contains a cellular
    modem that tells big brother all the time where it is.  If you own
    such a car, it would be wise to disconnect the modem so as to turn
    off the tracking.</p>
  </li>

  <li id="M201611060">
    <p><a
    href="http://jalopnik.com/america-figured-out-a-new-way-audi-cheated-on-emissions-1788630969">
    Audi's proprietary software used a simple method to cheat on emissions
    tests</a>: to activate a special low-emission gearshifting mode until
    the first time the car made a turn.</p>
  </li>

  <li id="M201608110">
    <p>Due to weak security, <a
    href="http://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844">it
    is easy to open the doors of 100 million cars built by
    Volkswagen</a>.</p>
  </li>
  
  <li id="M201607160">
    <p id="car-spying">Computerized cars with nonfree software are <a
    href="http://www.thelowdownblog.com/2016/07/your-cars-been-studying-you-closely-and.html">
    snooping devices</a>.</p>
  </li>
  
  <li id="M201602240">
    <p id="nissan-modem">The Nissan Leaf has a built-in
    cell phone modem which allows effectively anyone to <a
    href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">
    access its computers remotely and make changes in various
    settings</a>.</p>

    <p>That's easy to do because the system has no authentication
    when accessed through the modem.  However, even if it asked
    for authentication, you couldn't be confident that Nissan
    has no access.  The software in the car is proprietary, <a
    href="/philosophy/free-software-even-more-important.html">which means
    it demands blind faith from its users</a>.</p>

    <p>Even if no one connects to the car remotely, the cell phone modem
    enables the phone company to track the car's movements all the time;
    it is possible to physically remove the cell phone modem, though.</p>
  </li>
  
  <li id="M201511194">
    <p>Caterpillar vehicles come with <a
    href="http://www.zerohedge.com/news/2015-11-19/caterpillar-depression-has-never-been-worse-it-has-cunning-plan-how-deal-it">
    a back door to shut off the engine</a> remotely.</p>
  </li>

  <li id="M201508120">
    <p>Security researchers discovered a <a
    href="http://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text">
    vulnerability in diagnostic dongles used for vehicle tracking and
    insurance</a> that let them take remote control of a car or lorry
    using an SMS.</p>
  </li>
  
  <li id="M201507214">
    <p>Crackers were able to <a
    href="http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/">
    take remote control of the Jeep</a> “connected car”. They
    could track the car, start or stop the engine, and activate or
    deactivate the brakes, and more.</p>

    <p>We expect that Chrysler and the NSA can do this too.</p>

    <p>If you own a car that contains a phone modem, it would be a good
    idea to deactivate this.</p>
  </li>

  <li id="M201311130">
    <p><a
    href="https://www.eff.org/deeplinks/2013/11/drm-cars-will-drive-consumers-crazy">
    DRM in cars will drive consumers crazy</a>.</p>
  </li>

  <li id="M201306140">
    <p>Tesla cars allow the company to extract
    data remotely and determine the car's location
    at any time. (See Section 2, paragraphs b and c of the <a
    href="http://www.teslamotors.com/sites/default/files/pdfs/tmi_privacy_statement_external_6-14-2013_v2.pdf">
    privacy statement</a>.) The company says it doesn't store this
    information, but if the state orders it to get the data and hand it
    over, the state can store it.</p>
  </li>

  <li id="M201303250">
    <p id="records-drivers">Proprietary software in cars <a
    href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/">
    records information about drivers' movements</a>, which is made
    available to car manufacturers, insurance companies, and others.</p>

    <p>The case of toll-collection systems, mentioned in this article,
    is not really a matter of proprietary surveillance. These systems
    are an intolerable invasion of privacy, and should be replaced with
    anonymous payment systems, but the invasion isn't done by malware. The
    other cases mentioned are done by proprietary malware in the car.</p>
  </li>

  <li id="M201103110">
    <p>It is possible to <a
    href="http://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/">
    take control of some car computers through malware in music files</a>. 
    Also <a
    href="http://www.nytimes.com/2011/03/10/business/10hack.html?_r=0">
    by radio</a>. More information in <a
    href="http://www.autosec.org/faq.html"> Automotive Security And
    Privacy Center</a>.</p>
  </li>
</ul>

</div><!-- for id="content", starts in the include above -->
</div>

</div>
<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
<div class="unprintable">

<p>Please send general FSF &amp; GNU inquiries to
<a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        &lt;web-translators@gnu.org&gt;</a>.</p>

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.
     
     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).
     
     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2017-2020 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2020/10/17 08:05:07 $
<!-- timestamp end -->
</p>
</div>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>