Brian Thomas

Based in Cincinnati, OH, the Brian Thomas Morning Show covers news and politics, both local and national, from a conservative point of view.

 

Tech Friday with Dave Hatter - October 15th 2021 - SPONSORED BY INTRUST IT


Privacy Reset: A guide to the important settings you should change now

https://www.washingtonpost.com/technology/interactive/2021/privacy-settings-guide/

What your car knows about you:

  • Most new cars are rolling computers bristling with sensors, and they track a ton of data
  • A wide variety of information is captured, including speed, acceleration, braking, vehicle performance, and location information
  • It may also contain call logs, contacts, text messages, voice commands and web histories
  • Law enforcement increasingly relies on digital vehicle forensics for evidence
  • The Driver Privacy Act of 2015 regulates a vehicle’s event data recorder, but there are no rules on the other data your car collects
  • Unfortunately, the privacy and security measures on these systems are much weaker than those on a smartphone or computer
  • Washington Post writer Geoffrey Fowler recently reported on the attempts by a hacker to determine what information is being collected by the systems in a randomly selected 2017 car
  • Fowler wanted to see just how much information GM is getting from its connected cars and chose a 2017 Volt for testing
  • Fowler wrote "My Chevy's dashboard didn't say what the car was recording. It wasn't in the owner's manual. There was no way to download it"
  • It's unclear exactly what data is collected, who has access to it, how it might be shared, or how it's secured
  • A GM spokesperson told Car and Driver: "Nothing happens in terms of connected services without customer consent"
  • GM said vehicle data such as location, vehicle health and status, and operating information "enables many important safety and connectivity services [including] automatic crash notification (alerting first responders to an accident scene), stolen vehicle locator, and vehicle health monitoring (monthly emails to an owner advising them of service and maintenance status)."
  • He discovered the car was recording details about where the car was driven and parked, call logs, identification information for his phone and contact information from his phone, "right down to people's address, emails and even photos."
  • Fowler said "On a recent drive, a 2017 Chevrolet collected my precise location. It stored my phone’s ID and the people I called. It judged my acceleration and braking style, beaming back reports to its maker General Motors over an always-on Internet connection"
  • Fowler also purchased a Chevy infotainment computer on eBay, which yielded information about the previous owner, including pictures of an individual that the previous owner referred to as "Sweetie"
  • Data collection such as that mentioned above is not unique to any one brand or model; nearly all newer cars have connectivity, and nearly all of them are collecting data to some extent
  • A security researcher bought an old Tesla infotainment system full of personal information about the previous owner including home address and WiFi passwords
  • eBay has infotainment systems from brands such as BMW, Ford, Cadillac and Mercedes-Benz currently for sale
  • "This isn't just a Tesla thing, it's every single infotainment system," said Justin Schorr, president of DJS Associates, a vehicle forensics firm that reconstructs crashes using on-board data. "Think of all the vehicles with screens, this is ubiquitous almost."
  • "Everything that can be used for a nefarious purpose, will eventually be found by a nefarious person and used for a nefarious purpose," Schorr said. "If you pair your phone with a rental car, and that car gets in a crash two years later, personal information about you could be pulled off it."
  • In 2017, the U.S. Government Accountability Office (GAO) explored the data privacy policies of automakers and found that the 13 companies under their lens are not exactly using best practices
  • The GAO said that manufacturers "offered few options besides opting out of all connected vehicle services to consumers who did not want to share their data."
  • At present, there are no federal laws to regulate what automakers can collect or use when it comes to personal driving data
  • Since 2014, 20 automakers (including GM) have pledged "to meet or exceed commitments contained in the Automotive Consumer Privacy Protection Principles established to protect personal information collected through in-car technologies," according to the Auto Alliance
  • The first principle is "provide customers with clear, meaningful information about the types of information collected and how it is used"
  • It does not appear that the first principle is being met
  • New regulations such as the California Consumer Privacy Act (CCPA) may force new practices
  • You can limit the amount of information that a car can collect by not connecting your phone to the car via USB or Bluetooth; charge it using a charger instead
  • Fowler recommended an app called "Privacy4Cars" to remove your data from cars you use but don't own: https://www.privacy4cars.com/home/default.aspx
  • Phil Neray, from start-up CyberX, suggested doing a factory reset and/or taking your vehicle to a dealer and asking them to wipe it clean of data before selling it
  • 5G connectivity may make it more difficult to restrict access to your data in the future
  • Read the GAO report here: https://www.gao.gov/assets/690/686284.pdf
  • Read Fowler's article here: https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/

FBI warns of Hijacked IoT devices used for "Swatting"

  • Swatting is a dangerous prank where law enforcement is sent to a home under the premise of an emergency
  • Previously, bad actors would spoof phone numbers to make an emergency call appear to come from the victim
  • Hackers are using stolen or cracked email credentials to hijack IoT devices like Ring doorbells
  • They then report an emergency and then watch as law enforcement responds
  • In a statement, the FBI said "Swatting may be motivated by revenge, used as a form of harassment, or used as a prank, but it is a serious crime that may have potentially deadly consequences"
  • The FBI said that making a call from an on-premises security device lends authenticity to the call
  • "To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers." - FBI
  • The FBI said "As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms."
  • A recent assessment of second-tier smart doorbells by NCC Group found that vulnerabilities rendered these devices more harmful than helpful.
  • They classified the popular gadgets as a "domestic IoT nightmare"
  • Vice has reported finding posts on hacker forums offering Ring credential stuffing software for as little as $6.
  • Beware of IoT devices and stick to the most well-known brands if you buy them
