<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Please do not edit <ul class="blurbs">!
    Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
           See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-->
<title>Malware In Cars
- GNU Project - Free Software Foundation</title>
<link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" />
 <!--#include virtual="/proprietary/po/malware-cars.translist" -->
<!--#include virtual="/server/banner.html" -->
<div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
 <img id="side-menu-icon" height="32"
      src="/graphics/icons/side-menu.png"
      title="Section contents"
      alt=" [Section contents] " />
</a>

<p class="breadcrumb">
 <a href="/"><img src="/graphics/icons/home.png" height="24"
    alt="GNU Home" title="GNU Home" /></a> /
 <a href="/proprietary/proprietary.html">Malware</a> /
 By product /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width">
<h2>Malware In Cars</h2>

<p><a href="/proprietary/proprietary.html">Other examples of proprietary malware</a></p>

<div class="infobox">
<hr class="full-width" />
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers and manufacturers often exercise
that power to the detriment of the users they ought to serve.</p>

<p>This typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>

<div class="article">
<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>

<div class="column-limit" id="malware-cars"></div>

<ul class="blurbs">
  <li id="M202008181">
    <!--#set var="DATE" value='<small class="date-tag">2020-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>New Toyotas will <a
    href="https://www.theregister.com/2020/08/18/aws_toyota_alliance/">
    upload data to AWS to help create custom insurance premiums</a>
    based on driver behaviour.</p>

    <p>Before you buy a “connected” car, make sure you can
    disconnect its cellular antenna and its GPS antenna.  If you want
    GPS navigation, get a separate navigator which runs free software
    and works with Open Street Map.</p>
  </li>

  <li id="M202007010">
    <!--#set var="DATE" value='<small class="date-tag">2020-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>BMW will remotely <a
    href="https://www.cnet.com/roadshow/news/bmw-vehicle-as-a-platform/">
    enable and disable functionality in cars</a> through a universal
    back door.</p>
  </li>

  <li id="M201912171">
    <!--#set var="DATE" value='<small class="date-tag">2019-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Most modern cars now <a
    href="https://boingboing.net/2019/12/17/cars-now-run-on-the-new-oil.html">
    record and send various kinds of data to the manufacturer</a>. For
    the user, access to the data is nearly impossible, as it involves
    cracking the car's computer, which is always hidden and running with
    proprietary software.</p>
  </li>

  <li id="M201909160">
    <!--#set var="DATE" value='<small class="date-tag">2019-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Tesla users claim Tesla <a
    href="https://www.reuters.com/article/us-tesla-battery/tesla-owner-lawsuit-claims-software-update-fraudulently-cut-battery-capacity-idUSKCN1UY2TW">force-installed
    software to cut down on battery range</a>, rather than replace the
    defective batteries. Tesla did this to avoid having to run their
    warranty.</p>

    <p>This means that proprietary software can potentially be a way to
    commit perjury with impunity.</p>
  </li>

  <li id="M201904150">
    <!--#set var="DATE" value='<small class="date-tag">2019-04</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="M201509210">Volkswagen programmed its car engine computers to <a
    href="https://www.petri.com/volkswagen-used-software-to-cheat-on-emissions">
    detect the Environmental Protection Agency's emission tests</a>, and
    run dirty the rest of the time. In real driving, the cars exceeded
    emissions standards by a factor of up to 35.</p>

    <p>Using free software would not have stopped Volkswagen from
    programming it this way, but would have made it harder to conceal,
    and given the users the possibility of correcting the deception.</p>

    <p>Former executives of Volkswagen are being <a
    href="https://www.theguardian.com/business/2019/apr/15/former-head-of-volkswagen-could-face-10-years-in-prison">
    sued over this fraud</a>.</p>
  </li>

  <li id="M201903290">
    <!--#set var="DATE" value='<small class="date-tag">2019-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Tesla cars collect lots of personal data, and <a
    href="https://www.cnbc.com/2019/03/29/tesla-model-3-keeps-data-like-crash-videos-location-phone-contacts.html">
    when they go to a junkyard the driver's personal data goes with
    them</a>.</p>
  </li>

  <li id="M201902011">
    <!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The FordPass Connect feature of some Ford vehicles has <a
    href="https://www.myfordpass.com/content/ford_com/fp_app/en_us/termsprivacy.html">
    near-complete access to the internal car network</a>. It is constantly
    connected to the cellular phone network and sends Ford a lot of data,
    including car location. This feature operates even when the ignition
    key is removed, and users report that they can't disable it.</p>

