Malware In Cars


Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.

This typically takes the form of malicious functionalities.


If you know of an example that ought to be in this page but isn't here, please write to <webmasters@gnu.org> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.

  • 2023-11

    Recent autos offer a feature by which the drivers can connect their snoop-phones to the car. That feature snoops on the calls and texts and gives the data to the car manufacturer, and to the state.

    A good privacy law would prohibit cars recording this data about the users' activities. But not just this data—lots of other data too.

  • 2023-09

    In an article from Mozilla, every car brand they researched has failed their privacy tests. Some car manufacturers explicitly mention that they collect data which includes “sexual activities” and “genetic information”. Not only collecting any of such data is a huge privacy violation in the first place, some companies assume drivers and passengers' consent before they get in the car. Notably, Tesla threatens that the car may be “inoperable” if the user opts out of data collection.

  • 2023-07

    Driverless cars in San Francisco collect videos constantly, using cameras inside and outside, and governments have already collected those videos secretly.

    As the Surveillance Technology Oversight Project says, they are “driving us straight into authoritarianism.” We must regulate all cameras that collect images that can be used to track people, to make sure they are not used for that.

  • 2023-04

    Tesla cars record videos of activity inside the car, and company staff can watch those recordings and copy them. Or at least they were able to do so until last year.

    Tesla may have changed some security functions so that this is harder to do. But if Tesla can get those recordings, that is because it is planning for some people to use them in some situation, and that is unjust already. It should be illegal to make a car that takes photos or videos of the people in the car—or of people outside the car.

  • 2023-04

    GM is switching to a new audio/video system in its cars in order to collect complete information about what people in the car watch or listen to, and also how they drive.

    The new system for navigation and “driving assistance” will be tethered to various online dis-services, and GM will snoop on everything the users do with them. But don't feel bad about that, because some of these subscriptions will be gratis for the first 8 years.

  • 2023-02

    Volkswagen tracks the location of every driver, and sells that data to third-parties. However, it refuses to use the data to implement a feature for the benefit of its customers unless they pay extra money for it.

    This came to attention and brought controversy when Volkswagen refused to locate a car-jacked vehicle with a toddler in it because the owner of the car had not subscribed to the relevant service.

  • 2022-11

    Hackers discovered dozens of flaws in the security (in the usual narrow sense) of many brands of automobiles.

    Security in the usual narrow sense means security against unknown third parties. We are more concerned with security in the broader sense—against the manufacturer as well as against unknown third parties. It is clear that each of these vulnerabilities can be exploited by the manufacturer too, and by any government that can threaten the manufacturer enough to compel the manufacturer's cooperation.

  • 2022-08

    Tesla sells an add-on software feature that drivers are not allowed to use.

    This practice depends on a back door, which is unjust in itself. Asking users to buy something years in advance to avoid having to pay an even higher price later is manipulative.

  • 2022-07

    The nonfree software in a Tesla artificially limits the car's driving range, demanding ransom to unlock the battery's full charge.

    This is one more reason why cars must not be “connected.”

  • 2022-07

    BMW is now luring British customers into paying for the built-in heated-seat feature of their new cars on a subscription basis. People also have the option to buy the feature when they are paying for the car, but those who bought a used car have to pay BMW extra money to remotely enable the heated seats. This is probably done by BMW accessing a back door in the car software.

  • 2022-07

    A bug in Tesla cars software lets crackers install new car keys, unlock cars, start engines, and even prevent real owners from accessing their cars.

    A cracker even reported that he was able to disable security systems and take control of 25 cars.

    Please note that these articles wrongly use the word “hacker” instead of cracker.
  • 2021-11

    Hundreds of Tesla drivers were locked out of their cars as a result of Tesla's app suffering from an outage, which happened because the app is tethered to the company's servers.

  • 2020-08

    New Toyotas will upload data to AWS to help create custom insurance premiums based on driver behaviour.

    Before you buy a “connected” car, make sure you can disconnect its cellular antenna and its GPS antenna. If you want GPS navigation, get a separate navigator which runs free software and works with Open Street Map.

  • 2020-07

    BMW will remotely enable and disable functionality in cars through a universal back door.

  • 2019-12

    Most modern cars now record and send various kinds of data to the manufacturer. For the user, access to the data is nearly impossible, as it involves cracking the car's computer, which is always hidden and running with proprietary software.

  • 2019-12

    As tech companies add microphones to a wide range of products, including refrigerators and motor vehicles, they also set up transcription farms where human employees listen to what people say and tweak the recognition algorithms.

  • 2019-09

    Tesla users claim Tesla force-installed software to cut down on battery range, rather than replace the defective batteries. Tesla did this to avoid having to run their warranty.

    This means that proprietary software can potentially be a way to commit perjury with impunity.