    <p>If you own one of these cars, have you succeeded in breaking the
    connectivity by disconnecting the cellular modem, or wrapping the
    antenna in aluminum foil?</p>
  </li>

  <li id="M201812300">
    <!--#set var="DATE" value='<small class="date-tag">2018-12</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>New GM cars <a
    href="https://media.gm.com/media/us/en/gmc/vehicles/canyon/2019.html">
    offer the feature of a universal back door</a>.</p>

    <p>Every nonfree program offers the user zero security against its
    developer. With this malfeature, GM has explicitly made things even
    worse.</p>
  </li>

  <li id="M201811300">
    <!--#set var="DATE" value='<small class="date-tag">2018-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>In China, it is mandatory for electric
    cars to be equipped with a terminal that <a
    href="https://www.apnews.com/4a749a4211904784826b45e812cff4ca">
    transfers technical data, including car location,
    to a government-run platform</a>. In practice, <a
    href="/proprietary/proprietary-surveillance.html#car-spying">
    manufacturers collect this data</a> as part of their own spying, then
    forward it to the government-run platform.</p>
  </li>

  <li id="M201810230">
    <!--#set var="DATE" value='<small class="date-tag">2018-10</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>GM <a
    href="https://boingboing.net/2018/10/23/dont-touch-that-dial.html">
    tracked the choices of radio programs</a> in its
    “connected” cars, minute by minute.</p>

    <p>GM did not get users' consent, but it could have got that easily by
    sneaking it into the contract that users sign for some digital service
    or other. A requirement for consent is effectively no protection.</p>

    <p>The cars can also collect lots of other data: listening to you,
    watching you, following your movements, tracking passengers' cell
    phones. <em>All</em> such data collection should be forbidden.</p>

    <p>But if you really want to be safe, we must make sure the car's
    hardware cannot collect any of that data, or that the software
    is free so we know it won't collect any of that data.</p>
  </li>

  <li id="M201711230">
    <!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>AI-powered driving apps can <a
    href="https://www.vice.com/en/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move">
    track your every move</a>.</p>
  </li>

  <li id="M201709290">
    <!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Bad security in some cars makes it possible to <a
    href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14937">
    remotely activate the airbags</a>.</p>
  </li>

  <li id="M201709090.1">
    <!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Tesla used software to limit the part of the battery
    that was available to customers in some cars, and <a
    href="https://techcrunch.com/2017/09/09/tesla-flips-a-switch-to-increase-the-range-of-some-cars-in-florida-to-help-people-evacuate/">
    a universal back door in the software</a> to temporarily increase
    this limit.</p>

    <p>While remotely allowing car “owners” to use the
    whole battery capacity did not do them any harm, the same back
    door would permit Tesla (perhaps under the command of some
    government) to remotely order the car to use none of its battery. Or
    perhaps to drive its passenger to a torture prison.</p>
  </li>
  

  <li id="M201702170">
    <!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>The mobile apps for communicating <a
    href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with
    a smart but foolish car have very bad security</a>.</p>

    <p>This is in addition to the fact that the car contains a cellular
    modem that tells big brother all the time where it is.  If you own
    such a car, it would be wise to disconnect the modem so as to turn
    off the tracking.</p>
  </li>

  <li id="M201611060">
    <!--#set var="DATE" value='<small class="date-tag">2016-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="http://jalopnik.com/america-figured-out-a-new-way-audi-cheated-on-emissions-1788630969">
    Audi's proprietary software used a simple method to cheat on emissions
    tests</a>: to activate a special low-emission gearshifting mode until
    the first time the car made a turn.</p>
  </li>
  
  <li id="M201608110">
    <!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Due to weak security, <a
    href="http://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844">it
    is easy to open the doors of 100 million cars built by
    Volkswagen</a>.</p>
  </li>
  
  <li id="M201607160">
    <!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="car-spying">Computerized cars with nonfree software are <a
    href="http://www.thelowdownblog.com/2016/07/your-cars-been-studying-you-closely-and.html">
    snooping devices</a>.</p>
  </li>
  

  <li id="M201602240">
    <!--#set var="DATE" value='<small class="date-tag">2016-02</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="nissan-modem">The Nissan Leaf has a built-in
    cell phone modem which allows effectively anyone to <a
    href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">
    access its computers remotely and make changes in various
    settings</a>.</p>