  • 2019-04

    Volkswagen programmed its car engine computers to detect the Environmental Protection Agency's emission tests, and run dirty the rest of the time. In real driving, the cars exceeded emissions standards by a factor of up to 35.

    Using free software would not have stopped Volkswagen from programming it this way, but would have made it harder to conceal, and given the users the possibility of correcting the deception.

    Former executives of Volkswagen are being sued over this fraud.

  • 2019-03

    Tesla cars collect lots of personal data, and when they go to a junkyard the driver's personal data goes with them.

  • 2019-02

    The FordPass Connect feature of some Ford vehicles has near-complete access to the internal car network. It is constantly connected to the cellular phone network and sends Ford a lot of data, including car location. This feature operates even when the ignition key is removed, and users report that they can't disable it.

    If you own one of these cars, have you succeeded in breaking the connectivity by disconnecting the cellular modem, or wrapping the antenna in aluminum foil?

  • 2018-12

    New GM cars offer the feature of a universal back door.

    Every nonfree program offers the user zero security against its developer. With this malfeature, GM has explicitly made things even worse.

  • 2018-11

    In China, it is mandatory for electric cars to be equipped with a terminal that transfers technical data, including car location, to a government-run platform. In practice, manufacturers collect this data as part of their own spying, then forward it to the government-run platform.

  • 2018-10

    GM tracked the choices of radio programs in its “connected” cars, minute by minute.

    GM did not get users' consent, but it could have got that easily by sneaking it into the contract that users sign for some digital service or other. A requirement for consent is effectively no protection.

    The cars can also collect lots of other data: listening to you, watching you, following your movements, tracking passengers' cell phones. All such data collection should be forbidden.

    But if you really want to be safe, we must make sure the car's hardware cannot collect any of that data, or that the software is free so we know it won't collect any of that data.

  • 2017-11

    AI-powered driving apps can track your every move.

  • 2017-09

    Bad security in some cars makes it possible to remotely activate the airbags.

  • 2017-09

    Tesla used software to limit the part of the battery that was available to customers in some cars, and a universal back door in the software to temporarily increase this limit.

    While remotely allowing car “owners” to use the whole battery capacity did not do them any harm, the same back door would permit Tesla (perhaps under the command of some government) to remotely order the car to use none of its battery. Or perhaps to drive its passenger to a torture prison.

  • 2017-02

    The mobile apps for communicating with a smart but foolish car have very bad security.

    This is in addition to the fact that the car contains a cellular modem that tells big brother all the time where it is. If you own such a car, it would be wise to disconnect the modem so as to turn off the tracking.

  • 2016-11

    Audi's proprietary software used a simple method to cheat on emissions tests: to activate a special low-emission gearshifting mode until the first time the car made a turn.

  • 2016-08

    Due to weak security, it is easy to open the doors of 100 million cars built by Volkswagen.

  • 2016-07

    Computerized cars with nonfree software are snooping devices.

  • 2016-02

    The Nissan Leaf has a built-in cell phone modem which allows effectively anyone to access its computers remotely and make changes in various settings.

    That's easy to do because the system has no authentication when accessed through the modem. However, even if it asked for authentication, you couldn't be confident that Nissan has no access. The software in the car is proprietary, which means it demands blind faith from its users.

    Even if no one connects to the car remotely, the cell phone modem enables the phone company to track the car's movements all the time; it is possible to physically remove the cell phone modem, though.

  • 2015-11

    Caterpillar vehicles come with a back door to shutoff the engine remotely.

  • 2015-08

    Security researchers discovered a vulnerability in diagnostic dongles used for vehicle tracking and insurance that let them take remote control of a car or lorry using an SMS.

  • 2015-07

    Crackers were able to take remote control of the Jeep “connected car”. They could track the car, start or stop the engine, and activate or deactivate the brakes, and more.

    We expect that Chrysler and the NSA can do this too.

    If you own a car that contains a phone modem, it would be a good idea to deactivate this.

  • 2013-11

    DRM in cars will drive consumers crazy.

  • 2013-06

    Tesla cars allow the company to extract data remotely and determine the car's location at any time. (See Section 2, paragraphs b and c of the privacy statement.) The company says it doesn't store this information, but if the state orders it to get the data and hand it over, the state can store it.

  • 2013-03

    Proprietary software in cars records information about drivers' movements, which is made available to car manufacturers, insurance companies, and others.

    The case of toll-collection systems, mentioned in this article, is not really a matter of proprietary surveillance. These systems are an intolerable invasion of privacy, and should be replaced with anonymous payment systems, but the invasion isn't done by malware. The other cases mentioned are done by proprietary malware in the car.

  • 2011-03

    It is possible to take control of some car computers through malware in music files. Also by radio. More information in Automotive Security And Privacy Center.