    <p>That's easy to do because the system has no authentication
    when accessed through the modem.  However, even if it asked
    for authentication, you couldn't be confident that Nissan
    has no access.  The software in the car is proprietary, <a
    href="/philosophy/free-software-even-more-important.html">which means
    it demands blind faith from its users</a>.</p>

    <p>Even if no one connects to the car remotely, the cell phone modem
    enables the phone company to track the car's movements all the time;
    it is possible to physically remove the cell phone modem, though.</p>
  </li>
  

  <li id="M201511194">
    <!--#set var="DATE" value='<small class="date-tag">2015-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Caterpillar vehicles come with <a
    href="http://www.zerohedge.com/news/2015-11-19/caterpillar-depression-has-never-been-worse-it-has-cunning-plan-how-deal-it">
    a back door to shut off the engine</a> remotely.</p>
  </li>

  <li id="M201508120">
    <!--#set var="DATE" value='<small class="date-tag">2015-08</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Security researchers discovered a <a
    href="http://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text">
    vulnerability in diagnostic dongles used for vehicle tracking and
    insurance</a> that let them take remote control of a car or lorry
    using an SMS.</p>
  </li>
  

  <li id="M201507214">
    <!--#set var="DATE" value='<small class="date-tag">2015-07</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Crackers were able to <a
    href="http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/">
    take remote control of the Jeep</a> “connected car”. They
    could track the car, start or stop the engine, and activate or
    deactivate the brakes, and more.</p>

    <p>We expect that Chrysler and the NSA can do this too.</p>

    <p>If you own a car that contains a phone modem, it would be a good
    idea to deactivate this.</p>
  </li>

  <li id="M201311130">
    <!--#set var="DATE" value='<small class="date-tag">2013-11</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p><a
    href="https://www.eff.org/deeplinks/2013/11/drm-cars-will-drive-consumers-crazy">
    DRM in cars will drive consumers crazy</a>.</p>
  </li>

  <li id="M201306140">
    <!--#set var="DATE" value='<small class="date-tag">2013-06</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>Tesla cars allow the company to extract
    data remotely and determine the car's location
    at any time. (See Section 2, paragraphs b and c of the <a
    href="https://www.tesla.com/sites/default/files/pdfs/en_US/tmi_privacy_statement_external_6-14-2013_v2.pdf">
    privacy statement</a>.) The company says it doesn't store this
    information, but if the state orders it to get the data and hand it
    over, the state can store it.</p>
  </li>


  <li id="M201303250">
    <!--#set var="DATE" value='<small class="date-tag">2013-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p id="records-drivers">Proprietary software in cars <a
    href="http://www.usatoday.com/story/money/cars/2013/03/24/car-spying-edr-data-privacy/1991751/">
    records information about drivers' movements</a>, which is made
    available to car manufacturers, insurance companies, and others.</p>

    <p>The case of toll-collection systems, mentioned in this article,
    is not really a matter of proprietary surveillance. These systems
    are an intolerable invasion of privacy, and should be replaced with
    anonymous payment systems, but the invasion isn't done by malware. The
    other cases mentioned are done by proprietary malware in the car.</p>
  </li>

  <li id="M201103110">
    <!--#set var="DATE" value='<small class="date-tag">2011-03</small>'
    --><!--#echo encoding="none" var="DATE" -->
    <p>It is possible to <a
    href="http://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/">
    take control of some car computers through malware in music files</a>.
    Also <a
    href="http://www.nytimes.com/2011/03/10/business/10hack.html?_r=0">
    by radio</a>. More information in <a
    href="http://www.autosec.org/faq.html"> Automotive Security And
    Privacy Center</a>.</p>
  </li>
</ul>

</div><!-- for id="content", starts in the include above -->
</div>

</div>
<!--#include virtual="/proprietary/proprietary-menu.html" -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF &amp; GNU inquiries to
<a href="mailto:gnu@gnu.org">&lt;gnu@gnu.org&gt;</a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org">&lt;webmasters@gnu.org&gt;</a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        <web-translators@gnu.org></a>.</p>

        <p>For information on coordinating and contributing translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.
     
     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).
     
     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2017-2021 Free Software Foundation, Inc.</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by/4.0/">Creative
Commons Attribution 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2021/06/08 08:44:43 $
<!-- timestamp end -->
</p>
</div>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>